wip

config/default/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: lvm-operator-system
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: lvm-operator-
+# namePrefix: lvm-operator-
 
 # Labels to add to all resources and selectors.
 #commonLabels:

config/rbac/kustomization.yaml

@@ -7,9 +7,13 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
-- sccs.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+# topolvm-node rbac
+- topolvm_node_service_account.yaml
+- topolvm_node_scc.yaml
+- topolvm_node_role.yaml
+- topolvm_node_role_bindings.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

config/rbac/role_binding.yaml

@@ -10,16 +10,3 @@ subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: topolvm-node-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: manager-role
-subjects:
-  - kind: ServiceAccount
-    name: node-manager
-    namespace: system

config/rbac/service_account.yaml

@@ -3,9 +3,3 @@ kind: ServiceAccount
 metadata:
   name: controller-manager
   namespace: system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: node-manager
-  namespace: system

config/rbac/topolvm_node_role.yaml

@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: topolvm-node
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - nodes
+  verbs:
+    - get
+    - list
+    - watch
+    - update
+    - patch
+- apiGroups:
+    - topolvm.cybozu.com
+  resources:
+    - logicalvolumes
+    - logicalvolumes/status
+  verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - delete
+    - patch
+- apiGroups:
+    - storage.k8s.io
+  resources:
+    - csidrivers
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  verbs:
+    - use
+  resourceNames:
+    - privileged
+    #- topolvm-node TODO: this scc (topolvm-node) does not provide all the rights needed .. why?

config/rbac/topolvm_node_role_bindings.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: topolvm-node
+subjects:
+  - kind: ServiceAccount
+    name: node-manager
+    namespace: system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: topolvm-node
+

config/rbac/topolvm_node_scc.yaml

@@ -0,0 +1,23 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: topolvm-node
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+readOnlyRootFilesystem: false
+volumes:
+  - emptyDir
+  - hostPath
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny

config/rbac/topolvm_node_service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-manager
+  namespace: system

controllers/topolvm_node.go

@@ -189,10 +189,14 @@ func getInitContainer() *corev1.Container {
 		fmt.Sprintf("until [ -f %s ]; do echo waiting for lvmd config file; sleep 5; done", lvmdConfigFile),
 	}
 
+	volumeMounts := []corev1.VolumeMount{
+		{Name: "lvmd-config-dir", MountPath: "/etc/topolvm"}}
+
 	fileChecker := &corev1.Container{
-		Name:    "file-checker",
-		Image:   auxImage,
-		Command: command,
+		Name:         "file-checker",
+		Image:        auxImage,
+		Command:      command,
+		VolumeMounts: volumeMounts,
 	}
 
 	return fileChecker