From 9667889fbc53de70ac803a7e5ab7095faae5cd1a Mon Sep 17 00:00:00 2001 From: parth-gr Date: Fri, 16 Aug 2024 14:10:30 +0530 Subject: [PATCH] logrotate: use the contoller plugin privileged to set sc currently security context was just set by looking logrotate is enabled or not, but from this commit we will also check if the cntrlplugin has prviliged true Signed-off-by: parth-gr --- docs/design/logrotate.md | 34 ++++++++++--------- docs/design/operator.md | 2 +- internal/controller/driver_controller.go | 42 +++++++++++++++++------- 3 files changed, 51 insertions(+), 27 deletions(-) diff --git a/docs/design/logrotate.md b/docs/design/logrotate.md index c3773fcd..b8e9e95c 100644 --- a/docs/design/logrotate.md +++ b/docs/design/logrotate.md @@ -13,14 +13,14 @@ apiVersion: csi.ceph.io/v1alpha1 spec: log: verbosity: 1 - driverSpecDefaults: + driverSpecDefaults: log: verbosity: 5 rotation: # one of: hourly, daily, weekly, monthly periodicity: daily maxLogSize: 500M - maxFiles: 5 + maxFiles: 7 logHostPath: /var/lib/cephcsi ``` @@ -35,14 +35,14 @@ metadata: spec: log: verbosity: 1 - driverSpecDefaults: + driverSpecDefaults: log: verbosity: 5 rotation: # one of: hourly, daily, weekly, monthly periodicity: daily maxLogSize: 500M - maxFiles: 5 + maxFiles: 7 logHostPath: /var/lib/cephcsi ``` 
@@ -51,20 +51,24 @@ Logrotator sidecar container cpu and memory usage can configured by, `OperatorConfig CRD`: ```yaml spec: - provisioner: - logRotator: - cpu: "100m" - memory: "32Mi" - plugin: - logRotator: - cpu: "100m" - memory: "32Mi" + driverSpecDefaults: + controllerPlugin: + resources: + logRotator: + cpu: "100m" + memory: "32Mi" + nodePlugin: + resources: + logRotator: + cpu: "100m" + memory: "32Mi" ``` -For systems where SELinux is enabled (e.g. OpenShift),start plugin-controller as privileged that mount a host path. +For systems where SELinux is enabled (e.g. OpenShift), start plugin-controller as privileged that mount a host path. `OperatorConfig CRD`: ```yaml spec: - provisioner: - privileged: true + driverSpecDefaults: + controllerPlugin: + privileged: true ``` diff --git a/docs/design/operator.md b/docs/design/operator.md index 01818b18..1d4f00d7 100644 --- a/docs/design/operator.md +++ b/docs/design/operator.md @@ -92,7 +92,7 @@ spec: # one of: hourly, daily, weekly, monthly periodicity: daily maxLogSize: 500M - maxFiles: 5 + maxFiles: 7 logHostPath: /var/lib/cephcsi clusterName: 5c63ad7e-74fe-4724-a511-4ccdc560da56 enableMetadata: true diff --git a/internal/controller/driver_controller.go b/internal/controller/driver_controller.go index c4544c88..0fca903a 100644 --- a/internal/controller/driver_controller.go +++ b/internal/controller/driver_controller.go @@ -69,8 +69,11 @@ const ( NfsDriverType = "nfs" ) -// Annotation name for ownerref information -const ownerRefAnnotationKey = "csi.ceph.io/ownerref" +const ( + // Annotation name for ownerref information + ownerRefAnnotationKey = "csi.ceph.io/ownerref" + logRotateCmd = `while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done` +) // A regexp used to parse driver's prefix and type from the full name var nameRegExp, _ = regexp.Compile(fmt.Sprintf( 
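Review bot: `logRotateCmd` in the new const block has no doc comment, unlike its sibling `ownerRefAnnotationKey`; suggest `// Shell loop executed by the log-rotator sidecar: runs logrotate on the CSI config every 15 minutes.` directly above it. The 15m interval and the `/logrotate-config/csi` path are now shared by the controller and node sidecars (the `@@ -832` and `@@ -1162` hunks), so the comment is also the natural place to note that both workloads depend on this one value.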
@@ -513,9 +516,17 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
 forceKernelClient := r.isCephFsDriver() && r.driver.Spec.CephFsClientType == csiv1a1.KernelCephFsClient
 snPolicy := cmp.Or(r.driver.Spec.SnapshotPolicy, csiv1a1.VolumeSnapshotSnapshotPolicy)
 logRotationSpec := cmp.Or(r.driver.Spec.Log, &csiv1a1.LogSpec{}).Rotation
- logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
 logRotationEnabled := logRotationSpec != nil
- securityContext := utils.If(logRotationEnabled, &corev1.SecurityContext{Privileged: ptr.To(true)}, nil)
+ logRotateSecurityContext := utils.If(
+ pluginSpec.Privileged != nil && logRotationEnabled,
+ &corev1.SecurityContext{
+ Privileged: pluginSpec.Privileged,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"All"},
+ },
+ },
+ nil,
+ )
 
 leaderElectionSettingsArg := []string{
 utils.LeaderElectionNamespaceContainerArg(r.driver.Namespace),
@@ -549,7 +560,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
 Name: fmt.Sprintf("csi-%splugin", r.driverType),
 Image: r.images["plugin"],
 ImagePullPolicy: imagePullPolicy,
- SecurityContext: securityContext,
+ SecurityContext: logRotateSecurityContext,
 Args: utils.DeleteZeroValues(
 []string{
 utils.TypeContainerArg(string(r.driverType)),
@@ -727,7 +738,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
 Name: "csi-addons",
 Image: r.images["addons"],
 ImagePullPolicy: imagePullPolicy,
- SecurityContext: securityContext,
+ SecurityContext: logRotateSecurityContext,
 Args: utils.DeleteZeroValues(
 append(
 slices.Clone(leaderElectionSettingsArg),
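Review bot: The condition on the second added line gates on `pluginSpec.Privileged != nil` rather than on the value being true, so an explicit `privileged: false` still produces a SecurityContext (Privileged=false, capabilities dropped) for the plugin, csi-addons and log-rotator containers while an unset value produces none, whereas the commit message describes the check as "privileged true". If the message states the intent, `ptr.Deref(pluginSpec.Privileged, false) && logRotationEnabled,` says it directly; otherwise a comment above the `utils.If` should state that any explicit setting, true or false, opts the containers into this context. Note also that the conventional spelling of the drop entry is `ALL` (whether `All` is honored depends on the runtime's case handling), and that with the common CRI runtimes a privileged container is granted the full capability set regardless of the drop list, so the drop is effective only in the explicit-false case — this applies equally to the node-plugin log-rotator context in the `@@ -1162` hunk, which hardcodes `Privileged: ptr.To(true)`. reconcileControllerPluginDeployment continues outside the hunk.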
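Review bot: The csi-addons container on the fourth line of the `@@ -727` hunk now shares `logRotateSecurityContext`, which is privileged whenever the spec sets `privileged: true`, although the name says the context exists for log rotation; if csi-addons does not itself write to the host log path (its volume mounts are outside the hunk), it could keep a nil context and stay unprivileged. Either way the shared variable would read better under a name that describes its scope, e.g. `pluginSecurityContext`, with a comment at its declaration listing the containers it is applied to; the same naming applies in the `@@ -549` and `@@ -832` hunks. reconcileControllerPluginDeployment continues outside the hunk.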
@@ -832,8 +843,8 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
 Image: r.images["plugin"],
 ImagePullPolicy: imagePullPolicy,
 Resources: resources,
- Command: []string{"/bin/bash", "-c"},
- Args: []string{`while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done`},
+ SecurityContext: logRotateSecurityContext,
+ Command: []string{"/bin/bash", "-c", logRotateCmd},
 VolumeMounts: []corev1.VolumeMount{
 utils.LogsDirVolumeMount,
 utils.LogRotateDirVolumeMount,
@@ -866,6 +877,7 @@ func (r *driverReconcile) reconcileControllerPluginDeployment() error {
 utils.KmsConfigVolume(&r.driver.Spec.Encryption.ConfigMapRef))
 }
 if logRotationEnabled {
+ logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
 volumes = append(
 volumes,
 utils.LogsDirVolume(logHostPath, deploy.Name),
@@ -913,7 +925,6 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
 topology := r.isRdbDriver() && pluginSpec.Topology != nil
 domainLabels := cmp.Or(pluginSpec.Topology, &csiv1a1.TopologySpec{}).DomainLabels
 logRotationSpec := cmp.Or(r.driver.Spec.Log, &csiv1a1.LogSpec{}).Rotation
- logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
 logRotationEnabled := logRotationSpec != nil
 
 daemonSet.Spec = appsv1.DaemonSetSpec{
@@ -1162,8 +1173,13 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
 Image: r.images["plugin"],
 ImagePullPolicy: imagePullPolicy,
 Resources: resources,
- Command: []string{"/bin/bash", "-c"},
- Args: []string{`while true; do logrotate --verbose /logrotate-config/csi; sleep 15m; done`},
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"All"},
+ },
+ },
+ Command: []string{"/bin/bash", "-c", logRotateCmd},
 VolumeMounts: []corev1.VolumeMount{
 utils.LogsDirVolumeMount,
 utils.LogRotateDirVolumeMount,
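Review bot: The node-plugin log-rotator container in the `@@ -1162` hunk always gets `Privileged: ptr.To(true)`, whereas the controller-plugin counterpart in the `@@ -832` hunk only receives a context when the spec opts in, and nothing in the hunk explains the asymmetry. A comment on the `SecurityContext` field is needed, e.g. `// Always privileged: the sidecar writes the hostPath log directory on every node and there is no per-node opt-in.` — provided that is indeed the reason. If the node-side spec carries a comparable privileged field, gating on it the same way as the controller would keep the sidecar unprivileged by default. reconcileNodePluginDeamonSet continues outside the hunk.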
@@ -1212,6 +1228,7 @@ func (r *driverReconcile) reconcileNodePluginDeamonSet() error {
 )
 }
 if logRotationEnabled {
+ logHostPath := cmp.Or(logRotationSpec.LogHostPath, defaultLogHostPath)
 volumes = append(
 volumes,
 utils.LogsDirVolume(logHostPath, daemonSet.Name),
@@ -1461,6 +1478,9 @@ func mergeDriverSpecs(dest, src *csiv1a1.DriverSpec) {
 if dest.Replicas == nil {
 dest.Replicas = src.Replicas
 }
+ if dest.Privileged == nil {
+ dest.Privileged = src.Privileged
+ }
 if dest.Resources.Attacher == nil {
 dest.Resources.Attacher = src.Resources.Attacher
 }
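Review bot: The added merge copies `dest.Privileged` at the DriverSpec level, but the controller reconcile in the `@@ -513` hunk reads `pluginSpec.Privileged`, and the updated docs place the setting under `driverSpecDefaults.controllerPlugin.privileged`; if those are different fields, a value given only in the OperatorConfig defaults would never reach the reconcile and the opt-in would silently not apply. Worth confirming that `dest.Privileged` is the field the reconcile consults, or merging the controllerPlugin-level field instead if that is where it lives. mergeDriverSpecs starts and ends outside the hunk.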