Helm/Upstream Charts/ceph-csi-rbd
Chart name: ceph-csi-rbd
Chart version: v3.7.2
Phab task:
Review: task T364472
Use case: task T327259
Reviewers: Ben Tullis, Luca Toscano
Link to repo: https://ceph.github.io/csi-charts https://artifacthub.io/packages/helm/ceph-csi/ceph-csi-rbd
Link to source code: https://github.com/ceph/ceph-csi/blob/v3.7.2/charts/ceph-csi-rbd/Chart.yaml
Topics:
- storage
Decision: pass
Reasoning:
The helm chart is of sufficient quality and is actively developed. Upstream are responsive and receptive to patches intended to improve the functionality and/or security of the chart.
There are multiple components required to install and operate a Ceph CSI plugin. Some are provided by the Kubernetes project, while others are shipped by the Ceph project. It would have been difficult for us to re-engineer what has been achieved in this chart by ourselves, using our standard scaffolding.
Several small modifications have been made:
- Allow selective disabling of the csi-snapshot functionality, since this requires additional configuration and we wish to start using ceph-csi without it.
- Prevent certain containers from requesting elevated privileges, which are only required in an SELinux environment.
There is one container that requires SYS_ADMIN capabilities and that is the cephrbd plugin container itself, which is running as part of the daemonset on each worker. We evaluated whether it would be practicable to extract this container from the pod and run it as a daemon on the bare-metal worker. Upon investigation, it was decided that this would likely create a more brittle configuration by coupling the daemonsets to an externally managed daemon, so we have permitted this container to run with the required privileges. All other privilege escalations have been disabled.
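One way to verify that a rendered chart actually matches this decision (only the plugin container adds SYS_ADMIN, everything else drops all capabilities and disables privilege escalation) is to audit the output of `helm template` before applying it. The following is an added example, not code from the ceph-csi-rbd chart or from this review: the DaemonSet below is a constructed, trimmed stand-in for rendered output, and the container names (`rbd-plugin`, `driver-registrar`, `liveness-prometheus`) and image tags are placeholders. It uses only the Python standard library; the manifest is embedded as JSON so that no YAML dependency is needed.

```python
"""Audit a rendered DaemonSet for privilege settings and produce a hardened copy.

Added example, not part of the ceph-csi-rbd chart or its review.  Container
names and images below are placeholders; the manifest is constructed.
"""
import copy
import json

# Constructed sample in the shape `helm template` emits (trimmed to the
# fields the audit looks at).  Two containers are deliberately over-privileged.
RENDERED_MANIFEST = json.loads(r'''
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "example-rbd-nodeplugin"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "driver-registrar", "image": "registrar:placeholder",
     "securityContext": {"privileged": true}},
    {"name": "rbd-plugin", "image": "cephcsi:placeholder",
     "securityContext": {"privileged": false,
                         "capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN"]}}},
    {"name": "liveness-prometheus", "image": "cephcsi:placeholder"}
  ]}}}
}
''')

# Containers that are documented as needing extra capabilities, and which ones.
# Here only the plugin container itself may add SYS_ADMIN.
ALLOWED_CAPS = {"rbd-plugin": {"SYS_ADMIN"}}


def container_findings(container, allowed=ALLOWED_CAPS):
    """Return human-readable findings for one container spec (empty = clean)."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    allowed_caps = allowed.get(name, set())
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true")
    extra = set(caps.get("add") or []) - allowed_caps
    if extra:
        findings.append(f"{name}: adds capabilities not on the allow-list {sorted(extra)}")
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: does not drop ALL capabilities")
    # allowPrivilegeEscalation defaults to true when unset.  Kubernetes rejects
    # setting it to false alongside CAP_SYS_ADMIN, so containers that legitimately
    # add that capability are exempt from this particular check.
    if sc.get("allowPrivilegeEscalation", True) and not allowed_caps:
        findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    return findings


def audit_manifest(manifest, allowed=ALLOWED_CAPS):
    """Audit every container (including initContainers) of a pod-template workload."""
    spec = manifest["spec"]["template"]["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings = []
    for c in containers:
        findings.extend(container_findings(c, allowed))
    return findings


def harden_container(container, allowed=ALLOWED_CAPS):
    """Return a copy carrying the minimal securityContext for this container."""
    c = copy.deepcopy(container)
    allowed_caps = sorted(allowed.get(c.get("name"), set()))
    sc = {"privileged": False, "capabilities": {"drop": ["ALL"]}}
    if allowed_caps:
        # Keep only the documented capabilities; allowPrivilegeEscalation must
        # stay at its default because the API server refuses false + SYS_ADMIN.
        sc["capabilities"]["add"] = allowed_caps
    else:
        sc["allowPrivilegeEscalation"] = False
    c["securityContext"] = sc
    return c


def harden_manifest(manifest, allowed=ALLOWED_CAPS):
    """Return a deep copy of the manifest with every container hardened."""
    m = copy.deepcopy(manifest)
    spec = m["spec"]["template"]["spec"]
    for key in ("containers", "initContainers"):
        if key in spec:
            spec[key] = [harden_container(c, allowed) for c in spec[key]]
    return m


if __name__ == "__main__":
    for line in audit_manifest(RENDERED_MANIFEST):
        print("FINDING:", line)
    print("after hardening:", audit_manifest(harden_manifest(RENDERED_MANIFEST)))
```

Run against the sample, the audit flags the registrar (privileged, no capability drop, escalation allowed) and the liveness sidecar (no securityContext at all), while the plugin container passes because SYS_ADMIN is on its allow-list. The hardened copy produces no findings. In practice the input would be the YAML documents from `helm template` converted to JSON, and the allow-list is the place where a decision like the one above is recorded explicitly.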