README
¶
storageclass-accessor
Contents
Introduction
The storageclass-accessor webhook is an HTTP callback which responds to admission requests.
When creating PVC, it will take out the accessor related to this storage class, and the request will be allowed only when all accessors pass the verification.
Users can create accessors and set namespaceSelector to achieve namespace-level management and/or set workspaceSelector to achieve workspace-level management on the storage class which provisions the PVC.
Installation
Installation by helm-charts
helm install --create-namespace --namespace storageclass-accessor storageclass-accessor main/storageclass-accessor
See the Chart README.md for detailed documentation on the Helm Chart
Quick start
The guide describes how to deploy a storageclass-accessor webhook to a cluster and provides an example accessor based on csi-qingcloud.
1. Install CRD and CR
kubectl create -f client/config/crds
2. Prepare deployment
./deploy/prepare.sh --namespace xyz
3. Deploy
kubectl apply -f ./deploy
4. Write a CR
Create your accessor according to your needs by referring to Accessor CR and Examples.
5. Apply CR
Use the kubectl apply command to make the accessor you created operational.
6. Test
Now you can try to create a PVC. If it is created in a namespace that is not allowed, the following error will be output:
Error from server: error when creating "PVC.yaml": admission webhook "pvc-accessor.storage.kubesphere.io" denied the request: The storageClass: StorageClassName does not allowed CREATE persistentVolumeClaim PVC-NAME in the namespace: TARGET-NS
Accessor CR
A complete accessor should have the following fields:
-
spec.storageClassNameThe accessor knows the effective sc according to this field.
-
spec.namespaceSelectorThis field is used to fill in the limit of nameSpace, Including labelSelector and fieldSelector.
-
spec.namespaceSelector.fieldSelectorIt is an array of fieldExpressions that manages whether nameSpace is available through the label of nameSpace.
-
fieldExpressionsIt is an array of fieldRule. Every rule in the array needs to be verified.
labelRulehas the following fields:1.field: String. Required. Currently supports selection through the "Name" and "Status" fields. 2.operator: String. Required. Currently supports selection through the "In" and "NotIn" fields. 2.values: []String. Required. -
spec.namespaceSelector.labelSelectorIt is an array of matchExpressions that manages whether nameSpace is available through the label of nameSpace.
-
spec.namespaceSelector.labelSelector.matchExpressionsIt is an array of labelRule. Every rule in the array needs to be verified.
labelRulehas the following fields:1.key: String. Required. Currently supports selection through the "Name" and "Status" fields. 2.operator: String. Required. Currently supports selection through the "In" and "NotIn" fields. 2.values: []String. Required.
Examples
The following few examples of yaml may be helpful for you to design your own accessor.
Only fieldSelector
- Only one
fieldExpression
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: onlyFieldSelector-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1"]
After applying this accessor, you can create the PVC of csi-qingcloud only in namespace.name which in this array :["NS1"].
More than one fieldExpressions are allowed in a fieldSelector.
And multiple rules are also allowed in fieldExpressions.
- Multiple
fieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1"]
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS2", "NS3"]
You can create the PVC of csi-qingcloud in the following namespace: (nameSpace.Name in ["NS1"]) or (nameSpace.Name in ["NS2", "NS3"]).
- Multiple rules in one
fieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "NotIn"
values: ["NS1", "NS2"]
- field: "Status"
operator: "In"
values: ["Active"]
You can create the PVC of csi-qingcloud only in the following namespace: (nameSpace.Name NotIn ["NS1", "NS2"]) and (nameSpace.Status.Status in ["Active"])
It means that the rules in fieldExpressions must be followed at the same time.
Only labelSelector
- Only one
matchExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: csi-qingcloud-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1", "app2"]
This requires nameSpace to have the key "app" label and the value in this array: ["app1", "app2"].
- Multiple
matchExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1", "app2"]
- matchExpressions:
- key: "owner"
operator: "In"
values: ["owner1", "owner2"]
You can create the PVC of csi-qingcloud in the following namespace: (have the key "app" label and the value in ["app1", "app2"]) or (have the key "owner" label and the value in ["owner1", "owner2"]).
- Multiple rule in one
FieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1"]
- key: "role"
operator: "In"
values: ["owner1", "owner2"]
You can create the PVC of csi-qingcloud in the following namespace: (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"]).
Both fieldSelector and labelSelector
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: csi-qingcloud-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1", "NS2"]
- fieldExpressions:
- field: "Status"
operator: "In"
values: ["Active"]
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1"]
- key: "owner"
operator: "In"
values: ["owner1", "owner2"]
- matchExpressions:
- key: "app"
operator: "In"
values: ["app2", "app3"]
It is allowed to create PVC in a namespace that meets one of the following conditions:
- (name in ["NS1", "NS2"]) and (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"])
- (name in ["NS1", "NS2"]) and (have the key "app" label and in the value in ["app2", "app3"])
- (status.Status in ["Active"]) and (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"])
- (status.Status in ["Active"]) and (have the key "app" label and in the value in ["app2", "app3"])
Notice
⚠ Warning: Too many accessors may cause unexpected errors in your webhook. It is recommended that one storage class should correspond to one accessor.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
client
|
|
|
apis/accessor/v1alpha1
Package v1alpha1 contains API Schema definitions for the storage v1alpha1 API group +kubebuilder:object:generate=true +groupName=storage.kubesphere.io
|
Package v1alpha1 contains API Schema definitions for the storage v1alpha1 API group +kubebuilder:object:generate=true +groupName=storage.kubesphere.io |