1 ###################################################################################################################
2 # Create the common resources that are necessary to start the operator and the ceph cluster.
3 # These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
4 # The samples all assume that a single operator will manage a single cluster crd in the same "rook-ceph" namespace.
5 #
6 # If the operator needs to manage multiple clusters (in different namespaces), see the section below
7 # for "cluster-specific resources". The resources below that section will need to be created for each namespace
8 # where the operator needs to manage the cluster. The resources above that section do not be created again.
9 ###################################################################################################################
10
11 # Namespace where the operator and other rook resources are created
12 apiVersion: v1
13 kind: Namespace
14 metadata:
15   name: rook-ceph
16 ---
# The CRD declarations.
# CephCluster: the top-level resource the operator reconciles into a Ceph cluster.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephclusters.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephCluster
    listKind: CephClusterList
    plural: cephclusters
    singular: cephcluster
  # Columns shown by `kubectl get cephclusters`
  additionalPrinterColumns:
  - name: DataDirHostPath
    type: string
    description: Directory used on the K8s nodes
    JSONPath: .spec.dataDirHostPath
  - name: MonCount
    type: string
    description: Number of MONs
    JSONPath: .spec.mon.count
  - name: Age
    type: date
    JSONPath: .metadata.creationTimestamp
  - name: State
    type: string
    description: Current State
    JSONPath: .status.state
  - name: Health
    type: string
    description: Ceph Health
    JSONPath: .status.ceph.health
  # Server-side validation. Only the fields listed here are constrained; anything else in
  # .spec is accepted unchecked by this schema.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required: [mon]
          properties:
            cephVersion:
              properties:
                allowUnsupported:
                  type: boolean
                image:
                  type: string
                name:
                  type: string
                  pattern: '^(luminous|mimic|nautilus)$'
            dashboard:
              properties:
                enabled:
                  type: boolean
                urlPrefix:
                  type: string
                port:
                  type: integer
            # Must be an absolute path on the node
            dataDirHostPath:
              type: string
              pattern: '^/(\S+)'
            mon:
              required: [count]
              properties:
                allowMultiplePerNode:
                  type: boolean
                count:
                  type: integer
                  minimum: 1
                  maximum: 9
                preferredCount:
                  type: integer
                  minimum: 0
                  maximum: 9
            network:
              properties:
                hostNetwork:
                  type: boolean
            storage:
              properties:
                # Per-node entries are an array but their contents are not validated here
                nodes:
                  type: array
                  items: {}
                useAllDevices: {}
                useAllNodes:
                  type: boolean
---
# CephFilesystem: a CephFS filesystem served by MDS daemons.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephfilesystems.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephFilesystem
    listKind: CephFilesystemList
    plural: cephfilesystems
    singular: cephfilesystem
  # No validation schema is declared for this kind; the API server accepts any .spec
  additionalPrinterColumns:
  - name: MdsCount
    type: string
    description: Number of MDSs
    JSONPath: .spec.metadataServer.activeCount
  - name: Age
    type: date
    JSONPath: .metadata.creationTimestamp
---
# CephNFS: NFS gateway(s) in front of a Ceph cluster. No validation schema, no printer columns.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephnfses.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephNFS
    listKind: CephNFSList
    plural: cephnfses
    singular: cephnfs
    # `kubectl get nfs` resolves to this kind
    shortNames: [nfs]
---
# CephObjectStore: an RGW (S3-compatible) object store. No validation schema.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephobjectstores.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephObjectStore
    listKind: CephObjectStoreList
    plural: cephobjectstores
    singular: cephobjectstore
---
# CephObjectStoreUser: a user (and its credentials) of a CephObjectStore. No validation schema.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephobjectstoreusers.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephObjectStoreUser
    listKind: CephObjectStoreUserList
    plural: cephobjectstoreusers
    singular: cephobjectstoreuser
---
# CephBlockPool: a RADOS pool for RBD block devices. No validation schema.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: cephblockpools.ceph.rook.io
spec:
  group: ceph.rook.io
  version: v1
  scope: Namespaced
  names:
    kind: CephBlockPool
    listKind: CephBlockPoolList
    plural: cephblockpools
    singular: cephblockpool
---
# Volume (group rook.io, v1alpha2): attachment records used by the Rook flex/agent path.
# This is the only CRD in this file outside the ceph.rook.io group.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: volumes.rook.io
spec:
  group: rook.io
  version: v1alpha2
  scope: Namespaced
  names:
    kind: Volume
    listKind: VolumeList
    plural: volumes
    singular: volume
    # `kubectl get rv` resolves to this kind
    shortNames: [rv]
---
# The cluster role for managing all the cluster-specific resources in a namespace.
# This is an aggregated role: the controller-manager fills in its rules from every ClusterRole
# carrying the selector label below, so `rules: []` here is intentional and must stay empty.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-cluster-mgmt
  labels:
    operator: rook
    storage-backend: ceph
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
rules: []
---
# Rules aggregated into rook-ceph-cluster-mgmt.
# This grants create/update/delete on secrets, pods and pod logs. In this file the aggregated
# role is bound only through a RoleBinding in the rook-ceph namespace, which limits the grant
# to that namespace; binding it with a ClusterRoleBinding would make it cluster-wide.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-cluster-mgmt-rules
  labels:
    operator: rook
    storage-backend: ceph
    rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
rules:
- apiGroups: [""]
  resources:
  - secrets
  - pods
  - pods/log
  - services
  - configmaps
  verbs: [get, list, watch, patch, create, update, delete]
- apiGroups: [apps]
  resources:
  - deployments
  - daemonsets
  verbs: [get, list, watch, create, update, delete]
---
# The role for the operator to manage resources in its own namespace.
# A namespaced Role: nothing here reaches outside rook-ceph. Note that it does not include
# secrets; secret access comes from rook-ceph-cluster-mgmt instead.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-system
  namespace: rook-ceph
  labels:
    operator: rook
    storage-backend: ceph
rules:
- apiGroups: [""]
  resources:
  - pods
  - configmaps
  - services
  verbs: [get, list, watch, patch, create, update, delete]
- apiGroups: [apps]
  resources:
  - daemonsets
  - statefulsets
  verbs: [get, list, watch, create, update, delete]
---
# The cluster role for managing the Rook CRDs.
# Aggregated role: rules are collected from ClusterRoles labelled with the selector below,
# so `rules: []` is intentional. Bound cluster-wide by the rook-ceph-global ClusterRoleBinding.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
rules: []
---
# Rules aggregated into rook-ceph-global. Because that role is bound with a ClusterRoleBinding
# to the rook-ceph-system service account, every verb below applies in all namespaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-global-rules
  labels:
    operator: rook
    storage-backend: ceph
    rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
rules:
- apiGroups: [""]
  resources:
  # Pod access is needed for fencing
  - pods
  # Node access is needed for determining nodes where mons should run
  - nodes
  # nodes/proxy is forwarded by the API server to the kubelet on every node;
  # keep this rule read-only and do not widen its verbs
  - nodes/proxy
  verbs: [get, list, watch]
- apiGroups: [""]
  resources:
  - events
  # PVs and PVCs are managed by the Rook provisioner
  - persistentvolumes
  - persistentvolumeclaims
  - endpoints
  verbs: [get, list, watch, patch, create, update, delete]
- apiGroups: [storage.k8s.io]
  resources:
  - storageclasses
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources:
  - jobs
  verbs: [get, list, watch, create, update, delete]
# Full control over every resource in the Rook API groups, including the cluster-specific kinds
- apiGroups: [ceph.rook.io]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: [rook.io]
  resources: ["*"]
  verbs: ["*"]
---
# Aspects of ceph-mgr that require cluster-wide access.
# Aggregated role (rules come from ClusterRoles labelled with the selector below; `rules: []`
# is intentional). Bound cluster-wide to the rook-ceph-mgr service account at the end of this file.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-cluster
  labels:
    operator: rook
    storage-backend: ceph
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
rules: []
---
# Rules aggregated into rook-ceph-mgr-cluster: read-only access to configmaps, nodes and the
# nodes/proxy subresource in all namespaces. nodes/proxy reaches the kubelet through the API
# server, so this rule should stay read-only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-cluster-rules
  labels:
    operator: rook
    storage-backend: ceph
    rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - nodes
  - nodes/proxy
  verbs: [get, list, watch]
---
# The rook system service account used by the operator, agent, and discovery pods.
# Subject of the rook-ceph-system RoleBinding and the rook-ceph-global ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rook-ceph-system
  namespace: rook-ceph
  labels:
    operator: rook
    storage-backend: ceph
---
# Grant the operator, agent, and discovery agents access to resources in the namespace.
# Binds the namespaced Role rook-ceph-system to the service account of the same name.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-system
  namespace: rook-ceph
  labels:
    operator: rook
    storage-backend: ceph
roleRef:
  kind: Role
  name: rook-ceph-system
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph
---
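# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes.
# ClusterRoleBinding is cluster-scoped, so it carries no metadata.namespace (the API server clears
# that field on cluster-scoped objects anyway); the subject's namespace is what binds it to the SA.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
roleRef:
  kind: ClusterRole
  name: rook-ceph-global
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph
---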
#################################################################################################################
# Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
# namespace. If you want to create the cluster in a different namespace, you will need to modify these roles
# and bindings accordingly.
#################################################################################################################
# Service account for the Ceph OSDs. Must exist and cannot be renamed.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
---
# Service account for the Ceph Mgr. Must exist and cannot be renamed.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
---
# Role for the OSD pods: read/write access to configmaps in this namespace only.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
rules:
- apiGroups: [""]
  resources:
  - configmaps
  verbs: [get, list, watch, create, update, delete]
---
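# Aspects of ceph-mgr that require access to the system namespace.
# Aggregated ClusterRole (rules come from ClusterRoles labelled with the selector below; `rules: []`
# is intentional). ClusterRole is cluster-scoped, so it carries no metadata.namespace; the
# namespace restriction comes from the RoleBinding that references this role.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-system
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
rules: []
---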
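# Rules aggregated into rook-ceph-mgr-system: read-only access to configmaps.
# ClusterRole is cluster-scoped, so no metadata.namespace here (the API server clears it on
# cluster-scoped objects). The labels mapping is indented by the file's usual two spaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-system-rules
  labels:
    rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
rules:
- apiGroups: [""]
  resources:
  - configmaps
  verbs: [get, list, watch]
---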
# Aspects of ceph-mgr that operate within the cluster's namespace.
# Namespaced Role; the wildcard on ceph.rook.io is limited to this namespace by the Role kind.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
rules:
- apiGroups: [""]
  resources:
  - pods
  - services
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources:
  - jobs
  verbs: [get, list, watch, create, update, delete]
- apiGroups: [ceph.rook.io]
  resources: ["*"]
  verbs: ["*"]
---
# Allow the operator to create resources in this cluster's namespace.
# The ClusterRole rook-ceph-cluster-mgmt is bound with a RoleBinding, so its rules (which include
# secrets) take effect in the rook-ceph namespace only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-cluster-mgmt
  namespace: rook-ceph
roleRef:
  kind: ClusterRole
  name: rook-ceph-cluster-mgmt
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-system
  namespace: rook-ceph
---
# Allow the osd pods in this namespace to work with configmaps.
# Binds the namespaced Role rook-ceph-osd to the rook-ceph-osd service account.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
roleRef:
  kind: Role
  name: rook-ceph-osd
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-osd
  namespace: rook-ceph
---
# Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules.
# Binds the namespaced Role rook-ceph-mgr to the rook-ceph-mgr service account.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
roleRef:
  kind: Role
  name: rook-ceph-mgr
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph
---
# Allow the ceph mgr to access the rook system resources necessary for the mgr modules.
# A RoleBinding to the ClusterRole rook-ceph-mgr-system, so its rules apply only in rook-ceph.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-system
  namespace: rook-ceph
roleRef:
  kind: ClusterRole
  name: rook-ceph-mgr-system
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph
---
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules.
# Cluster-wide binding: the read-only rules of rook-ceph-mgr-cluster apply in every namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-mgr-cluster
roleRef:
  kind: ClusterRole
  name: rook-ceph-mgr-cluster
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: rook-ceph-mgr
  namespace: rook-ceph
---