Draft: Add ceph-csi-rbd and associated OpenShift security context constraints
closes: #3131 (closed)
What does this MR do and why?
This merge request adds ceph-csi-rbd. Relevant OpenShift security context constraints are also added so that ceph-csi-rbd can work with OKD.
Test coverage
A manual test was performed on an OKD workload cluster and verified the following two cases:
- pod can access rbd raw block device.
```yaml
---
# PVC requesting a raw block volume from the ceph-rbd-csi storage class
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: raw-block-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 1Gi
  storageClassName: ceph-rbd-csi
---
# Pod that attaches the PVC as a block device at /dev/xvda
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-raw-block-volume
spec:
  containers:
    - name: fc-container
      image: quay.io/centos/centos:stream8
      command: ["/bin/sh", "-c"]
      args: ["trap \"pkill -f sleep\" term; sleep 3600 & wait"]
      volumeDevices:
        - name: data
          devicePath: /dev/xvda
      # The container runs privileged in this test
      securityContext:
        allowPrivilegeEscalation: true
        privileged: true
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: raw-block-pvc
```
- pod can access rbd fs.
```yaml
---
# PVC requesting a filesystem volume from the ceph-rbd-csi storage class
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: rbd-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 1Gi
  storageClassName: ceph-rbd-csi
---
# Pod that mounts the PVC read-write at /var/lib/www/html
apiVersion: v1
kind: Pod
metadata:
  name: csi-rbd-demo-pod
spec:
  containers:
    - name: web-server
      image: quay.io/centos/centos:stream8
      command: ["/bin/sh", "-c"]
      args: ["trap \"pkill -f sleep\" SIGINT SIGTERM EXIT; sleep 3600 & wait"]
      volumeMounts:
        - name: mypvc
          mountPath: /var/lib/www/html
  volumes:
    - name: mypvc
      persistentVolumeClaim:
        claimName: rbd-pvc
        readOnly: false
```
Edited by Mohan Sharma