Helm/Upstream Charts/ceph-csi-rbd

From Wikitech

Chart name: ceph-csi-rbd

Chart version: v3.7.2

Phab task:

Review: task T364472

Use case: task T327259

Reviewers: Ben Tullis, Luca Toscano

Link to repo: https://ceph.github.io/csi-charts (listed on Artifact Hub at https://artifacthub.io/packages/helm/ceph-csi/ceph-csi-rbd)

Link to source code: https://github.com/ceph/ceph-csi/blob/v3.7.2/charts/ceph-csi-rbd/Chart.yaml

Topics:

  • storage

Decision: pass

Reasoning:

The Helm chart is of sufficient quality and is actively developed. The upstream maintainers are responsive and receptive to patches intended to improve the functionality and/or security of the chart.

There are multiple components required to install and operate a Ceph CSI plugin. Some (the CSI sidecar containers) are provided by the Kubernetes project, while others are shipped by the Ceph project. It would have been difficult for us to re-engineer what has been achieved in this chart ourselves, using our standard scaffolding.

Several small modifications have been made:

  1. Allow selective disabling of the csi-snapshotter functionality, since it requires additional configuration (the VolumeSnapshot CRDs and a snapshot controller) and we wish to start using ceph-csi without it.
  2. Prevent certain sidecar containers from requesting elevated privileges. Upstream requests them only so that non-privileged sidecars can reach the plugin's unix socket on SELinux hosts, which does not apply to our workers.

There is one container that requires the SYS_ADMIN capability, and that is the RBD plugin container itself (csi-rbdplugin), which runs as part of the daemonset on each worker and needs it to map and mount RBD images. We evaluated whether it would be practicable to extract this container from the pod and run it as a daemon on the bare-metal worker. Upon investigation, it was decided that this would likely create a more brittle configuration by coupling the daemonset to an externally managed daemon, so we have permitted this container to run with the required privileges. All other requests for elevated privileges have been removed from the chart.
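The modifications above and the SYS_ADMIN exception are a policy, and it is worth being able to check that a rendered or deployed chart actually conforms to it. The following audit script is an added example for this review and is not code from the page, from Wikimedia's chart fork, or from the ceph-csi project. It walks the JSON that `kubectl get daemonset,deployment -n <namespace> -o json` produces (a `List` of workloads, each carrying a pod template), records every container that asks for `privileged`, `allowPrivilegeEscalation` or a dangerous added capability, and reports those not covered by an explicit allowlist. The embedded manifest is constructed for the example; its workload and container names (`rbd-nodeplugin`, `rbd-provisioner`, `driver-registrar`, `csi-provisioner`, `liveness-prometheus`) are assumptions and not the names the chart uses.

```python
"""Audit Kubernetes workloads for containers that request elevated privileges.

Added example, not code from the chart review page or the ceph-csi project.
Input shape: the JSON emitted by `kubectl get daemonset,deployment -o json`.
"""
import json
import sys

# Added capabilities that are effectively root on the node. CAP_SYS_ADMIN is
# the one the RBD node plugin legitimately needs (rbd map, mount); the rest
# are listed so the audit does not miss other escalation routes.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "ALL"}


def iter_workloads(doc):
    """Yield workload objects (anything with a pod template) from a kubectl
    List, a plain list of objects, or a single object."""
    if isinstance(doc, dict):
        items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    else:
        items = list(doc)
    for obj in items:
        if "template" in obj.get("spec", {}):
            yield obj


def iter_containers(workload):
    """Yield ("Kind/name:container", containerSpec) for init and regular containers."""
    kind = workload.get("kind", "?")
    name = workload.get("metadata", {}).get("name", "?")
    pod_spec = workload.get("spec", {}).get("template", {}).get("spec", {})
    for field in ("initContainers", "containers"):
        for c in pod_spec.get(field, []):
            yield "%s/%s:%s" % (kind, name, c.get("name", "?")), c


def elevated_requests(doc):
    """Map every container that asks for elevation to the list of reasons why."""
    findings = {}
    for workload in iter_workloads(doc):
        for ident, c in iter_containers(workload):
            sc = c.get("securityContext") or {}
            reasons = []
            if sc.get("privileged"):
                reasons.append("privileged")
            if sc.get("allowPrivilegeEscalation"):
                reasons.append("allowPrivilegeEscalation")
            # Normalise "CAP_SYS_ADMIN" / "sys_admin" spellings before comparing.
            added = (sc.get("capabilities") or {}).get("add", [])
            caps = {str(cap).upper().removeprefix("CAP_") for cap in added}
            reasons.extend("cap:" + cap for cap in sorted(caps & DANGEROUS_CAPS))
            if reasons:
                findings[ident] = reasons
    return findings


def violations(findings, allowlist):
    """Containers requesting elevation that are not explicitly permitted.
    The allowlist is keyed by workload AND container, so the same image in a
    different pod (e.g. the provisioner) does not inherit the exception."""
    return {ident: why for ident, why in findings.items() if ident not in allowlist}


# Constructed sample manifest (not the chart's real rendered output).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet", "metadata": {"name": "rbd-nodeplugin"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "driver-registrar",
      "securityContext": {"privileged": true, "allowPrivilegeEscalation": true}},
     {"name": "csi-rbdplugin",
      "securityContext": {"privileged": true, "allowPrivilegeEscalation": true,
                          "capabilities": {"add": ["SYS_ADMIN"]}}},
     {"name": "liveness-prometheus"}]}}}},
  {"kind": "Deployment", "metadata": {"name": "rbd-provisioner"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "csi-provisioner", "securityContext": {"privileged": true}},
     {"name": "csi-rbdplugin",
      "securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}]}}}}
]}
""")

# Only the node plugin in the daemonset is allowed to escalate.
ALLOWED = {"DaemonSet/rbd-nodeplugin:csi-rbdplugin"}


def main(argv):
    doc = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE
    bad = violations(elevated_requests(doc), ALLOWED)
    for ident, why in sorted(bad.items()):
        print("NOT ALLOWED %s: %s" % (ident, ", ".join(why)))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to audit the constructed sample, or pass the path of a saved `kubectl ... -o json` dump; a non-zero exit means something other than the allowlisted node plugin is asking for elevation. On the sample it flags the registrar sidecar, the provisioner sidecar and the provisioner pod's copy of the plugin, which is exactly the set of changes the review describes.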