Add cephfs deployment rbac yaml files and docs.

ceph/cephfs/README.md

@@ -4,25 +4,30 @@
 
 Using Ceph volume client
 
-# Test instruction
+## Development
 
 Compile the provisioner
-``` console
+```console
 make
 ```
 
 Make the container image and push to the registry
-``` console
+```console
 make push
 ```
 
+## Test instruction
+
 * Start Kubernetes local cluster
 
+See https://kubernetes.io/.
+
 * Create a Ceph admin secret
 
 ```bash
 ceph auth get client.admin 2>&1 |grep "key = " |awk '{print  $3'} |xargs echo -n > /tmp/secret
-kubectl create secret generic ceph-secret-admin --from-file=/tmp/secret --namespace=kube-system
+kubectl create ns cephfs
+kubectl create secret generic ceph-secret-admin --from-file=/tmp/secret --namespace=cephfs
 ```
 
 * Start CephFS provisioner
@@ -32,38 +37,36 @@ The following example uses `cephfs-provisioner-1` as the identity for the instan
 ```bash
 docker run -ti -v /root/.kube:/kube -v /var/run/kubernetes:/var/run/kubernetes --privileged --net=host  cephfs-provisioner /usr/local/bin/cephfs-provisioner -master=http://127.0.0.1:8080 -kubeconfig=/kube/config -id=cephfs-provisioner-1
 ```
-Alternatively, start a deployment:
 
-```bash
-kubectl create -f deployment.yaml
-```
+Alternatively, deploy it in kubernetes, see [deployment](deploy/README.md).
 
 * Create a CephFS Storage Class
 
-Replace Ceph monitor's IP in [class.yaml](class.yaml) with your own and create storage class:
+Replace Ceph monitor's IP in [example/class.yaml](example/class.yaml) with your own and create storage class:
 
 ```bash
-kubectl create -f class.yaml
+kubectl create -f example/class.yaml
 ```
 
 * Create a claim
 
 ```bash
-kubectl create -f claim.yaml
+kubectl create -f example/claim.yaml
 ```
 
 * Create a Pod using the claim
 
 ```bash
-kubectl create -f test-pod.yaml
+kubectl create -f example/test-pod.yaml
 ```
 
 
-# Known limitations
+## Known limitations
 
 * Kernel CephFS doesn't work with SELinux, setting SELinux label in Pod's securityContext will not work.
 * Kernel CephFS doesn't support quota or capacity, capacity requested by PVC is not enforced or validated.
 * Currently each Ceph user created by the provisioner has `allow r` MDS cap to permit CephFS mount.
 
-# Acknowledgement
+## Acknowledgement
+
 Inspired by CephFS Manila provisioner and conversation with John Spray

ceph/cephfs/deploy/README.md

@@ -0,0 +1,22 @@
+# Deployment
+
+## Table of contents
+
+* [Install without RBAC roles](#install-without-rbac-roles)
+* [Install with RBAC roles](#install-with-rbac-roles)
+
+## Install without RBAC roles
+
+```
+cd $GOPATH/src/github.com/kubernetes-incubator/external-storage/ceph/cephfs/deploy
+kubectl apply -f ./non-rbac
+```
+
+## Install with RBAC roles
+
+```
+cd $GOPATH/src/github.com/kubernetes-incubator/external-storage/ceph/cephfs/deploy
+NAMESPACE=cephfs # change this if you want to deploy it in another namespace
+sed -r -i "s/namespace: [^ ]+/namespace: $NAMESPACE/g" ./rbac/*.yaml
+kubectl -n $NAMESPACE apply -f ./rbac
+```

ceph/cephfs/deployment.yaml → ceph/cephfs/deploy/non-rbac/deployment.yaml

@@ -16,10 +16,7 @@ spec:
         image: "quay.io/external_storage/cephfs-provisioner:latest"
         env:
         - name: PROVISIONER_NAME
-          valueFrom:
-            configMapKeyRef:
-              key: provisioner.name
-              name: cephfs-provisioner
+          value: ceph.com/cephfs
         command:
           - "/usr/local/bin/cephfs-provisioner"
         args:

ceph/cephfs/deploy/rbac/clusterrole.yaml

@@ -0,0 +1,18 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]

ceph/cephfs/deploy/rbac/clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs
+subjects:
+  - kind: ServiceAccount
+    name: cephfs-provisioner
+    namespace: cephfs
+roleRef:
+  kind: ClusterRole
+  name: cephfs-provisioner
+  apiGroup: rbac.authorization.k8s.io

ceph/cephfs/deploy/rbac/deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: cephfs-provisioner
+    spec:
+      containers:
+      - name: cephfs-provisioner
+        image: "quay.io/external_storage/cephfs-provisioner:latest"
+        env:
+        - name: PROVISIONER_NAME
+          value: ceph.com/cephfs
+        command:
+        - "/usr/local/bin/cephfs-provisioner"
+        args:
+        - "-id=cephfs-provisioner-1"
+      serviceAccount: cephfs-provisioner

ceph/cephfs/deploy/rbac/role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "get", "delete"]

ceph/cephfs/deploy/rbac/rolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cephfs-provisioner
+subjects:
+- kind: ServiceAccount
+  name: cephfs-provisioner

ceph/cephfs/deploy/rbac/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cephfs-provisioner
+  namespace: cephfs