Page MenuHomePhabricator
Create Task
Maniphest T376406

Import the upstream ceph-csi-cephfs chart and adapt it to our needs
Closed, ResolvedPublic
Actions

Description

The URL for this chart is https://github.com/ceph/ceph-csi/tree/devel/charts/ceph-csi-cephfs

It should be very similar to the ceph-csi-rbd chart that we already use and has already been through the review process by the k8s-sig team.

We should take care, once again, to ensure that we use a version that matches our Kubernetes version closely.

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

BTullis created this task.Oct 3 2024, 5:08 PM
BTullis triaged this task as High priority.
BTullis added a subtask: T376408: Deploy the ceph-csi-cephfs chart to the dse-k8s-cluster.Oct 3 2024, 5:12 PM
BTullis assigned this task to brouberol.Oct 3 2024, 11:57 PM
brouberol moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2024.09.28 - 2024.10.18) board.Oct 4 2024, 7:03 AM
gerritbot added a comment.Oct 4 2024, 7:32 AM

Change #1077872 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Import ceph-csi-cephfs chart

https://gerrit.wikimedia.org/r/1077872

gerritbot added a project: Patch-For-Review.Oct 4 2024, 7:32 AM

Change #1077873 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Make it possible to deploy provisioner without the snahshotter

https://gerrit.wikimedia.org/r/1077873

gerritbot added a comment.Oct 4 2024, 7:33 AM

Change #1077874 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Run the driver-registrar as root

https://gerrit.wikimedia.org/r/1077874

gerritbot added a comment.Oct 4 2024, 7:33 AM

Change #1077875 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Disable the priviledged security context of the liveness-prometheus container

https://gerrit.wikimedia.org/r/1077875

gerritbot added a comment.Oct 4 2024, 7:43 AM

Change #1077878 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Define the ceph-csi-cephfs admin_ng helmfile

https://gerrit.wikimedia.org/r/1077878

gerritbot added a comment.Oct 7 2024, 12:00 PM

Change #1078387 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Make it possible to create several storage classes

https://gerrit.wikimedia.org/r/1078387

elukey subscribed.Oct 11 2024, 2:32 PM

Quick pass on the upstream's source code, here some ideas/noteworthy-things:

  • The last commit of the repo seemed from 2022, so it appears as if it was abandoned, but maybe nobody really send pull requests recently and the community is active. It is under ceph-csi and IIRC Ben had very nice interactions with them, so probably not an issue, just reporting it :)
  • The provisioner's cluster-role looks reasonable, I don't see anything clearly pointing to privileges escalations or similar (namely having rules that allow to modify and gather privileges at the k8s api level).
  • daemon sets: I see various privileged containers (driver-registrar, csi-cephplugin, http-metrics) with high pivileges. The first seems to need to access the Kubelet's sockets to register etc.., the second one needs to mount and work with /dev and the latter afaics only display metrics. The first two seem ok-ish use cases, but the latter is very weird (IIRC we had the same issue with the other ceph-related chart review).

Didn't find any big blocker except the http-metrics container. Going to review patches now.

gerritbot added a comment.Oct 14 2024, 1:56 PM

Change #1080032 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] ceph-csi-cephfs: replace the ClusterRole by a list of ns-scoped Roles

https://gerrit.wikimedia.org/r/1080032

brouberol moved this task from In Progress to Needs Review on the Data-Platform-SRE (2024.09.28 - 2024.10.18) board.Oct 15 2024, 8:56 AM
brouberol moved this task from Needs Review to To Be Deployed on the Data-Platform-SRE (2024.09.28 - 2024.10.18) board.Oct 16 2024, 4:40 PM
gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1077872 merged by jenkins-bot:

[operations/deployment-charts@master] Import ceph-csi-cephfs chart

https://gerrit.wikimedia.org/r/1077872

gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1077873 merged by jenkins-bot:

[operations/deployment-charts@master] Make it possible to deploy provisioner without the snahshotter

https://gerrit.wikimedia.org/r/1077873

gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1077874 merged by jenkins-bot:

[operations/deployment-charts@master] Run the driver-registrar as root

https://gerrit.wikimedia.org/r/1077874

gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1077875 merged by jenkins-bot:

[operations/deployment-charts@master] Disable the priviledged security context of the liveness-prometheus container

https://gerrit.wikimedia.org/r/1077875

gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1078387 merged by jenkins-bot:

[operations/deployment-charts@master] Make it possible to create several storage classes

https://gerrit.wikimedia.org/r/1078387

gerritbot added a comment.Oct 17 2024, 8:10 AM

Change #1080032 merged by jenkins-bot:

[operations/deployment-charts@master] ceph-csi-cephfs: replace the ClusterRole by a list of ns-scoped Roles

https://gerrit.wikimedia.org/r/1080032

brouberol closed this task as Resolved.Oct 17 2024, 8:14 AM
brouberol moved this task from To Be Deployed to Done on the Data-Platform-SRE (2024.09.28 - 2024.10.18) board.
gerritbot added a comment.Oct 17 2024, 8:48 AM

Change #1077878 merged by Brouberol:

[operations/deployment-charts@master] Define the ceph-csi-cephfs admin_ng helmfile

https://gerrit.wikimedia.org/r/1077878

gerritbot added a comment.Oct 17 2024, 9:13 AM

Change #1081079 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] admin_ng: add the ceph-csi-cephfs helmfile to the list of imported helmfiles

https://gerrit.wikimedia.org/r/1081079

gerritbot added a comment.Oct 17 2024, 9:19 AM

Change #1081079 merged by Brouberol:

[operations/deployment-charts@master] admin_ng: add the ceph-csi-cephfs helmfile to the list of imported helmfiles

https://gerrit.wikimedia.org/r/1081079

gerritbot added a comment.Oct 17 2024, 9:28 AM

Change #1081088 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] ceph-csi-cephfs: avoid name collison with ceph-csi-rbd configmaps

https://gerrit.wikimedia.org/r/1081088

gerritbot added a comment.Oct 17 2024, 9:38 AM

Change #1081088 merged by Brouberol:

[operations/deployment-charts@master] ceph-csi-cephfs: avoid name collison with ceph-csi-rbd configmaps

https://gerrit.wikimedia.org/r/1081088

Maintenance_bot removed a project: Patch-For-Review.Oct 17 2024, 10:31 AM
brouberol closed subtask T376408: Deploy the ceph-csi-cephfs chart to the dse-k8s-cluster as Resolved.Oct 17 2024, 4:08 PM
gerritbot added a comment.Oct 21 2024, 7:52 AM

Change #1081903 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] ceph-csi-cephs: fix RBAC by granting cluster-wide permisions on PVC and storageclasses

https://gerrit.wikimedia.org/r/1081903

gerritbot added a project: Patch-For-Review.Oct 21 2024, 7:52 AM
gerritbot added a comment.Oct 21 2024, 8:04 AM

Change #1081905 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] ceph/server: fix the dse-k8s-csi-cephfs according to the CSI doc

https://gerrit.wikimedia.org/r/1081905

gerritbot added a comment.Oct 21 2024, 8:20 AM

Change #1081903 merged by Brouberol:

[operations/deployment-charts@master] ceph-csi-cephs: fix RBAC by granting cluster-wide permisions on PVC and storageclasses

https://gerrit.wikimedia.org/r/1081903

gerritbot added a comment.Oct 21 2024, 8:24 AM

Change #1081905 merged by Brouberol:

[operations/puppet@production] ceph/server: fix the dse-k8s-csi-cephfs according to the CSI doc

https://gerrit.wikimedia.org/r/1081905

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2024, 8:30 AM
gerritbot added a comment.Oct 21 2024, 8:33 AM

Change #1081911 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] ceph/server: fix typo in caps

https://gerrit.wikimedia.org/r/1081911

gerritbot added a project: Patch-For-Review.Oct 21 2024, 8:33 AM
gerritbot added a comment.Oct 21 2024, 8:35 AM

Change #1081911 merged by Brouberol:

[operations/puppet@production] ceph/server: fix typo in caps

https://gerrit.wikimedia.org/r/1081911

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2024, 9:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits