From dd29c6c06b8018ce8f9b2c50aa31ff61d5b04484 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 16 Dec 2020 09:52:36 +0100
Subject: [PATCH] deploy: allow rbd nodeplugin to read ConfigMaps from Tenants

Tenants can have their own ConfigMap that contains connection parameters to the Vault Service where the PV encyption keys are located. It is possible for a Tenant to use a different Vault Service than the one configured by the Storage Admin who deployed Ceph-CSI. For this, the node-plugin needs to be able to read the ConfigMap from the Tenants namespace.

See-also: docs/design/proposals/encryption-with-vault-tokens.md

Signed-off-by: Niels de Vos
---
 charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml | 4 ++++
 deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
index 2a642ed29..fa0542c13 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
@@ -15,7 +15,11 @@ rules:
 resources: ["nodes"]
 verbs: ["get"]
 {{- end }}
+ # allow to read Vault Token and connection options from the Tenants namespace
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
 {{- end -}}
diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
index fa9bb61ab..5d02593ec 100644
--- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
@@ -12,9 +12,13 @@ rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get"]
+ # allow to read Vault Token and connection options from the Tenants namespace
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
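Review bot: The new `configmaps` rule in nodeplugin-clusterrole.yaml is placed in a ClusterRole, so it is not limited to "the Tenants namespace" that the comment above it describes: the node-plugin service account, whose token is mounted on every node, gains `get` on every ConfigMap in every namespace. `get` without `list`/`watch` confines this to ConfigMaps whose name is already known, which looks deliberate and should be stated; a comment such as `# cluster-wide "get" on purpose: the tenant chooses namespace and name, so resourceNames cannot narrow this; list/watch intentionally omitted` directly above the new rule would capture that. Since the `nodes` rule just above is wrapped in a template conditional (its `{{- end }}` is visible in the hunk), consider gating this rule behind a chart value in the same way so deployments that do not use tenant-provided Vault configuration do not carry the extra grant. The enclosing `rules:` list and the outer `{{- if` begin before the hunk.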
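Review bot: In csi-nodeplugin-rbac.yaml the added `configmaps` rule, together with the `ClusterRoleBinding` that starts at the end of the hunk, makes any ConfigMap in any namespace readable by the node-plugin, so a compromised plugin pod on one node presumably exposes every tenant's ConfigMap, not just the ones on that node. That is a broader trust boundary than the comment conveys, and the referenced design document should tell tenants that only non-secret connection options belong in the ConfigMap, with the Vault token kept in the Secret the existing `secrets` rule already covers. The new comment is attached to the pre-existing `secrets` rule rather than the rule this commit adds; I would put a dedicated line above the new entry, e.g. `# read tenant-provided Vault connection options (cluster-wide "get"; list/watch omitted)`. The `rules:` list begins before the hunk and the ClusterRoleBinding continues past it.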