osd: set blkdevmapper capabilities #9158
See the unit test results, there are a few tests that need to be updated.
@travisn yea I got the failure notification a moment ago. I was looking at those logs but I have no clue what I am looking at and what it has to do with anything being changed here. The one that fails is
(for the record, it passed locally when I did
It may be an intermittent test unrelated, I retriggered the tests now to check...
The unit tests are passing now.
One small request, otherwise LGTM.
The OSD blkdevmapper init container relies on the MKNOD capability, which it does not actually request. As a result, deployments fail on Kubernetes clusters that do not happen to assign this capability to all containers by default.
Solve this by updating the container spec securityContext to explicitly request the capability it relies on.
Closes: #9156
Signed-off-by: Omar Pakker <Omar007@users.noreply.github.com>
osd: set blkdevmapper capabilities (backport #9158)
Description of your changes:
The OSD blkdevmapper init container relies on the MKNOD capability, which it does not actually request.
As a result, deployments fail on Kubernetes clusters that do not happen to assign this capability to all containers by default.
This PR introduces a function that constructs a securityContext tailored to the blkdevmapper use-case instead of relying on the controller.PodSecurityContext function.
This change also implies blkdevmapper will no longer become privileged when ROOK_HOSTPATH_REQUIRES_PRIVILEGED is true but as far as I can tell this should never be happening/needed for the blkdevmapper use-case anyway. (unless I missed something?)
Which issue is resolved by this Pull Request:
Resolves #9156
Checklist:
(make codegen) has been run to update object specifications, if necessary.
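An added example, not code from this PR or from Rook: a simplified Go model of why the init container only worked on clusters whose runtime defaults happen to include MKNOD, and why requesting it in the securityContext removes that dependency. The `Capabilities` type, both default sets and the add/drop resolution order are assumptions made for illustration; real container runtimes may resolve add/drop differently.

```go
package main

import (
	"fmt"
	"sort"
)

// Capabilities is a local stand-in for securityContext.capabilities (not the k8s.io/api type).
type Capabilities struct{ Add, Drop []string }

// Effective is a simplified model: runtime defaults, minus Drop ("ALL" clears the set), plus Add.
func Effective(defaults []string, c Capabilities) []string {
	set := map[string]bool{}
	for _, d := range defaults {
		set[d] = true
	}
	for _, d := range c.Drop {
		if d == "ALL" {
			set = map[string]bool{}
		}
		delete(set, d)
	}
	for _, a := range c.Add {
		set[a] = true
	}
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Has reports whether name is in caps; caps must be sorted, as Effective returns it.
func Has(caps []string, name string) bool {
	i := sort.SearchStrings(caps, name)
	return i < len(caps) && caps[i] == name
}

// Constructed default sets for two hypothetical clusters (not taken from any real runtime).
var DefaultsWithMknod = []string{"CHOWN", "KILL", "MKNOD", "SETGID", "SETUID"}
var DefaultsWithoutMknod = []string{"CHOWN", "KILL", "SETGID", "SETUID"}

func main() {
	explicit := Capabilities{Add: []string{"MKNOD"}} // requests what the container needs
	for _, d := range [][]string{DefaultsWithMknod, DefaultsWithoutMknod} {
		// First column: no capabilities requested. Second column: MKNOD requested explicitly.
		fmt.Println(Has(Effective(d, Capabilities{}), "MKNOD"), Has(Effective(d, explicit), "MKNOD"))
	}
}
```

The same model shows that a least-privilege spec (drop `ALL`, add `MKNOD`) yields exactly one capability regardless of the cluster defaults; the PR text itself only states that MKNOD is requested.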