Merge pull request #9191 from Omar007/fix/blkdevmapper-openshift-fall…

…back osd: add privileged support (back) to blkdevmapper securityContext (work-around)
rook · Nov 17, 2021 · 075b82b · 075b82b
2 parents 2d03a8e + 8f90558
commit 075b82b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/pkg/operator/ceph/cluster/osd/spec.go b/pkg/operator/ceph/cluster/osd/spec.go
@@ -777,12 +777,15 @@ func (c *Cluster) getActivateOSDInitContainer(configDir, namespace, osdID string
 // To be able to perform this action, the CAP_MKNOD capability is required.
 // Provide a securityContext which requests the MKNOD capability for the container to function properly.
 func getBlockDevMapperContext() *v1.SecurityContext {
+	privileged := controller.HostPathRequiresPrivileged()
+
 	return &v1.SecurityContext{
 		Capabilities: &v1.Capabilities{
 			Add: []v1.Capability{
 				"MKNOD",
 			},
 		},
+		Privileged: &privileged,
 	}
 }
 

diff --git a/pkg/operator/ceph/controller/spec.go b/pkg/operator/ceph/controller/spec.go
@@ -604,12 +604,13 @@ func (c *daemonConfig) buildAdminSocketCommand() string {
 	return command
 }
 
+func HostPathRequiresPrivileged() bool {
+	return os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true"
+}
+
 // PodSecurityContext detects if the pod needs privileges to run
 func PodSecurityContext() *v1.SecurityContext {
-	privileged := false
-	if os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true" {
-		privileged = true
-	}
+	privileged := HostPathRequiresPrivileged()
 
 	return &v1.SecurityContext{
 		Privileged: &privileged,