Using Rook with Pod Security Policies

Cluster Role

NOTE: Cluster role configuration is only needed when you are not already cluster-admin in your Kubernetes cluster!

Creating the Rook operator requires privileges for setting up RBAC. To launch the operator, the user certificate you authenticate with must be bound to the cluster-admin ClusterRole.

One simple way to achieve this is to issue your certificate with system:masters as its organization (O), for example when generating the CSR:

    openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=system:masters"

system:masters is a special group that is bound to the cluster-admin ClusterRole, but membership in it can't be easily revoked, so be careful about taking that route in a production setting. Binding an individual certificate to the cluster-admin ClusterRole is revocable by deleting the ClusterRoleBinding.
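The revocable alternative described above, as an added example that is not part of the Rook documentation: a ClusterRoleBinding that grants cluster-admin to exactly one certificate user. The binding name and the user name "admin" are assumptions; the user name must match the CN of the certificate, and the certificate must not carry O=system:masters, or the group grant would still apply after the binding is deleted.

```yaml
# Added example: bind a single certificate user to cluster-admin.
# Revoke with: kubectl delete clusterrolebinding rook-admin-binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-admin-binding          # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: admin                     # assumed: the CN of the client certificate
```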

RBAC for PodSecurityPolicies

If you have activated the PodSecurityPolicy admission controller and are therefore using PodSecurityPolicies, you will need additional (Cluster)RoleBindings for the different ServiceAccounts Rook uses to start the Rook storage Pods.

Security policies will differ for different backends. See Ceph’s Pod Security Policies set up in its common.yaml for an example of how this is done in practice.

NOTE: You do not have to perform these steps if you do not have the PodSecurityPolicy Admission Controller activated!
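An added example of the RBAC wiring this section describes (it is not Rook's own common.yaml): a ClusterRole that grants the "use" verb on a single PodSecurityPolicy, and a namespaced RoleBinding that gives one ServiceAccount that role. The policy name "privileged" matches the PodSecurityPolicy shown below; the namespace, the ServiceAccount name and the role and binding names are placeholders to be replaced with the values of your Rook deployment. A RoleBinding rather than a ClusterRoleBinding is used so the grant applies only in the namespace where the Rook Pods run.

```yaml
# Added example: allow one ServiceAccount to use the "privileged" PodSecurityPolicy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged              # assumed name
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['privileged']   # scope the grant to this one policy, not every PSP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rook-psp-binding            # assumed name
  namespace: rook-namespace         # placeholder: namespace the Rook Pods run in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
  - kind: ServiceAccount
    name: rook-service-account      # placeholder: repeat for each ServiceAccount Rook uses
    namespace: rook-namespace
```

Repeat the RoleBinding (or add further subjects to it) for every ServiceAccount that starts Rook storage Pods; a Pod whose ServiceAccount cannot "use" any admitted PodSecurityPolicy is rejected by the admission controller.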

PodSecurityPolicy

You need at least one PodSecurityPolicy that allows privileged Pod execution. Here is an example that should be more permissive than any backend needs:

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: privileged
    spec:
      fsGroup:
        rule: RunAsAny
      privileged: true
      runAsUser:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      volumes:
        - '*'
      allowedCapabilities:
        - '*'
      hostPID: true
      # hostNetwork is required for using host networking
      hostNetwork: false

Hint: The PodSecurityPolicy must allow hostNetwork when you set hostNetwork: true in a Cluster custom resource! In that case you must also allow hostPorts in the PodSecurityPolicy. The following range allows all ports:

      hostPorts:
        # Ceph msgr2 port
        - min: 1
          max: 65535