1 ###################################################################################################################
2 # Create the common resources that are necessary to start the operator and the ceph cluster.
3 # These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
4 # The samples all assume that a single operator will manage a single cluster CRD in the same "rook-ceph" namespace.
6 # If the operator needs to manage multiple clusters (in different namespaces), see the section below
7 # for "cluster-specific resources". The resources below that section will need to be created for each namespace
8 # where the operator needs to manage the cluster. The resources above that section do not need to be created again.
9 ###################################################################################################################
11 # Namespace where the operator and other rook resources are created
17 # The CRD declarations
# NOTE(review): this listing is a partial extraction — the gutter numbers are non-contiguous and the
# indentation has been lost, so each CRD body below is incomplete. Do not apply it as-is; take the
# full manifest from the upstream source and compare against it.
# apiextensions.k8s.io/v1beta1 is the deprecated CRD API (no longer served from Kubernetes 1.22 on);
# confirm the target cluster version before relying on this file. The same applies to every CRD below.
18 apiVersion: apiextensions.k8s.io/v1beta1
19 kind: CustomResourceDefinition
21 name: cephclusters.ceph.rook.io
26 listKind: CephClusterList
# OpenAPI validation regex: only the three listed Ceph release names are accepted, so an unexpected
# value is rejected at admission time rather than surfacing as a runtime failure. The field this
# pattern is attached to is outside the visible lines — presumably the cephVersion spec; confirm.
43 pattern: ^(luminous|mimic|nautilus)$
# Printer columns only shape `kubectl get` output. They expose status fields (state, Ceph health)
# that are useful for monitoring; they grant no access and carry no security effect on their own.
84 additionalPrinterColumns:
85 - name: DataDirHostPath
87 description: Directory used on the K8s nodes
88 JSONPath: .spec.dataDirHostPath
91 description: Number of MONs
92 JSONPath: .spec.mon.count
95 JSONPath: .metadata.creationTimestamp
98 description: Current State
99 JSONPath: .status.state
102 description: Ceph Health
103 JSONPath: .status.ceph.health
105 apiVersion: apiextensions.k8s.io/v1beta1
106 kind: CustomResourceDefinition
108 name: cephfilesystems.ceph.rook.io
113 listKind: CephFilesystemList
114 plural: cephfilesystems
115 singular: cephfilesystem
118 additionalPrinterColumns:
121 description: Number of MDSs
122 JSONPath: .spec.metadataServer.activeCount
125 JSONPath: .metadata.creationTimestamp
127 apiVersion: apiextensions.k8s.io/v1beta1
128 kind: CustomResourceDefinition
130 name: cephnfses.ceph.rook.io
135 listKind: CephNFSList
143 apiVersion: apiextensions.k8s.io/v1beta1
144 kind: CustomResourceDefinition
146 name: cephobjectstores.ceph.rook.io
150 kind: CephObjectStore
151 listKind: CephObjectStoreList
152 plural: cephobjectstores
153 singular: cephobjectstore
157 apiVersion: apiextensions.k8s.io/v1beta1
158 kind: CustomResourceDefinition
160 name: cephobjectstoreusers.ceph.rook.io
164 kind: CephObjectStoreUser
165 listKind: CephObjectStoreUserList
166 plural: cephobjectstoreusers
167 singular: cephobjectstoreuser
171 apiVersion: apiextensions.k8s.io/v1beta1
172 kind: CustomResourceDefinition
174 name: cephblockpools.ceph.rook.io
179 listKind: CephBlockPoolList
180 plural: cephblockpools
181 singular: cephblockpool
185 apiVersion: apiextensions.k8s.io/v1beta1
186 kind: CustomResourceDefinition
188 name: volumes.rook.io
201 # The cluster role for managing all the cluster-specific resources in a namespace
# rbac.authorization.k8s.io/v1beta1 is the deprecated RBAC API (no longer served from Kubernetes
# 1.22 on); every Role/ClusterRole/binding in this file uses it — confirm the target cluster version.
202 apiVersion: rbac.authorization.k8s.io/v1beta1
205 name: rook-ceph-cluster-mgmt
208 storage-backend: ceph
# Aggregated ClusterRole: the API server merges in the rules of *every* ClusterRole carrying the
# selector label below, not only the "-rules" role defined next. The label is therefore
# privilege-granting — when auditing this role, review all ClusterRoles that set it.
210 clusterRoleSelectors:
# Quoted deliberately: label values must be strings; an unquoted true would parse as a boolean
# and be rejected by the API server.
212 rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
215 apiVersion: rbac.authorization.k8s.io/v1beta1
218 name: rook-ceph-cluster-mgmt-rules
221 storage-backend: ceph
222 rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
253 # The role for the operator to manage resources in its own namespace
254 apiVersion: rbac.authorization.k8s.io/v1beta1
257 name: rook-ceph-system
261 storage-backend: ceph
290 # The cluster role for managing the Rook CRDs
291 apiVersion: rbac.authorization.k8s.io/v1beta1
294 name: rook-ceph-global
297 storage-backend: ceph
# Same aggregation pattern as rook-ceph-cluster-mgmt above; the label is the grant.
299 clusterRoleSelectors:
301 rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
304 apiVersion: rbac.authorization.k8s.io/v1beta1
307 name: rook-ceph-global-rules
310 storage-backend: ceph
311 rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
# The rule comments below appear to belong to rook-ceph-global-rules; the apiGroups and verbs
# for each rule are outside the visible lines, so the exact scope cannot be confirmed from here.
316 # Pod access is needed for fencing
318 # Node access is needed for determining nodes where mons should run
329 # PVs and PVCs are managed by the Rook provisioner
331 - persistentvolumeclaims
373 # Aspects of ceph-mgr that require cluster-wide access
375 apiVersion: rbac.authorization.k8s.io/v1beta1
377 name: rook-ceph-mgr-cluster
380 storage-backend: ceph
382 clusterRoleSelectors:
384 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
388 apiVersion: rbac.authorization.k8s.io/v1beta1
390 name: rook-ceph-mgr-cluster-rules
393 storage-backend: ceph
394 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
407 # The rook system service account used by the operator, agent, and discovery pods
411 name: rook-ceph-system
415 storage-backend: ceph
417 # Grant the operator, agent, and discovery agents access to resources in the namespace
419 apiVersion: rbac.authorization.k8s.io/v1beta1
421 name: rook-ceph-system
425 storage-backend: ceph
427 apiGroup: rbac.authorization.k8s.io
429 name: rook-ceph-system
431 - kind: ServiceAccount
432 name: rook-ceph-system
435 # Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
# Cluster-scoped binding: whatever presents the rook-ceph-system ServiceAccount token receives the
# aggregated rook-ceph-global rules in every namespace. That token should be mounted only in the
# operator, agent and discovery pods named above; treat it as a high-value credential when
# reviewing pod specs and token exposure.
436 kind: ClusterRoleBinding
437 apiVersion: rbac.authorization.k8s.io/v1beta1
439 name: rook-ceph-global
443 storage-backend: ceph
445 apiGroup: rbac.authorization.k8s.io
447 name: rook-ceph-global
449 - kind: ServiceAccount
450 name: rook-ceph-system
453 #################################################################################################################
454 # Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
455 # namespace. If you want to create the cluster in a different namespace, you will need to modify these roles
456 # and bindings accordingly.
457 #################################################################################################################
458 # Service account for the Ceph OSDs. Must exist and cannot be renamed.
465 # Service account for the Ceph Mgr. Must exist and cannot be renamed.
# Role granting configmap access. Its kind, name and namespace are outside the visible lines;
# the binding comment further down ("Allow the osd pods ... to work with configmaps") suggests
# this is the OSD role — confirm against the full manifest.
473 apiVersion: rbac.authorization.k8s.io/v1beta1
479 resources: ["configmaps"]
# Write access, not read-only: create/update/delete are included. Keep the subjects bound to this
# role limited to the OSD service account as the binding below intends.
# Style: flow-sequence spacing differs from the line above ("[ ... ]" vs "[...]"); use one form.
480 verbs: [ "get", "list", "watch", "create", "update", "delete" ]
482 # Aspects of ceph-mgr that require access to the system namespace
484 apiVersion: rbac.authorization.k8s.io/v1beta1
486 name: rook-ceph-mgr-system
# Aggregated ClusterRole: any ClusterRole carrying the label below is merged in, so the label
# itself is privilege-granting and should be audited alongside the "-rules" role.
489 clusterRoleSelectors:
491 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
495 apiVersion: rbac.authorization.k8s.io/v1beta1
497 name: rook-ceph-mgr-system-rules
500 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
511 # Aspects of ceph-mgr that operate within the cluster's namespace
513 apiVersion: rbac.authorization.k8s.io/v1beta1
545 # Allow the operator to create resources in this cluster's namespace
# Binds the rook-ceph-system ServiceAccount (subject below) to the aggregated rook-ceph-cluster-mgmt
# ClusterRole within this namespace only. Per the header of this section, one such binding is
# needed in every namespace the operator manages a cluster in.
547 apiVersion: rbac.authorization.k8s.io/v1beta1
549 name: rook-ceph-cluster-mgmt
552 apiGroup: rbac.authorization.k8s.io
554 name: rook-ceph-cluster-mgmt
556 - kind: ServiceAccount
557 name: rook-ceph-system
560 # Allow the osd pods in this namespace to work with configmaps
562 apiVersion: rbac.authorization.k8s.io/v1beta1
567 apiGroup: rbac.authorization.k8s.io
571 - kind: ServiceAccount
575 # Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
577 apiVersion: rbac.authorization.k8s.io/v1beta1
582 apiGroup: rbac.authorization.k8s.io
586 - kind: ServiceAccount
590 # Allow the ceph mgr to access the rook system resources necessary for the mgr modules
592 apiVersion: rbac.authorization.k8s.io/v1beta1
594 name: rook-ceph-mgr-system
597 apiGroup: rbac.authorization.k8s.io
599 name: rook-ceph-mgr-system
601 - kind: ServiceAccount
605 # Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
# Cluster-scoped binding: the subject below (a ServiceAccount whose name is outside the visible
# lines — presumably the mgr account declared at the top of this section) receives the aggregated
# rook-ceph-mgr-cluster rules across all namespaces, so its token has a cluster-wide blast radius.
606 kind: ClusterRoleBinding
607 apiVersion: rbac.authorization.k8s.io/v1beta1
609 name: rook-ceph-mgr-cluster
611 apiGroup: rbac.authorization.k8s.io
613 name: rook-ceph-mgr-cluster
615 - kind: ServiceAccount