BUILD-256: update local dev and install doc for new operator approach #66

Merged
34 changes: 25 additions & 9 deletions README.md
Expand Up @@ -17,7 +17,6 @@ serves as the resource in Kubernetes Subject Access Review checks
- Initial pod requests for `SharedConfigMap` or `SharedSecret` CSI volumes are denied without both a valid `SharedConfigMap` or `SharedSecret` reference and
permissions to access that `SharedConfigMap` or `SharedSecret`.
- Changes to the `SharedConfigMap` or `SharedSecret` backing resource (namespace, name) get reflected in data stored in the user pod's CSI volume.
- //TODO - do we now change the ability to change within a Pod between `SharedConfigMap` and `SharedSecret`
- Subsequent removal of permissions for a `SharedConfigMap` or `SharedSecret` results in removal of the associated data stored in the user pod's CSI volume.
- Re-granting of permission for a `SharedConfigMap` or `SharedSecret` (after having the permissions initially, then removed) results in the associated
data getting stored in the user pod's CSI volume.
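Review bot: The `//TODO` bullet removed from the features list asked whether a Pod can change between `SharedConfigMap` and `SharedSecret`, and nothing in this hunk answers it. If the behaviour is now decided, replace the TODO with a bullet that states it; if it is still open, move the question to a tracking issue and reference it, so it is not lost with this cleanup.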
Expand All @@ -34,17 +33,18 @@ NOTE: see [CSI Volume Specifics](docs/csi.md) for restrictions around these feat

## Getting Started

Check out the [current installation options](docs/install.md) to get the driver up and going. You'll need to have
sufficient privileges to create namespaces and ServiceAccounts, and then create `ClusterRoles`, `ClusterRoleBindings`, `DaemonSets` with the privileged bit set,
and the creation of `CSIDrivers`.
The maintenance of the related API objects and the deployment of this CSI driver are handled via the [Openshift CSI Driver for Shared Resources Operator](https://github.com/openshift/csi-driver-shared-resource-operator)
when you are using a Tech Preview OpenShift Cluster in 4.10. The 4.10 release docs are not out yet with 4.10 still under development,
but these [4.9 docs](https://docs.openshift.com/container-platform/4.9/post_installation_configuration/cluster-tasks.html#post-install-tp-tasks) are
sufficient for explaining how to turn on Tech Preview features after install.

Then, check out our [entry level example](docs/simple-example.md). You'll need to have sufficient privileges to create
namespaces, `Roles` and `RoleBindings`, instances of our new `SharedConfigMap` or `SharedSecret` CRD, and pods.
For running on a 4.10 cluster which is *NOT* a Tech Preview cluster, you must employ the methodology described in the [Local Devlopment](#local-development)
section.

The permission semantics in summary:
- the `ServiceAccount` associated with a `Pod` needs access to the 'use' verb on the `SharedConfigMap` or `SharedSecret` referenced any `CSIVolume`
Once installed, the permission semantics around sharing resources is the next concern to consider. In summary:
- the `ServiceAccount` associated with a `Pod` needs access to the 'use' verb on the `SharedConfigMap` or `SharedSecret` referenced by any `CSIVolume`
specified in a `Pod` that uses this repository's CSI Driver.
- separately, any `User` can discover cluster scoped `SharedResources` based on the permissions granted to them by their cluster
- separately, any `User` can discover cluster scoped `SharedResources` based on the 'get' or 'list' permissions granted to them by their cluster
or namespace administrator.

The full definition of the `SharedConfigMap` can be found [here](deploy/0000_10_sharedconfigmap.crd.yaml) or `SharedSecret` custom resource can be found [here](deploy/0000_10_sharedsecret.crd.yaml).
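Review bot: Getting Started no longer tells the reader what privileges the install involves. The removed paragraph listed `ClusterRoles`, `ClusterRoleBindings`, `CSIDrivers` and `DaemonSets` with the privileged bit set, while the replacement only says the operator handles "the related API objects". A cluster admin evaluating the driver should still see that here, so keep one sentence naming those objects, assuming the operator still creates them. Also in this hunk: the link text `[Local Devlopment]` is misspelled, the pointer to `docs/simple-example.md` is dropped with no replacement, and "The 4.10 release docs are not out yet" will go stale, so consider wording it without the time reference.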
Expand All @@ -56,3 +56,19 @@ Next, for some details around support for updating `SharedConfigMap` or `SharedS
please visit [here](docs/content-update-details.md).

Lastly, for a depiction of details around the [features noted above](#features), check out this [FAQ](docs/faq.md).

## Local Development

If you are going to make code changes to this driver, and you'd like to test them against an OpenShift cluster, run the
`build-image` make target in this repository to capture those changes in an image reference whose remote registry and repository you can push
to, and then employ the steps described in the [Openshift CSI Driver for Shared Resources Operator Quick Start](https://github.com/openshift/csi-driver-shared-resource-operator/blob/master/README.md#quick-start),
where you set the `DRIVER_IMAGE` environment variable to the image reference created by your `make build-image` against
your local clone of this repository.

See that operator's [quick start guide](https://github.com/openshift/csi-driver-shared-resource-operator#quick-start) for
complete details.

NOTE: changes to API objects that act in concert with the driver (RBAC, CSI Driver definition, service, serviceaccounts, etc)
are defined at [https://github.com/openshift/csi-driver-shared-resource-operator/tree/master/assets](https://github.com/openshift/csi-driver-shared-resource-operator/tree/master/assets).
If your changes need adjustments to those objects, you'll need to use `make deploy` to rollout a new version of the operator,
per the same quick start guide.
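Review bot: The NOTE at the end of the new Local Development section says to use `make deploy` but does not say which repository's Makefile has that target. "Per the same quick start guide" suggests the operator repository, yet a reader who has just run `make build-image` in this clone is likely to try it here, so name the repository explicitly. The section also links the same quick start twice with two different URLs (`.../blob/master/README.md#quick-start` and `...#quick-start`), so the second paragraph can be folded into the first, and "rollout" used as a verb should be "roll out".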
155 changes: 0 additions & 155 deletions docs/install.md

This file was deleted.