openebs-archive / openebs-docs

OpenEBS Documentation
https://docs.openebs.io
Apache License 2.0

Provide steps to setup OpenEBS with PodSecurityPolicies #484

Open kmova opened 5 years ago

kmova commented 5 years ago

The following steps were provided by @chtardif in the OpenEBS community channel, on how he configured PodSecurityPolicies (PSP) for OpenEBS.

```yaml
# A fully permissive PSP: privileged containers, all capabilities, all volume
# types (including hostPath), host network/IPC/PID, and any UID/SELinux/fsGroup.
# extensions/v1beta1 is the legacy API group for PSP (later policy/v1beta1;
# PSP was removed from Kubernetes in 1.25).
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
# Grants the OpenEBS operator service account (namespace openebs) the
# ClusterRole "privilegedpsp", which must allow the "use" verb on the PSP above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: openebspsp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privilegedpsp
subjects:
- kind: ServiceAccount
  name: openebs-maya-operator
  namespace: openebs
```
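The ClusterRoleBinding above refers to a ClusterRole named `privilegedpsp` that the issue does not show. The following is an added example of that role, not taken from the issue or from the OpenEBS project; it assumes the role should grant `use` on only the `privileged` PSP rather than on every PSP in the cluster:

```yaml
# Added example (not from the original issue): the ClusterRole referenced by
# roleRef.name "privilegedpsp". Scope is deliberately limited to the single
# PSP named "privileged" via resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privilegedpsp
rules:
- apiGroups:
  - policy        # use "extensions" instead on clusters that still serve PSP there
  resources:
  - podsecuritypolicies
  resourceNames:
  - privileged    # only this PSP, not "*"
  verbs:
  - use
```

After applying it, `kubectl auth can-i use podsecuritypolicy/privileged --as=system:serviceaccount:openebs:openebs-maya-operator` should answer `yes`; note that the binding covers only that one service account in the `openebs` namespace.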
cjyar commented 5 years ago

This doesn't seem to cover the Jiva replica pods, which are created in the application's namespace rather than the openebs namespace. The ClusterRoleBinding above only allows pods in openebs to use hostPath volumes; it doesn't allow the replicas to do so.

Or am I missing something?

ranjithwingrider commented 5 years ago

@cjyar The latest OpenEBS release 0.9 has the feature for creating Jiva pods in the OpenEBS namespace. This can be set by adding one parameter in the corresponding StorageClass. Example snippet of the SC:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: jiva-pods-in-openebs-ns
  annotations:
    openebs.io/cas-type: jiva
    cas.openebs.io/config: |
      - name: DeployInOpenEBSNamespace
        enabled: "true"
provisioner: openebs.io/provisioner-iscsi
```

More information can be found here.