Nfs client provisioner (helm#7406)
* Update version to 3.0.2

Signed-off-by: Bart Verwilst <bart@verwilst.be>

* Add PodSecurityPolicy support

Signed-off-by: Bart Verwilst <bart@verwilst.be>

* update docs for psp

Signed-off-by: Bart Verwilst <bart@verwilst.be>

* add serviceaccount docs

Signed-off-by: Bart Verwilst <bart@verwilst.be>
verwilst authored and k8s-ci-robot committed Aug 29, 2018
1 parent 5556912 commit 614d3e7
Showing 5 changed files with 57 additions and 12 deletions.
2 changes: 1 addition & 1 deletion stable/nfs-client-provisioner/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ appVersion: 3.0.2
description: nfs-client is an automatic provisioner that used your *already configured* NFS server, automatically creating Persistent Volumes.
name: nfs-client-provisioner
home: https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client
version: 0.1.2
version: 0.1.3
sources:
- https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client
maintainers:
26 changes: 15 additions & 11 deletions stable/nfs-client-provisioner/README.md
Expand Up @@ -45,17 +45,21 @@ The following tables lists the configurable parameters of this chart and their d

| Parameter | Description | Default |
| --------------------------------- | ------------------------------------- | --------------------------------------------------------- |
| `replicaCount` | number of provisioner instances to deployed | `1` |
| `strategyType` | specifies the strategy used to replace old Pods by new ones | `Recreate` |
| `image.repository` | provisioner image | `quay.io/external_storage/nfs-client-provisioner` |
| `image.tag` | version of provisioner image | `v3.0.2-k8s1.11` |
| `image.pullPolicy` | image pull policy | `IfNotPresent` |
| `storageclass.name` | name of the storageclass | `nfs-client` |
| `replicaCount` | Number of provisioner instances to deployed | `1` |
| `strategyType` | Specifies the strategy used to replace old Pods by new ones | `Recreate` |
| `image.repository` | Provisioner image | `quay.io/external_storage/nfs-client-provisioner` |
| `image.tag` | Version of provisioner image | `v3.0.2-k8s1.11` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `storageclass.name` | Name of the storageclass | `nfs-client` |
| `storageclass.defaultClass` | Set as the default StorageClass | `false` |
| `storageclass.allowVolumeExpansion` | Allow expanding the volume | `true` |
| `storageclass.reclaimPolicy` | Method used to reclaim an obsoleted volume | `Delete` |
| `storageclass.provisionerName` | name of the provisionerName | null |
| `storageclass.archiveOnDelete` | archive pvc when deleting | `true` |
| `nfs.server` | hostname of the NFS server | null (ip or hostname) |
| `nfs.path` | basepath of the mount point to be used | `/ifs/kubernetes` |
| `storageclass.reclaimPolicy` | Method used to reclaim an obsoleted volume | `Delete` |
| `storageclass.provisionerName` | Name of the provisionerName | null |
| `storageclass.archiveOnDelete` | Archive pvc when deleting | `true` |
| `nfs.server` | Hostname of the NFS server | null (ip or hostname) |
| `nfs.path` | Basepath of the mount point to be used | `/ifs/kubernetes` |
| `resources` | Resources required (e.g. CPU, memory) | `{}` |
| `rbac.create` | Use Role-based Access Control | `true` |
| `rbac.pspEnabled` | Create & use Pod Security Policy resources | `false` |
| `serviceAccount.create` | Should we create a ServiceAccount | `true` |
| `serviceAccount.name` | Name of the ServiceAccount to use | null |
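
Review bot: the new `rbac.pspEnabled` row does not say how the flag relates to `rbac.create`. In this commit the `use` rule is added inside the ClusterRole, while podsecuritypolicy.yaml is gated on `rbac.pspEnabled` alone, so if the ClusterRole is not rendered when `rbac.create` is false the policy would be created with nothing authorized to use it. Either document that `rbac.pspEnabled` requires `rbac.create: true`, or gate the policy template on both values. While these rows are being rewritten, "instances to deployed" and "Name of the provisionerName" could be corrected as well.
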
6 changes: 6 additions & 0 deletions stable/nfs-client-provisioner/templates/clusterrole.yaml
Expand Up @@ -23,3 +23,9 @@ rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
{{- if .Values.rbac.pspEnabled }}
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ template "nfs-client-provisioner.fullname" . }}]
{{- end }}
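
Review bot: the `resourceNames` entry is emitted unquoted (`[{{ template "nfs-client-provisioner.fullname" . }}]`), so a rendered name that YAML does not read as a plain string would change the rule; pipe the template output through `quote`. The rule also lists only the `extensions` API group. PodSecurityPolicy is served from the `policy` group as well on the Kubernetes 1.11 line that the chart's image tag targets, so listing both groups keeps the `use` grant valid if the policy is later created under `policy`.
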
31 changes: 31 additions & 0 deletions stable/nfs-client-provisioner/templates/podsecuritypolicy.yaml
@@ -0,0 +1,31 @@
{{- if .Values.rbac.pspEnabled }}
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "nfs-client-provisioner.fullname" . }}
labels:
app: {{ template "nfs-client-provisioner.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'secret'
- 'nfs'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
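
Review bot: `runAsUser`, `supplementalGroups` and `fsGroup` are all `RunAsAny`, so together with `readOnlyRootFilesystem: false` the policy still admits a container running as root with a writable root filesystem. If the provisioner image can run unprivileged, set `runAsUser` to `MustRunAsNonRoot`; if it needs root to manage directories on the NFS export, add a comment in the template saying so, so the permissive rules read as a decision rather than a default. The restrictive parts (`privileged: false`, `allowPrivilegeEscalation: false`, dropping `ALL` capabilities, and limiting `volumes` to `secret` and `nfs`) look right for this workload.
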
4 changes: 4 additions & 0 deletions stable/nfs-client-provisioner/values.yaml
Expand Up @@ -43,6 +43,10 @@ rbac:
# Specifies whether RBAC resources should be created
create: true

# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
pspEnabled: false

serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true