From f0d4007f6512e6c94b127f76e8896be4d319f4e7 Mon Sep 17 00:00:00 2001
From: Peter Goron
Date: Sat, 26 Aug 2023 16:37:20 +0200
Subject: [PATCH] avoid naming conflicts on rbac when deploying one operator per namespace
[Candidate for upstream] When deploying multiple ceph clusters on single kubernetes cluster (for multi-tenancy for example), we can opt for deploying one operator per namespace thanks to currentNamespaceOnly helm variable. Unfortunately we are facing conflicts on ClusterRole/ClusterRoleBinding when deploying rook-ceph helm chart in distinct namespaces. This commit adds namespace suffix to ClusterRole/ClusterRoleBinding when deploying operator with currentNamespaceOnly=true
---
 .../templates/_cluster-rolebinding.tpl | 9 ++++++
 .../templates/_suffix-cluster-namespace.tpl | 3 +-
 .../rook-ceph/templates/clusterrole.yaml | 26 +++++++--------
 .../templates/clusterrolebinding.yaml | 32 +++++++++----------
 4 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/deploy/charts/library/templates/_cluster-rolebinding.tpl b/deploy/charts/library/templates/_cluster-rolebinding.tpl
index dc5e05f29daf3..b59a17e06de85 100644
--- a/deploy/charts/library/templates/_cluster-rolebinding.tpl
+++ b/deploy/charts/library/templates/_cluster-rolebinding.tpl
@@ -66,12 +66,21 @@ subjects:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+  {{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
+  {{- if $operatorWatchesCurrentNamespaceOnly }}
+  name: rook-ceph-mgr-system
+  {{- else }}
   name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
+  {{- end }}
   namespace: {{ .Values.operatorNamespace | default .Release.Namespace }} # namespace:operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
+  {{- if $operatorWatchesCurrentNamespaceOnly }}
+  name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
+  {{- else }}
   name: rook-ceph-mgr-system
+  {{- end }}
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-mgr
diff --git a/deploy/charts/library/templates/_suffix-cluster-namespace.tpl b/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
index fdf679340d21a..0f0e5e08dcd80 100644
--- a/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
+++ b/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
@@ -11,8 +11,9 @@ If the cluster namespace is different from the operator namespace, we want to na
 {{- define "library.suffix-cluster-namespace" -}}
 {{/* the operator chart won't set .Values.operatorNamespace, so default to .Release.Namespace */}}
 {{- $operatorNamespace := .Values.operatorNamespace | default .Release.Namespace -}}
+{{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
 {{- $clusterNamespace := .Release.Namespace -}}
-{{- if ne $clusterNamespace $operatorNamespace -}}
+{{- if or (ne $clusterNamespace $operatorNamespace) $operatorWatchesCurrentNamespaceOnly -}}
 {{ printf "-%s" $clusterNamespace }}
 {{- end }}
 {{- end }}
diff --git a/deploy/charts/rook-ceph/templates/clusterrole.yaml b/deploy/charts/rook-ceph/templates/clusterrole.yaml
index 7d018b95a879c..a11437d59152c 100644
--- a/deploy/charts/rook-ceph/templates/clusterrole.yaml
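Review bot: On the `{{- if $operatorWatchesCurrentNamespaceOnly }}` branch the roleRef becomes `rook-ceph-mgr-system-<cluster namespace>` via the library helper, while clusterrole.yaml in this same patch names the ClusterRole with the operator release's `.Release.Namespace`; the two agree only when the cluster chart is installed in the operator's namespace and both charts set `currentNamespaceOnly` identically, because the helper reads the value from whichever chart renders it. A RoleBinding whose roleRef names a ClusterRole that does not exist is accepted by the API server and simply grants nothing, so a mismatch surfaces as mgr permission failures at runtime rather than as an install error; a render-time guard next to the variable definition would make it explicit, e.g. `{{- if and $operatorWatchesCurrentNamespaceOnly (ne .Release.Namespace (.Values.operatorNamespace | default .Release.Namespace)) }}{{ fail "currentNamespaceOnly requires the cluster to be installed in the operator namespace" }}{{- end }}`. Any other RoleBinding earlier in this file that references one of the renamed ClusterRoles (rook-ceph-cluster-mgmt, rook-ceph-mgr-cluster) by bare name would presumably break the same way; that part of the file and the enclosing define block are outside the hunk. Rendering with currentNamespaceOnly=true and checking that every roleRef name has a matching ClusterRole in the same output would catch both cases.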
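Review bot: The helper's header comment (the `If the cluster namespace is different from the operator namespace…` text visible in the hunk header) now documents only the first operand of the new `or`; the second condition deserves a comment beside the new variable so a reader understands why a same-namespace install suddenly gets a suffix. Something like `{{/* also suffix when the operator watches only its own namespace, so one operator per namespace yields distinct cluster-scoped role names; currentNamespaceOnly must be set identically in the operator and cluster charts because this reads whichever chart renders it */}}` above the `$operatorWatchesCurrentNamespaceOnly` line would do. It is also worth stating there that the suffix is still `$clusterNamespace`, not the operator namespace, so it matches the operator chart's names only when the two coincide.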
+++ b/deploy/charts/rook-ceph/templates/clusterrole.yaml
@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-system
+  name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -32,7 +32,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: rook-ceph-cluster-mgmt
+  name: rook-ceph-cluster-mgmt{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -65,7 +65,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 # operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
 kind: ClusterRole
 metadata:
-  name: rook-ceph-global
+  name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -265,7 +265,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-mgr-cluster
+  name: rook-ceph-mgr-cluster{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -305,7 +305,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-mgr-system
+  name: rook-ceph-mgr-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups:
       - ""
@@ -322,7 +322,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-object-bucket
+  name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -382,7 +382,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-osd
+  name: rook-ceph-osd{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups:
       - ""
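Review bot: The suffix expression `{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}` is pasted verbatim into every `name:` in this file's hunks and again into every hunk of clusterrolebinding.yaml (around thirty sites), and each ClusterRole, its ClusterRoleBinding and the binding's roleRef must stay byte-identical, so one site drifting silently leaves a binding pointing at a role that does not exist. The library helper changed in this same patch already yields exactly this string when rendered from the operator chart (its own comment says the operator chart leaves `.Values.operatorNamespace` unset, so the `ne` operand is false and only the new `currentNamespaceOnly` operand applies), so each site can become `name: rook-ceph-system{{ template "library.suffix-cluster-namespace" . }}` — assuming the operator chart depends on the library chart, which that comment implies but the patch does not show. A one-line comment at the top of this file and of clusterrolebinding.yaml stating that cluster-scoped RBAC objects are suffixed with the operator namespace when `currentNamespaceOnly` is true would also help whoever adds the next ClusterRole apply the same rule.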
@@ -397,7 +397,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cephfs-csi-nodeplugin
+  name: cephfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
@@ -407,7 +407,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ceph-nfs-external-provisioner-runner
+  name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]
@@ -460,7 +460,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ceph-nfs-csi-nodeplugin
+  name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -474,7 +474,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cephfs-external-provisioner-runner
+  name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
@@ -519,7 +519,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rbd-csi-nodeplugin
+  name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -550,7 +550,7 @@ rules:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rbd-external-provisioner-runner
+  name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
diff --git a/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml b/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
index 58fb25d09edeb..32dc9e883c6af 100644
--- a/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
+++ b/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
@@ -2,7 +2,7 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-system
+  name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -10,7 +10,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: rook-ceph-system
+  name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
@@ -20,7 +20,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-global
+  name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   labels:
     operator: rook
     storage-backend: ceph
@@ -28,7 +28,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: rook-ceph-global
+  name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
@@ -38,11 +38,11 @@ kind: ClusterRoleBinding
 # Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rook-ceph-object-bucket
+  name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: rook-ceph-object-bucket
+  name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
@@ -51,27 +51,27 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rbd-csi-nodeplugin
+  name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
-  name: rbd-csi-nodeplugin
+  name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   apiGroup: rbac.authorization.k8s.io
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cephfs-csi-provisioner-role
+  name: cephfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-csi-cephfs-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
-  name: cephfs-external-provisioner-runner
+  name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   apiGroup: rbac.authorization.k8s.io
 ---
 # This is required by operator-sdk to map the cluster/clusterrolebindings with SA
@@ -93,14 +93,14 @@ roleRef:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ceph-nfs-csi-provisioner-role
+  name: ceph-nfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-csi-nfs-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
-  name: ceph-nfs-external-provisioner-runner
+  name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   apiGroup: rbac.authorization.k8s.io
 ---
 # TODO: remove this, once https://github.com/rook/rook/issues/10141
@@ -108,28 +108,28 @@ roleRef:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ceph-nfs-csi-nodeplugin-role
+  name: ceph-nfs-csi-nodeplugin-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-csi-nfs-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
-  name: ceph-nfs-csi-nodeplugin
+  name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   apiGroup: rbac.authorization.k8s.io
 ---
 {{ end }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: rbd-csi-provisioner-role
+  name: rbd-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
-  name: rbd-external-provisioner-runner
+  name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
   apiGroup: rbac.authorization.k8s.io
 ---
 # RBAC for ceph cosi driver service account