diff --git a/charts/longhorn/Chart.yaml b/charts/longhorn/Chart.yaml
index d69784c0..ce617fec 100644
--- a/charts/longhorn/Chart.yaml
+++ b/charts/longhorn/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: longhorn
-version: 1.0.1
-appVersion: v1.0.1
+version: 1.0.2
+appVersion: v1.0.2
 kubeVersion: ">=v1.14.0-r0"
 description: Longhorn is a distributed block storage system for Kubernetes.
 keywords:
diff --git a/charts/longhorn/questions.yml b/charts/longhorn/questions.yml
index 781f7a01..61a5033a 100644
--- a/charts/longhorn/questions.yml
+++ b/charts/longhorn/questions.yml
@@ -17,7 +17,7 @@ questions:
 label: Longhorn Manager Image Name
 group: "Longhorn Images Settings"
 - variable: image.longhorn.managerTag
- default: v1.0.1
+ default: v1.0.2
 description: "Specify Longhorn Manager Image Tag"
 type: string
 label: Longhorn Manager Image Tag
@@ -29,7 +29,7 @@ questions:
 label: Longhorn Engine Image Name
 group: "Longhorn Images Settings"
 - variable: image.longhorn.engineTag
- default: v1.0.1
+ default: v1.0.2
 description: "Specify Longhorn Engine Image Tag"
 type: string
 label: Longhorn Engine Image Tag
@@ -41,7 +41,7 @@ questions:
 label: Longhorn UI Image Name
 group: "Longhorn Images Settings"
 - variable: image.longhorn.uiTag
- default: v1.0.1
+ default: v1.0.2
 description: "Specify Longhorn UI Image Tag"
 type: string
 label: Longhorn UI Image Tag
@@ -59,29 +59,53 @@ questions:
 label: Longhorn Instance Manager Image Tag
 group: "Longhorn Images Settings"
 - variable: csi.attacherImage
- default:
+ default: longhornio/csi-attacher
 description: "Specify CSI attacher image. Leave blank to autodetect."
 type: string
 label: Longhorn CSI Attacher Image
 group: "Longhorn CSI Driver Images"
+ - variable: csi.attacherImageTag
+ default: v2.0.0
+ description: "Specify CSI attacher image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Attacher Image Tag
+ group: "Longhorn CSI Driver Images"
 - variable: csi.provisionerImage
- default:
+ default: longhornio/csi-provisioner
 description: "Specify CSI provisioner image. Leave blank to autodetect."
 type: string
 label: Longhorn CSI Provisioner Image
 group: "Longhorn CSI Driver Images"
+ - variable: csi.provisionerImageTag
+ default: v1.4.0
+ description: "Specify CSI provisioner image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Provisioner Image Tag
+ group: "Longhorn CSI Driver Images"
 - variable: csi.nodeDriverRegistrarImage
- default:
+ default: longhornio/csi-node-driver-registrar
 description: "Specify CSI Node Driver Registrar image. Leave blank to autodetect."
 type: string
 label: Longhorn CSI Node Driver Registrar Image
 group: "Longhorn CSI Driver Images"
+ - variable: csi.nodeDriverRegistrarImageTag
+ default: v1.2.0
+ description: "Specify CSI Node Driver Registrar image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Node Driver Registrar Image Tag
+ group: "Longhorn CSI Driver Images"
 - variable: csi.resizerImage
- default:
+ default: longhornio/csi-resizer
 description: "Specify CSI Driver Resizer image. Leave blank to autodetect."
 type: string
 label: Longhorn CSI Driver Resizer Image
 group: "Longhorn CSI Driver Images"
+ - variable: csi.resizerImageTag
+ default: v0.3.0
+ description: "Specify CSI Driver Resizer image tag. Leave blank to autodetect."
+ type: string
+ label: Longhorn CSI Driver Resizer Image Tag
+ group: "Longhorn CSI Driver Images"
 - variable: privateRegistry.registryUrl
 label: Private registry URL
 description: "URL of private registry"
@@ -314,3 +338,9 @@ WARNING: DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES.'
 max: 32767
 show_if: "service.ui.type=NodePort||service.ui.type=LoadBalancer"
 label: UI Service NodePort number
+- variable: enablePSP
+ default: "true"
+ description: "Setup a pod security policy for Longhorn workloads."
+ label: Pod Security Policy
+ type: boolean
+ group: "Other Settings"
\ No newline at end of file
diff --git a/charts/longhorn/templates/daemonset-sa.yaml b/charts/longhorn/templates/daemonset-sa.yaml
index ab79c97a..5282dd37 100644
--- a/charts/longhorn/templates/daemonset-sa.yaml
+++ b/charts/longhorn/templates/daemonset-sa.yaml
@@ -16,7 +16,11 @@ spec:
 spec:
 containers:
 - name: longhorn-manager
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- else }}
 image: "{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- end }}
 imagePullPolicy: IfNotPresent
 securityContext:
 privileged: true
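Review bot: `default: "true"` on the new enablePSP question is a quoted string for a question declared `type: boolean`, while values.yaml in this same diff sets `enablePSP: true` as a real boolean. If the answer is passed through as a string, the `{{- if .Values.enablePSP }}` guard in psp.yaml treats any non-empty value, including "false", as true, so the question could not switch the policy off; write `default: true` so the default agrees with values.yaml and the guard. The file also still ends without a trailing newline (`\ No newline at end of file`).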
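Review bot: The `if/else` on `.Values.privateRegistry.registryUrl` writes each image reference out twice with the `{{ .Values.privateRegistry.registryUrl }}/` prefix as the only difference, and the same two-arm pattern repeats in the daemonset-sa command-args hunk, deployment-driver.yaml, deployment-ui.yaml, postupgrade-job.yaml and uninstall-job.yaml. A named helper in _helpers.tpl (outside this diff) taking the repository and tag, or a prefix computed once at the top of each template, would render both cases from a single line such as `image: "{{ $prefix }}{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"` and keep a future edit from landing in one arm only. The two files also differ in form for the same value: this one uses inline `"{{ }}"` interpolation, deployment-driver.yaml uses `printf ... | quote`; one form throughout would be easier to audit.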
@@ -25,11 +29,23 @@ spec:
 - -d
 - daemon
 - --engine-image
+ {{- if .Values.privateRegistry.registryUrl }}
+ - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.engine }}:{{ .Values.image.longhorn.engineTag }}"
+ {{- else }}
 - "{{ .Values.image.longhorn.engine }}:{{ .Values.image.longhorn.engineTag }}"
+ {{- end }}
 - --instance-manager-image
+ {{- if .Values.privateRegistry.registryUrl }}
+ - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.instanceManager }}:{{ .Values.image.longhorn.instanceManagerTag }}"
+ {{- else }}
 - "{{ .Values.image.longhorn.instanceManager }}:{{ .Values.image.longhorn.instanceManagerTag }}"
+ {{- end }}
 - --manager-image
+ {{- if .Values.privateRegistry.registryUrl }}
+ - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- else }}
 - "{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- end }}
 - --service-account
 - longhorn-service-account
 ports:
@@ -45,6 +61,7 @@ spec:
 mountPath: /host/proc/
 - name: varrun
 mountPath: /var/run/
+ mountPropagation: Bidirectional
 - name: longhorn
 mountPath: /var/lib/longhorn/
 mountPropagation: Bidirectional
diff --git a/charts/longhorn/templates/deployment-driver.yaml b/charts/longhorn/templates/deployment-driver.yaml
index b0f5529e..43c1af09 100644
--- a/charts/longhorn/templates/deployment-driver.yaml
+++ b/charts/longhorn/templates/deployment-driver.yaml
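Review bot: The `mountPropagation: Bidirectional` added to the `/var/run/` mount lets mounts performed inside this privileged container propagate back onto the host's /var/run, and nothing in the hunk records why that is needed. Put the reason beside the line, e.g. `# Bidirectional: <TODO name the host-side mounts under /var/run that must become visible on the host>`, so the host-mount surface of the manager can be reviewed later without reconstructing this commit; the existing `/var/lib/longhorn/` propagation two lines below would benefit from the same note. Bidirectional propagation is only admitted for privileged containers, which this one is (`privileged: true` in the previous hunk), so a future attempt to drop the privilege flag will also have to revisit these two lines. The volumeMounts list continues outside the hunk.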
@@ -16,18 +16,30 @@ spec:
 spec:
 initContainers:
 - name: wait-longhorn-manager
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- else }}
 image: {{ printf "%s:%s" .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- end }}
 command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done']
 containers:
 - name: longhorn-driver-deployer
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- else }}
 image: {{ printf "%s:%s" .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- end }}
 imagePullPolicy: IfNotPresent
 command:
 - longhorn-manager
 - -d
 - deploy-driver
 - --manager-image
+ {{- if .Values.privateRegistry.registryUrl }}
+ - {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- else }}
 - {{ printf "%s:%s" .Values.image.longhorn.manager .Values.image.longhorn.managerTag | quote }}
+ {{- end }}
 - --manager-url
 - http://longhorn-backend:9500/v1
 env:
@@ -47,22 +59,41 @@ spec:
 - name: KUBELET_ROOT_DIR
 value: {{ .Values.csi.kubeletRootDir }}
 {{- end }}
- {{- if .Values.csi.attacherImage }}
+ {{- if .Values.privateRegistry.registryUrl }}
+ {{- if and .Values.csi.attacherImage .Values.csi.attacherImageTag }}
+ - name: CSI_ATTACHER_IMAGE
+ value: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.csi.attacherImage .Values.csi.attacherImageTag | quote }}
+ {{- end }}
+ {{- if and .Values.csi.provisionerImage .Values.csi.provisionerImageTag }}
+ - name: CSI_PROVISIONER_IMAGE
+ value: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.csi.provisionerImage .Values.csi.provisionerImageTag | quote }}
+ {{- end }}
+ {{- if and .Values.csi.nodeDriverRegistrarImage .Values.csi.nodeDriverRegistrarImageTag }}
+ - name: CSI_NODE_DRIVER_REGISTRAR_IMAGE
+ value: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.csi.nodeDriverRegistrarImage .Values.csi.nodeDriverRegistrarImageTag | quote }}
+ {{- end }}
+ {{- if and .Values.csi.resizerImage .Values.csi.resizerImageTag }}
+ - name: CSI_RESIZER_IMAGE
+ value: {{ printf "%s/%s:%s" .Values.privateRegistry.registryUrl .Values.csi.resizerImage .Values.csi.resizerImageTag | quote }}
+ {{- end }}
+ {{- else }}
+ {{- if and .Values.csi.attacherImage .Values.csi.attacherImageTag }}
 - name: CSI_ATTACHER_IMAGE
- value: {{ .Values.csi.attacherImage }}
+ value: {{ printf "%s:%s" .Values.csi.attacherImage .Values.csi.attacherImageTag | quote }}
 {{- end }}
- {{- if .Values.csi.provisionerImage }}
+ {{- if and .Values.csi.provisionerImage .Values.csi.provisionerImageTag }}
 - name: CSI_PROVISIONER_IMAGE
- value: {{ .Values.csi.provisionerImage }}
+ value: {{ printf "%s:%s" .Values.csi.provisionerImage .Values.csi.provisionerImageTag | quote }}
 {{- end }}
- {{- if .Values.csi.nodeDriverRegistrarImage }}
+ {{- if and .Values.csi.nodeDriverRegistrarImage .Values.csi.nodeDriverRegistrarImageTag }}
 - name: CSI_NODE_DRIVER_REGISTRAR_IMAGE
- value: {{ .Values.csi.nodeDriverRegistrarImage }}
+ value: {{ printf "%s:%s" .Values.csi.nodeDriverRegistrarImage .Values.csi.nodeDriverRegistrarImageTag | quote }}
 {{- end }}
- {{- if .Values.csi.resizerImage }}
+ {{- if and .Values.csi.resizerImage .Values.csi.resizerImageTag }}
 - name: CSI_RESIZER_IMAGE
- value: {{ .Values.csi.resizerImage }}
+ value: {{ printf "%s:%s" .Values.csi.resizerImage .Values.csi.resizerImageTag | quote }}
 {{- end }}
+ {{- end }}
 {{- if .Values.csi.attacherReplicaCount }}
 - name: CSI_ATTACHER_REPLICA_COUNT
 value: {{ .Values.csi.attacherReplicaCount | quote }}
diff --git a/charts/longhorn/templates/deployment-ui.yaml b/charts/longhorn/templates/deployment-ui.yaml
index d24a8a17..f75671be 100644
--- a/charts/longhorn/templates/deployment-ui.yaml
+++ b/charts/longhorn/templates/deployment-ui.yaml
@@ -17,7 +17,11 @@ spec:
 spec:
 containers:
 - name: longhorn-ui
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.ui }}:{{ .Values.image.longhorn.uiTag }}"
+ {{- else }}
 image: "{{ .Values.image.longhorn.ui }}:{{ .Values.image.longhorn.uiTag }}"
+ {{- end }}
 imagePullPolicy: IfNotPresent
 securityContext:
 runAsUser: 0
diff --git a/charts/longhorn/templates/postupgrade-job.yaml b/charts/longhorn/templates/postupgrade-job.yaml
index 7a58eb8f..41287c79 100644
--- a/charts/longhorn/templates/postupgrade-job.yaml
+++ b/charts/longhorn/templates/postupgrade-job.yaml
@@ -17,7 +17,11 @@ spec:
 spec:
 containers:
 - name: longhorn-post-upgrade
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- else }}
 image: "{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- end }}
 imagePullPolicy: Always
 command:
 - longhorn-manager
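Review bot: The four CSI_*_IMAGE env entries are written out twice, once under `{{- if .Values.privateRegistry.registryUrl }}` and again under `{{- else }}`, with the registry prefix as the only difference between the arms; eight near-identical stanzas make a later change (a fifth sidecar, a renamed value, a typo fix) easy to apply to one arm and miss in the other. Computing the prefix once and rendering each entry a single time produces the same manifest from half the lines, as sketched below. The `$prefix = ...` reassignment relies on Go 1.11 template semantics (Helm 3, or a Helm 2 built on a recent Go); if the chart must also render on older Helm 2, a named helper template is the alternative. The enclosing `env:` list starts before the hunk and continues after it.
```yaml
          {{- $prefix := "" }}
          {{- if .Values.privateRegistry.registryUrl }}
          {{- $prefix = printf "%s/" .Values.privateRegistry.registryUrl }}
          {{- end }}
          {{- if and .Values.csi.attacherImage .Values.csi.attacherImageTag }}
          - name: CSI_ATTACHER_IMAGE
            value: {{ printf "%s%s:%s" $prefix .Values.csi.attacherImage .Values.csi.attacherImageTag | quote }}
          {{- end }}
          {{- /* … unchanged pattern, one stanza each: CSI_PROVISIONER_IMAGE, CSI_NODE_DRIVER_REGISTRAR_IMAGE, CSI_RESIZER_IMAGE … */}}
```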
diff --git a/charts/longhorn/templates/psp.yaml b/charts/longhorn/templates/psp.yaml
new file mode 100644
index 00000000..66479b4f
--- /dev/null
+++ b/charts/longhorn/templates/psp.yaml
@@ -0,0 +1,66 @@
+{{- if .Values.enablePSP }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: longhorn-psp
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ requiredDropCapabilities:
+ - NET_RAW
+ allowedCapabilities:
+ - SYS_ADMIN
+ hostNetwork: false
+ hostIPC: false
+ hostPID: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - secret
+ - projected
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: longhorn-psp-role
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - longhorn-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: longhorn-psp-binding
+ labels: {{- include "longhorn.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: longhorn-psp-role
+subjects:
+- kind: ServiceAccount
+ name: longhorn-service-account
+ namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/longhorn/templates/storageclass.yaml b/charts/longhorn/templates/storageclass.yaml
index 73cc607a..3fee340f 100644
--- a/charts/longhorn/templates/storageclass.yaml
+++ b/charts/longhorn/templates/storageclass.yaml
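Review bot: The RoleBinding's second subject grants `use` of longhorn-psp to the `default` ServiceAccount of the release namespace, so every pod in that namespace that does not name a ServiceAccount is admitted under a policy allowing `privileged: true`, `hostPID: true` and an unconstrained `hostPath` volume — a wider grant than the longhorn-service-account subject, and the diff does not say which Longhorn pods run as `default`. If some do (the CSI components created by the driver deployer are the likely candidates, but that is inferred), put a comment above that subject naming them; otherwise bind only the accounts Longhorn's own workloads use. The `hostPath` entry in `volumes` would also be tighter with an `allowedHostPaths` list limited to the host directories behind the daemonset's mounts (`/var/run/`, `/var/lib/longhorn/` and the other volumeMounts in daemonset-sa.yaml, partly outside this diff). With `enablePSP: true` as the values.yaml default, this grant is active on every install where PSP admission is enabled, which is worth a sentence in the values.yaml comment as well. The file ends without a trailing newline.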
@@ -2,13 +2,8 @@ kind: StorageClass
 apiVersion: storage.k8s.io/v1
 metadata:
 name: longhorn
- {{- if .Values.persistence.defaultClass }}
 annotations:
- storageclass.beta.kubernetes.io/is-default-class: "true"
- {{- else }}
- annotations:
- storageclass.beta.kubernetes.io/is-default-class: "false"
- {{- end }}
+ storageclass.kubernetes.io/is-default-class: {{ .Values.persistence.defaultClass | quote }}
 labels: {{- include "longhorn.labels" . | nindent 4 }}
 provisioner: driver.longhorn.io
 allowVolumeExpansion: true
diff --git a/charts/longhorn/templates/uninstall-job.yaml b/charts/longhorn/templates/uninstall-job.yaml
index a30d04f0..f5696dd0 100644
--- a/charts/longhorn/templates/uninstall-job.yaml
+++ b/charts/longhorn/templates/uninstall-job.yaml
@@ -17,7 +17,11 @@ spec:
 spec:
 containers:
 - name: longhorn-uninstall
+ {{- if .Values.privateRegistry.registryUrl }}
+ image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- else }}
 image: "{{ .Values.image.longhorn.manager }}:{{ .Values.image.longhorn.managerTag }}"
+ {{- end }}
 imagePullPolicy: Always
 command:
 - longhorn-manager
diff --git a/charts/longhorn/values.yaml b/charts/longhorn/values.yaml
index a1a7d263..95406785 100644
--- a/charts/longhorn/values.yaml
+++ b/charts/longhorn/values.yaml
@@ -4,11 +4,11 @@ image:
 longhorn:
 engine: longhornio/longhorn-engine
- engineTag: v1.0.1
+ engineTag: v1.0.2
 manager: longhornio/longhorn-manager
- managerTag: v1.0.1
+ managerTag: v1.0.2
 ui: longhornio/longhorn-ui
- uiTag: v1.0.1
+ uiTag: v1.0.2
 instanceManager: longhornio/longhorn-instance-manager
 instanceManagerTag: v1_20200514
 pullPolicy: IfNotPresent
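Review bot: The new annotation line renders `{{ .Values.persistence.defaultClass | quote }}` with no fallback, whereas the removed `if/else` emitted an explicit `"false"` whenever the value was unset; what `quote` renders for a nil differs between sprig versions (an empty string on some, no output on others), so an override that nulls the value would no longer produce the old explicit false. `storageclass.kubernetes.io/is-default-class: {{ .Values.persistence.defaultClass | default false | quote }}` keeps `"true"`/`"false"` in every case. values.yaml appears to define `persistence.defaultClass` (only part of the `persistence:` block is in this diff), so this only matters for overrides. The switch from the `storageclass.beta.kubernetes.io` key to the GA key is consistent with the chart's `kubeVersion: ">=v1.14.0-r0"`.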
@@ -26,10 +26,14 @@ persistence:
 defaultClassReplicaCount: 3
 
 csi:
- attacherImage: ~
- provisionerImage: ~
- nodeDriverRegistrarImage: ~
- resizerImage: ~
+ attacherImage: longhornio/csi-attacher
+ attacherImageTag: v2.0.0
+ provisionerImage: longhornio/csi-provisioner
+ provisionerImageTag: v1.4.0
+ nodeDriverRegistrarImage: longhornio/csi-node-driver-registrar
+ nodeDriverRegistrarImageTag: v1.2.0
+ resizerImage: longhornio/csi-resizer
+ resizerImageTag: v0.3.0
 kubeletRootDir: ~
 attacherReplicaCount: ~
 provisionerReplicaCount: ~
@@ -114,3 +118,6 @@ ingress:
 # - name: longhorn.local-tls
 # key:
 # certificate:
+
+# Configure a pod security policy in the Longhorn namespace to allow privileged pods
+enablePSP: true