

logrotate: use the contoller plugin privileged to set sc
Currently the security context was set only by checking whether logrotate
is enabled or not; from this commit onward we will also check
whether the controller plugin has privileged set to true.

Signed-off-by: parth-gr <partharora1010@gmail.com>
parth-gr committed Aug 19, 2024
1 parent 6e1a6a9 commit 9667889
Showing 3 changed files with 51 additions and 27 deletions.
34 changes: 19 additions & 15 deletions docs/design/logrotate.md
Expand Up @@ -13,14 +13,14 @@ apiVersion: csi.ceph.io/v1alpha1
spec:
log:
verbosity: 1
driverSpecDefaults:
driverSpecDefaults:
log:
verbosity: 5
rotation:
# one of: hourly, daily, weekly, monthly
periodicity: daily
maxLogSize: 500M
maxFiles: 5
maxFiles: 7
logHostPath: /var/lib/cephcsi
```
Expand All @@ -35,14 +35,14 @@ metadata:
spec:
log:
verbosity: 1
driverSpecDefaults:
driverSpecDefaults:
log:
verbosity: 5
rotation:
# one of: hourly, daily, weekly, monthly
periodicity: daily
maxLogSize: 500M
maxFiles: 5
maxFiles: 7
logHostPath: /var/lib/cephcsi
```

Expand All @@ -51,20 +51,24 @@ Logrotator sidecar container cpu and memory usage can configured by,
`OperatorConfig CRD`:
```yaml
spec:
provisioner:
logRotator:
cpu: "100m"
memory: "32Mi"
plugin:
logRotator:
cpu: "100m"
memory: "32Mi"
driverSpecDefaults:
controllerPlugin:
resources:
logRotator:
cpu: "100m"
memory: "32Mi"
nodePlugin:
resources:
logRotator:
cpu: "100m"
memory: "32Mi"
```

For systems where SELinux is enabled (e.g. OpenShift),start plugin-controller as privileged that mount a host path.
For systems where SELinux is enabled (e.g. OpenShift), start plugin-controller as privileged that mount a host path.
`OperatorConfig CRD`:
```yaml
spec:
provisioner:
privileged: true
driverSpecDefaults:
controllerPlugin:
privileged: true
```
2 changes: 1 addition & 1 deletion docs/design/operator.md
Expand Up @@ -92,7 +92,7 @@ spec:
# one of: hourly, daily, weekly, monthly
periodicity: daily
maxLogSize: 500M
maxFiles: 5
maxFiles: 7
logHostPath: /var/lib/cephcsi
clusterName: 5c63ad7e-74fe-4724-a511-4ccdc560da56
enableMetadata: true
42 changes: 31 additions & 11 deletions internal/controller/driver_controller.go
Expand Up @@ -69,8 +69,11 @@ const (
NfsDriverType = "nfs"
)

// Annotation name for ownerref information
const ownerRefAnnotationKey = "csi.ceph.io/ownerref"
const (
// Annotation name for ownerref information
ownerRefAnnotationKey = "csi.ceph.io/ownerref"
logRotateCmd = `while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done`
)

// A regexp used to parse driver's prefix and type from the full name
var nameRegExp, _ = regexp.Compile(fmt.Sprintf(
Expand Down Expand Up @@ -513,9 +516,17 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
forceKernelClient := r.isCephFsDriver() && r.driver.Spec.CephFsClientType == csiv1a1.KernelCephFsClient
snPolicy := cmp.Or(r.driver.Spec.SnapshotPolicy, csiv1a1.VolumeSnapshotSnapshotPolicy)
logRotationSpec := cmp.Or(r.driver.Spec.Log, &csiv1a1.LogSpec{}).Rotation
logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
logRotationEnabled := logRotationSpec != nil
securityContext := utils.If(logRotationEnabled, &corev1.SecurityContext{Privileged: ptr.To(true)}, nil)
logRotateSecurityContext := utils.If(
pluginSpec.Privileged != nil && logRotationEnabled,
&corev1.SecurityContext{
Privileged: pluginSpec.Privileged,
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"All"},
},
},
nil,
)

leaderElectionSettingsArg := []string{
utils.LeaderElectionNamespaceContainerArg(r.driver.Namespace),
Expand Down Expand Up @@ -549,7 +560,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
Name: fmt.Sprintf("csi-%splugin", r.driverType),
Image: r.images["plugin"],
ImagePullPolicy: imagePullPolicy,
SecurityContext: securityContext,
SecurityContext: logRotateSecurityContext,
Args: utils.DeleteZeroValues(
[]string{
utils.TypeContainerArg(string(r.driverType)),
Expand Down Expand Up @@ -727,7 +738,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
Name: "csi-addons",
Image: r.images["addons"],
ImagePullPolicy: imagePullPolicy,
SecurityContext: securityContext,
SecurityContext: logRotateSecurityContext,
Args: utils.DeleteZeroValues(
append(
slices.Clone(leaderElectionSettingsArg),
Expand Down Expand Up @@ -832,8 +843,8 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
Image: r.images["plugin"],
ImagePullPolicy: imagePullPolicy,
Resources: resources,
Command: []string{"/bin/bash", "-c"},
Args: []string{`while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done`},
SecurityContext: logRotateSecurityContext,
Command: []string{"/bin/bash", "-c", logRotateCmd},
VolumeMounts: []corev1.VolumeMount{
utils.LogsDirVolumeMount,
utils.LogRotateDirVolumeMount,
Expand Down Expand Up @@ -866,6 +877,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
utils.KmsConfigVolume(&r.driver.Spec.Encryption.ConfigMapRef))
}
if logRotationEnabled {
logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
volumes = append(
volumes,
utils.LogsDirVolume(logHostPath, deploy.Name),
Expand Down Expand Up @@ -913,7 +925,6 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
topology := r.isRdbDriver() && pluginSpec.Topology != nil
domainLabels := cmp.Or(pluginSpec.Topology, &csiv1a1.TopologySpec{}).DomainLabels
logRotationSpec := cmp.Or(r.driver.Spec.Log, &csiv1a1.LogSpec{}).Rotation
logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
logRotationEnabled := logRotationSpec != nil

daemonSet.Spec = appsv1.DaemonSetSpec{
Expand Down Expand Up @@ -1162,8 +1173,13 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
Image: r.images["plugin"],
ImagePullPolicy: imagePullPolicy,
Resources: resources,
Command: []string{"/bin/bash", "-c"},
Args: []string{`while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done`},
SecurityContext: &corev1.SecurityContext{
Privileged: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"All"},
},
},
Command: []string{"/bin/bash", "-c", logRotateCmd},
VolumeMounts: []corev1.VolumeMount{
utils.LogsDirVolumeMount,
utils.LogRotateDirVolumeMount,
Expand Down Expand Up @@ -1212,6 +1228,7 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
)
}
if logRotationEnabled {
logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
volumes = append(
volumes,
utils.LogsDirVolume(logHostPath, daemonSet.Name),
Expand Down Expand Up @@ -1461,6 +1478,9 @@ func mergeDriverSpecs(dest, src *csiv1a1.DriverSpec) {
if dest.Replicas == nil {
dest.Replicas = src.Replicas
}
if dest.Privileged == nil {
dest.Privileged = src.Privileged
}
if dest.Resources.Attacher == nil {
dest.Resources.Attacher = src.Resources.Attacher
}
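Review bot: In reconcileControllerPluginDeployment the `Drop: []corev1.Capability{"All"}` added beside `Privileged: pluginSpec.Privileged` (and beside the hard-coded `Privileged: ptr.To(true)` of the node DaemonSet logrotate sidecar in the later hunk) is, as far as I know, ignored by the common container runtimes whenever Privileged is true, since a privileged container receives the full capability set regardless of the drop list; it only constrains the `Privileged: false` case. A comment above the literal would stop a later reader from assuming the sidecar is capability-restricted, e.g. `// Drop-all only takes effect when Privileged is false; a privileged container keeps every capability.`. The new `logRotateSecurityContext` is also assigned to the main csi plugin container and to csi-addons, not only to the logrotate sidecar, so the name understates its scope; `pluginSecurityContext` would describe what it governs. The enclosing function starts and ends outside the hunk.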

0 comments on commit 9667889
