PLEASE NOTE: This document applies to Rook v1.0 and not to the latest stable release, v1.3.
Using Rook with Pod Security Policies
NOTE: Cluster role configuration is only needed when you are not already
cluster-admin in your Kubernetes cluster!
Creating the Rook operator requires privileges for setting up RBAC. To launch the operator, the user certificate you act with must be bound to the ClusterRole cluster-admin.
One simple way to achieve this is to issue your certificate with the group system:masters (Kubernetes takes the user name from the certificate's CN and its groups from the O= fields of the subject). system:masters is a special group that is bound to the cluster-admin ClusterRole, but it cannot be easily revoked: the group is part of the certificate itself, and Kubernetes does not consult revocation lists, so the access lasts until the certificate expires or the CA is rotated. Be careful with taking that route in a production setting.
Binding an individual certificate's user to the ClusterRole cluster-admin with a ClusterRoleBinding is revocable: delete the ClusterRoleBinding and the access is gone.
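The two options above side by side, as an added example that is not part of the Rook documentation: a ClusterRoleBinding that grants a certificate user cluster-admin and can be revoked with a single delete, and a check that flags certificate subjects carrying the irrevocable system:masters group. The user name rook-admin is an assumption; substitute the CN of your own certificate.

```sh
#!/bin/sh
# Added example, not from the Rook docs: grant a certificate user cluster-admin
# through a ClusterRoleBinding that can be revoked by deleting it, and flag
# certificates whose subject puts the user in the irrevocable system:masters group.
# The user name "rook-admin" is an assumption; Kubernetes takes the user name from
# the certificate's CN and its groups from the O= fields.

# Print a ClusterRoleBinding that binds one certificate user to cluster-admin.
cluster_admin_binding_manifest() {
  user="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${user}-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

# Return 0 if an X.509 subject string, in slash form ("/CN=admin/O=system:masters")
# or in the comma form newer openssl prints ("CN = admin, O = system:masters"),
# contains the system:masters group. Such a certificate stays cluster-admin until it
# expires or the CA is rotated, because Kubernetes does not check revocation lists.
subject_is_system_masters() {
  s=$(printf '%s' "$1" | tr -d ' ')
  case "$s" in
    *"O=system:masters"|*"O=system:masters/"*|*"O=system:masters,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Only talk to a cluster when explicitly asked (RUN_KUBECTL=1) and kubectl exists.
if [ "${RUN_KUBECTL:-0}" = 1 ] && command -v kubectl >/dev/null 2>&1; then
  cluster_admin_binding_manifest rook-admin | kubectl apply -f -
  # Should print "yes"; impersonating a user needs the "impersonate" verb on users.
  kubectl auth can-i create clusterrolebindings --as=rook-admin
  # Revocation later is a single delete:
  #   kubectl delete clusterrolebinding rook-admin-cluster-admin
fi
```

Run `RUN_KUBECTL=1 sh rook-admin.sh` (any file name) against a cluster where you already hold cluster-admin; without that variable the script only defines the helpers, so it can be sourced and tested offline. Check any certificate before trusting it: `subject_is_system_masters "$(openssl x509 -noout -subject -in admin.crt | sed 's/^subject=//')"` returning 0 means the file carries the irrevocable group.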
RBAC for PodSecurityPolicies
If you have activated the PodSecurityPolicy Admission Controller and thus are
using PodSecurityPolicies, you will require additional Roles and RoleBindings for the different
ServiceAccounts Rook uses to start the Rook storage pods: each ServiceAccount must be granted the use verb on a PodSecurityPolicy that permits what its pods do, otherwise the admission controller rejects those pods.
Security policies will differ for different backends. See Ceph's Pod Security Policy document for an example of how this is done in practice.
Note: You do not have to perform these steps if you do not have the
PodSecurityPolicy Admission Controller activated!
You need at least one PodSecurityPolicy that allows privileged Pod execution. Here is an example which should be more permissive than is needed for any backend:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
  allowedCapabilities:
    - '*'
  hostPID: true
  # hostNetwork is required for using host networking
  hostNetwork: false
```

Because this policy permits privileged containers, all capabilities, all volume types and the host PID namespace, anyone allowed to use it can effectively take over the node. Grant the use verb on it to the Rook ServiceAccounts only, never to a broad group such as system:authenticated.
hostNetwork: true in the PodSecurityPolicy is required when using hostNetwork: true in a Cluster definition. You are then also required to allow the usage of hostPorts in the PodSecurityPolicy. The given port range will allow all ports:

```yaml
hostPorts:
  # Ceph msgr2 port
  - min: 1
    max: 65535
```

Where you can, narrow this range to the ports your backend actually binds (for Ceph, 3300 and 6789 for the monitors and 6800-7300 for OSDs and MGRs), so that a compromised pod cannot squat on arbitrary host ports.
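The RBAC side of the procedure above (Roles, RoleBindings and the use verb), as an added example that is not part of the Rook documentation or repository. It generates one ClusterRole granting use on the privileged PodSecurityPolicy and a RoleBinding per ServiceAccount, then checks the result with kubectl auth can-i. The namespaces and ServiceAccount names (rook-ceph-system in namespace rook-ceph-system; default, rook-ceph-osd and rook-ceph-mgr in namespace rook-ceph) are assumptions modelled on Rook's Ceph manifests; list the accounts your deployment really has with kubectl get serviceaccounts.

```sh
#!/bin/sh
# Added example, not from the Rook docs or repository: RBAC that lets Rook's
# ServiceAccounts "use" the privileged PodSecurityPolicy, plus a kubectl check.
# ServiceAccount names and namespaces below are assumptions; verify them with
# "kubectl get serviceaccounts -n <namespace>".

# Print one ClusterRole granting the "use" verb on the named PSP. Defining the rule
# once as a ClusterRole keeps the resourceNames restriction in a single place.
psp_use_clusterrole() {
  psp="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${psp}-psp-user
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["${psp}"]
  verbs: ["use"]
EOF
}

# Print a RoleBinding, in the given namespace, for each ServiceAccount named after it.
# Binding the ClusterRole with a RoleBinding (not a ClusterRoleBinding) confines the
# grant to that namespace, so the privileged PSP is usable only where Rook runs.
psp_use_rolebindings() {
  psp="$1"; ns="$2"; shift 2
  for sa in "$@"; do
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${psp}-psp
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${psp}-psp-user
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
  done
}

# Only talk to a cluster when explicitly asked (RUN_KUBECTL=1) and kubectl exists.
if [ "${RUN_KUBECTL:-0}" = 1 ] && command -v kubectl >/dev/null 2>&1; then
  {
    psp_use_clusterrole privileged
    psp_use_rolebindings privileged rook-ceph-system rook-ceph-system
    psp_use_rolebindings privileged rook-ceph default rook-ceph-osd rook-ceph-mgr
  } | kubectl apply -f -
  # Every line must end in "yes"; "no" means the admission controller will reject
  # that account's pods as soon as they ask for privileged execution.
  for acct in rook-ceph-system:rook-ceph-system rook-ceph:default \
              rook-ceph:rook-ceph-osd rook-ceph:rook-ceph-mgr; do
    ns=${acct%%:*}; sa=${acct##*:}
    echo "$ns/$sa: $(kubectl auth can-i use podsecuritypolicy/privileged \
                      --as="system:serviceaccount:$ns:$sa")"
  done
fi
```

The check is worth keeping as a post-install step: a missing RoleBinding does not fail kubectl apply of the Rook manifests, it only surfaces later as pods stuck in the operator's logs with a PodSecurityPolicy admission error.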