75a115ea29
This PS is to address security best practices concerning running containers as a non-privileged user and disallowing privilege escalation. Change-Id: If4c0e9fe446091ba75d1a9818ffd3a0933285af4
375 lines
9.6 KiB
YAML
375 lines
9.6 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for ceph-mon.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
---
|
|
deployment:
|
|
ceph: true
|
|
storage_secrets: true
|
|
|
|
images:
|
|
pull_policy: IfNotPresent
|
|
tags:
|
|
ceph_bootstrap: 'docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20200521'
|
|
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200521'
|
|
ceph_mon: 'docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20200521'
|
|
ceph_mon_check: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200521'
|
|
dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
|
|
image_repo_sync: 'docker.io/docker:17.07.0'
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
labels:
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
mon:
|
|
node_selector_key: ceph-mon
|
|
node_selector_value: enabled
|
|
|
|
pod:
|
|
security_context:
|
|
mon:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
ceph_init_dirs:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
ceph_log_ownership:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
ceph_mon:
|
|
runAsUser: 64045
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
moncheck:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
ceph_mon:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
bootstrap:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
ceph_bootstrap:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
storage_keys_generator:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
ceph_storage_keys_generator:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
ceph:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
ceph-mds-keyring-generator:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
ceph-mgr-keyring-generator:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
ceph-mon-keyring-generator:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
ceph-osd-keyring-generator:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
dns_policy: "ClusterFirstWithHostNet"
|
|
replicas:
|
|
mon_check: 1
|
|
lifecycle:
|
|
upgrades:
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
mon:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
resources:
|
|
enabled: false
|
|
mon:
|
|
requests:
|
|
memory: "50Mi"
|
|
cpu: "250m"
|
|
limits:
|
|
memory: "100Mi"
|
|
cpu: "500m"
|
|
mon_check:
|
|
requests:
|
|
memory: "5Mi"
|
|
cpu: "250m"
|
|
limits:
|
|
memory: "50Mi"
|
|
cpu: "500m"
|
|
jobs:
|
|
bootstrap:
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "500m"
|
|
secret_provisioning:
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "500m"
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
tolerations:
|
|
mon_check:
|
|
tolerations:
|
|
- effect: NoExecute
|
|
key: node.kubernetes.io/not-ready
|
|
operator: Exists
|
|
tolerationSeconds: 60
|
|
- effect: NoExecute
|
|
key: node.kubernetes.io/unreachable
|
|
operator: Exists
|
|
tolerationSeconds: 60
|
|
|
|
secrets:
|
|
keyrings:
|
|
mon: ceph-mon-keyring
|
|
mds: ceph-bootstrap-mds-keyring
|
|
osd: ceph-bootstrap-osd-keyring
|
|
mgr: ceph-bootstrap-mgr-keyring
|
|
admin: ceph-client-admin-keyring
|
|
|
|
network:
|
|
public: 192.168.0.0/16
|
|
cluster: 192.168.0.0/16
|
|
|
|
conf:
|
|
templates:
|
|
keyring:
|
|
admin: |
|
|
[client.admin]
|
|
key = {{ key }}
|
|
auid = 0
|
|
caps mds = "allow"
|
|
caps mon = "allow *"
|
|
caps osd = "allow *"
|
|
caps mgr = "allow *"
|
|
mon: |
|
|
[mon.]
|
|
key = {{ key }}
|
|
caps mon = "allow *"
|
|
bootstrap:
|
|
mds: |
|
|
[client.bootstrap-mds]
|
|
key = {{ key }}
|
|
caps mon = "allow profile bootstrap-mds"
|
|
mgr: |
|
|
[client.bootstrap-mgr]
|
|
key = {{ key }}
|
|
caps mgr = "allow profile bootstrap-mgr"
|
|
osd: |
|
|
[client.bootstrap-osd]
|
|
key = {{ key }}
|
|
caps mon = "allow profile bootstrap-osd"
|
|
ceph:
|
|
global:
|
|
# auth
|
|
cephx: true
|
|
cephx_require_signatures: false
|
|
cephx_cluster_require_signatures: true
|
|
cephx_service_require_signatures: false
|
|
objecter_inflight_op_bytes: "1073741824"
|
|
objecter_inflight_ops: 10240
|
|
debug_ms: "0/0"
|
|
mon_osd_down_out_interval: 1800
|
|
mon_osd_down_out_subtree_limit: root
|
|
mon_osd_min_in_ratio: 0
|
|
mon_osd_min_up_ratio: 0
|
|
mon_data_avail_warn: 15
|
|
log_file: /dev/stdout
|
|
mon_cluster_log_file: /dev/stdout
|
|
osd:
|
|
osd_mkfs_type: xfs
|
|
osd_mkfs_options_xfs: -f -i size=2048
|
|
osd_max_object_name_len: 256
|
|
ms_bind_port_min: 6800
|
|
ms_bind_port_max: 7100
|
|
osd_snap_trim_priority: 1
|
|
osd_snap_trim_sleep: 0.1
|
|
osd_pg_max_concurrent_snap_trims: 1
|
|
filestore_merge_threshold: -10
|
|
filestore_split_multiple: 12
|
|
filestore_max_sync_interval: 10
|
|
osd_scrub_begin_hour: 22
|
|
osd_scrub_end_hour: 4
|
|
osd_scrub_during_recovery: false
|
|
osd_scrub_sleep: 0.1
|
|
osd_scrub_chunk_min: 1
|
|
osd_scrub_chunk_max: 4
|
|
osd_scrub_load_threshold: 10.0
|
|
osd_deep_scrub_stride: "1048576"
|
|
osd_scrub_priority: 1
|
|
osd_recovery_op_priority: 1
|
|
osd_recovery_max_active: 1
|
|
osd_mount_options_xfs: "rw,noatime,largeio,inode64,swalloc,logbufs=8,logbsize=256k,allocsize=4M"
|
|
osd_journal_size: 10240
|
|
storage:
|
|
mon:
|
|
directory: /var/lib/openstack-helm/ceph/mon
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- ceph-mon-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
bootstrap:
|
|
jobs: null
|
|
services:
|
|
- endpoint: internal
|
|
service: ceph_mon
|
|
job_keyring_generator:
|
|
jobs: null
|
|
mon:
|
|
jobs:
|
|
- ceph-storage-keys-generator
|
|
- ceph-mon-keyring-generator
|
|
moncheck:
|
|
jobs:
|
|
- ceph-storage-keys-generator
|
|
- ceph-mon-keyring-generator
|
|
services:
|
|
- endpoint: discovery
|
|
service: ceph_mon
|
|
storage_keys_generator:
|
|
jobs: null
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
bootstrap:
|
|
enabled: false
|
|
script: |
|
|
ceph -s
|
|
function ensure_pool () {
|
|
ceph osd pool stats $1 || ceph osd pool create $1 $2
|
|
local test_version=$(ceph tell osd.* version | egrep -c "nautilus|mimic|luminous" | xargs echo)
|
|
if [[ ${test_version} -gt 0 ]]; then
|
|
ceph osd pool application enable $1 $3
|
|
fi
|
|
}
|
|
#ensure_pool volumes 8 cinder
|
|
|
|
# if you change provision_storage_class to false
|
|
# it is presumed you manage your own storage
|
|
# class definition externally
|
|
# We iterate over each storageclass parameters
|
|
# and derive the manifest.
|
|
storageclass:
|
|
rbd:
|
|
provision_storage_class: true
|
|
provisioner: ceph.com/rbd
|
|
ceph_configmap_name: ceph-etc
|
|
metadata:
|
|
default_storage_class: true
|
|
name: general
|
|
parameters:
|
|
pool: rbd
|
|
adminId: admin
|
|
adminSecretName: pvc-ceph-conf-combined-storageclass
|
|
adminSecretNamespace: ceph
|
|
userId: admin
|
|
userSecretName: pvc-ceph-client-key
|
|
imageFormat: "2"
|
|
imageFeatures: layering
|
|
cephfs:
|
|
provision_storage_class: true
|
|
provisioner: ceph.com/cephfs
|
|
metadata:
|
|
name: cephfs
|
|
parameters:
|
|
adminId: admin
|
|
userSecretName: pvc-ceph-cephfs-client-key
|
|
adminSecretName: pvc-ceph-conf-combined-storageclass
|
|
adminSecretNamespace: ceph
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
ceph_mon:
|
|
namespace: null
|
|
hosts:
|
|
default: ceph-mon
|
|
discovery: ceph-mon-discovery
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
mon:
|
|
default: 6789
|
|
mon_msgr2:
|
|
default: 3300
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
configmap_templates: true
|
|
daemonset_mon: true
|
|
deployment_moncheck: true
|
|
job_image_repo_sync: true
|
|
job_bootstrap: true
|
|
job_keyring: true
|
|
service_mon: true
|
|
service_mon_discovery: true
|
|
job_storage_admin_keys: true
|
|
...
|