Add hostpath provisioner cluster-scoped resources

This adds the cluster-scoped resources required for the hostpath
provisioner [1]. The hostpath provisioner lets us allocate host-local storage
using PersistentVolumeClaims.

[1]: https://github.com/kubevirt/hostpath-provisioner

Part of: nerc-project/operations#49

cluster-scope/base/core/namespaces/kubevirt-hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - namespace.yaml

cluster-scope/base/core/namespaces/kubevirt-hostpath-provisioner/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubevirt-hostpath-provisioner

cluster-scope/base/machineconfiguration.openshift.io/machineconfigs/hostpath-provisioner-selinux/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - machineconfig.yaml

cluster-scope/base/machineconfiguration.openshift.io/machineconfigs/hostpath-provisioner-selinux/machineconfig.yaml

@@ -0,0 +1,24 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker
+  name: hostpath-provisioner-selinux
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    systemd:
+      units:
+        - name: hostpath-provisioner-selinux.service
+          enabled: true
+          contents: |
+            [Unit]
+            Description=Set SELinux chcon for hostpath-provisioner
+            Before=kubelet.service
+
+            [Service]
+            ExecStart=/usr/bin/chcon -Rt container_file_t /var/hpvolumes
+
+            [Install]
+            WantedBy=multi-user.target

cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/kubevirt-hostpath-provisioner/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubevirt-hostpath-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: kubevirt-hostpath-provisioner-admin
+    namespace: kubevirt-hostpath-provisioner
+roleRef:
+  kind: ClusterRole
+  name: kubevirt-hostpath-provisioner
+  apiGroup: rbac.authorization.k8s.io

cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/kubevirt-hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - clusterrolebinding.yaml

cluster-scope/base/rbac.authorization.k8s.io/clusterroles/kubevirt-hostpath-provisioner/clusterrole.yaml

@@ -0,0 +1,28 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubevirt-hostpath-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups:
+    - security.openshift.io
+    resources:
+    - securitycontextconstraints
+    resourceNames:
+    - hostpath-provisioner
+    verbs:
+    - use

cluster-scope/base/rbac.authorization.k8s.io/clusterroles/kubevirt-hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - clusterrole.yaml

cluster-scope/base/security.openshift.io/securitycontextconstraints/hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - securitycontextconstraints.yaml

cluster-scope/base/security.openshift.io/securitycontextconstraints/hostpath-provisioner/securitycontextconstraints.yaml

@@ -0,0 +1,30 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: hostpath-provisioner
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: true
+readOnlyRootFilesystem: false
+users:
+- system:serviceaccount:kubevirt-hostpath-provisioner:kubevirt-hostpath-provisioner
+volumes:
+- hostPath
+- downwardAPI
+- projected

cluster-scope/base/storage.k8s.io/storageclasses/kubevirt-hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - storageclass.yaml

cluster-scope/base/storage.k8s.io/storageclasses/kubevirt-hostpath-provisioner/storageclass.yaml

@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: kubevirt-hostpath-provisioner
+provisioner: kubevirt.io/hostpath-provisioner
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer

cluster-scope/bundles/hostpath-provisioner/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  nerc.mghpcc.org/bundle: hostpath-provisioner
+
+resources:
+- ../../base/core/namespaces/kubevirt-hostpath-provisioner
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/kubevirt-hostpath-provisioner
+- ../../base/storage.k8s.io/storageclasses/kubevirt-hostpath-provisioner
+- ../../base/security.openshift.io/securitycontextconstraints/hostpath-provisioner
+- ../../base/rbac.authorization.k8s.io/clusterroles/kubevirt-hostpath-provisioner
+- ../../base/machineconfiguration.openshift.io/machineconfigs/hostpath-provisioner-selinux