#################################################################################
# This example first defines the namespaces and RBAC objects the cluster needs.
# The actual Ceph Cluster CRD example is at the bottom of this file.
#################################################################################
# Namespace that holds the Ceph cluster objects declared further down
# (service accounts, Roles, RoleBindings and the CephCluster resource).
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
---
# Namespace that the bindings in this file name as the home of the
# rook-ceph-system service account (the operator).
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph-system
---
# Dedicated identity for the OSD pods. The rook-ceph-osd RoleBinding in this
# file attaches its permissions to this account only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
---
# Dedicated identity for ceph-mgr. The rook-ceph-mgr* RoleBindings in this
# file all name this account as their subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
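---
# Permissions for the OSD pods: read/write access to ConfigMaps in rook-ceph.
kind: Role
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The Role schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
rules:
  # NOTE(review): this rule covers every ConfigMap in the namespace, including
  # delete. If the OSDs only touch a known set of ConfigMaps, get/update/delete
  # could be narrowed with resourceNames -- confirm against the operator.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete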
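---
# Aspects of ceph-mgr that require access to the system namespace
kind: Role
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The Role schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-system
  # The RoleBinding named rook-ceph-mgr-system in this file lives in
  # rook-ceph-system, and a RoleBinding resolves a roleRef of kind Role in its
  # own namespace. The Role therefore has to be created in rook-ceph-system
  # (it was declared in rook-ceph, which left that binding without a target).
  namespace: rook-ceph-system
rules:
  # Read-only access to ConfigMaps; no write verbs are granted here.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch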
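---
# Aspects of ceph-mgr that operate within the cluster's namespace
kind: Role
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The Role schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
rules:
  # Read-only view of pods and services in the cluster namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs:
      - get
      - list
      - watch
  # Full lifecycle control over batch Jobs in the cluster namespace.
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  # NOTE(review): wildcard grant. Every verb on every resource in the
  # ceph.rook.io group, including kinds added to that group later, is allowed
  # to the mgr service account within this namespace. Prefer an explicit list
  # of resources and verbs once the set the mgr modules need is known.
  - apiGroups:
      - ceph.rook.io
    resources:
      - "*"
    verbs:
      - "*"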
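---
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The RoleBinding schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-cluster-mgmt
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # The ClusterRole is not defined in this file. Because it is bound through a
  # RoleBinding, its rules apply only inside rook-ceph, not cluster-wide.
  kind: ClusterRole
  name: rook-ceph-cluster-mgmt
subjects:
  # Cross-namespace subject: the operator's service account lives in
  # rook-ceph-system and is granted rights in rook-ceph.
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph-system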
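---
# Allow the osd pods in this namespace to work with configmaps
kind: RoleBinding
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The RoleBinding schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # Role and binding share the rook-ceph namespace, so the reference resolves.
  kind: Role
  name: rook-ceph-osd
subjects:
  - kind: ServiceAccount
    name: rook-ceph-osd
    namespace: rook-ceph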
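---
# Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
kind: RoleBinding
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The RoleBinding schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # Role and binding share the rook-ceph namespace, so the reference resolves.
  kind: Role
  name: rook-ceph-mgr
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph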
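---
# Allow the ceph mgr to access the rook system resources necessary for the mgr modules
kind: RoleBinding
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The RoleBinding schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-system
  namespace: rook-ceph-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # A roleRef of kind Role is looked up in the binding's own namespace, so a
  # Role named rook-ceph-mgr-system must exist in rook-ceph-system for this
  # grant to take effect.
  kind: Role
  name: rook-ceph-mgr-system
subjects:
  # Cross-namespace subject: the mgr service account lives in rook-ceph and is
  # granted rights in rook-ceph-system.
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph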
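---
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
# NOTE(review): this is a RoleBinding, so the ClusterRole's rules take effect
# only inside rook-ceph. It grants no access to cluster-scoped resources or to
# other namespaces; that would need a ClusterRoleBinding. Confirm which scope is
# intended before widening it.
kind: RoleBinding
# rbac.authorization.k8s.io/v1 is the GA RBAC API; v1beta1 is no longer served
# from Kubernetes 1.22 on. The RoleBinding schema is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-cluster
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # The ClusterRole is not defined in this file.
  kind: ClusterRole
  name: rook-ceph-mgr-cluster
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph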
---
#################################################################################
# The Ceph Cluster CRD example
#################################################################################
apiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
  name: rook-ceph
  namespace: rook-ceph
spec:
  cephVersion:
    # For the latest ceph images, see https://hub.docker.com/r/ceph/ceph/tags
    # NOTE(review): the image is referenced by tag. Tags can be re-pointed, so
    # pinning by digest (ceph/ceph@sha256:<digest-placeholder>) makes the
    # deployed image reproducible.
    image: ceph/ceph:v13.2.4-20190109
  # Path on each node's own filesystem, so it outlives the pods that use it.
  # NOTE(review): presumably holds cluster configuration and state; restrict
  # host-level access to it and confirm what is written there.
  dataDirHostPath: /rook
  # Turns on the Ceph dashboard. NOTE(review): check how the dashboard service
  # is exposed and authenticated before enabling it outside a test cluster.
  dashboard:
    enabled: true
  mon:
    count: 3
    # Lets several mons be scheduled on one node, so losing that node can take
    # out more than one mon. Convenient for small test clusters.
    allowMultiplePerNode: true
  storage:
    # Every node is used for storage, but devices are not claimed automatically.
    useAllNodes: true
    useAllDevices: false
    config:
      # Sizes are quoted so they stay strings rather than YAML integers.
      databaseSizeMB: "1024"
      journalSizeMB: "1024"