The storageclass-accessor webhook is an HTTP callback which responds to admission requests.
When creating PVC, it will take out the accessor related to this storage class, and the request will be allowed only when all accessors pass the verification.
Users can create accessors and set namespaceSelector to achieve namespace-level management and/or set workspaceSelector to achieve workspace-level management on the storage class which provisions the PVC.
helm install --create-namespace --namespace storageclass-accessor storageclass-accessor main/storageclass-accessorSee the Chart README.md for detailed documentation on the Helm Chart
The guide describes how to deploy a storageclass-accessor webhook to a cluster and provides an example accessor based on csi-qingcloud.
kubectl create -f client/config/crds./deploy/prepare.sh --namespace xyzkubectl apply -f ./deployCreate your accessor according to your needs by referring to Accessor CR and Examples.
Use the kubectl apply command to make the accessor you created operational.
Now you can try to create a PVC. If it is created in a namespace that is not allowed, the following error will be output:
Error from server: error when creating "PVC.yaml": admission webhook "pvc-accessor.storage.kubesphere.io" denied the request: The storageClass: StorageClassName does not allowed CREATE persistentVolumeClaim PVC-NAME in the namespace: TARGET-NS
A complete accessor should have the following fields:
-
spec.storageClassNameThe accessor knows the effective sc according to this field.
-
spec.namespaceSelectorThis field is used to fill in the limit of nameSpace, Including labelSelector and fieldSelector.
-
spec.namespaceSelector.fieldSelectorIt is an array of fieldExpressions that manages whether nameSpace is available through the label of nameSpace.
-
fieldExpressionsIt is an array of fieldRule. Every rule in the array needs to be verified.
labelRulehas the following fields:1.field: String. Required. Currently supports selection through the "Name" and "Status" fields. 2.operator: String. Required. Currently supports selection through the "In" and "NotIn" fields. 2.values: []String. Required. -
spec.namespaceSelector.labelSelectorIt is an array of matchExpressions that manages whether nameSpace is available through the label of nameSpace.
-
spec.namespaceSelector.labelSelector.matchExpressionsIt is an array of labelRule. Every rule in the array needs to be verified.
labelRulehas the following fields:1.key: String. Required. Currently supports selection through the "Name" and "Status" fields. 2.operator: String. Required. Currently supports selection through the "In" and "NotIn" fields. 2.values: []String. Required.
The following few examples of yaml may be helpful for you to design your own accessor.
- Only one
fieldExpression
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: onlyFieldSelector-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1"]After applying this accessor, you can create the PVC of csi-qingcloud only in namespace.name which in this array :["NS1"].
More than one fieldExpressions are allowed in a fieldSelector.
And multiple rules are also allowed in fieldExpressions.
- Multiple
fieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1"]
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS2", "NS3"]You can create the PVC of csi-qingcloud in the following namespace: (nameSpace.Name in ["NS1"]) or (nameSpace.Name in ["NS2", "NS3"]).
- Multiple rules in one
fieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "NotIn"
values: ["NS1", "NS2"]
- field: "Status"
operator: "In"
values: ["Active"]You can create the PVC of csi-qingcloud only in the following namespace: (nameSpace.Name NotIn ["NS1", "NS2"]) and (nameSpace.Status.Status in ["Active"])
It means that the rules in fieldExpressions must be followed at the same time.
- Only one
matchExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: csi-qingcloud-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1", "app2"]This requires nameSpace to have the key "app" label and the value in this array: ["app1", "app2"].
- Multiple
matchExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1", "app2"]
- matchExpressions:
- key: "owner"
operator: "In"
values: ["owner1", "owner2"]You can create the PVC of csi-qingcloud in the following namespace: (have the key "app" label and the value in ["app1", "app2"]) or (have the key "owner" label and the value in ["owner1", "owner2"]).
- Multiple rule in one
FieldExpressions
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: multipleFieldExpressions-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1"]
- key: "role"
operator: "In"
values: ["owner1", "owner2"]You can create the PVC of csi-qingcloud in the following namespace: (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"]).
apiVersion: storage.kubesphere.io/v1alpha1
kind: Accessor
metadata:
name: csi-qingcloud-accessor
spec:
storageClassName: "csi-qingcloud"
namespaceSelector:
fieldSelector:
- fieldExpressions:
- field: "Name"
operator: "In"
values: ["NS1", "NS2"]
- fieldExpressions:
- field: "Status"
operator: "In"
values: ["Active"]
labelSelector:
- matchExpressions:
- key: "app"
operator: "In"
values: ["app1"]
- key: "owner"
operator: "In"
values: ["owner1", "owner2"]
- matchExpressions:
- key: "app"
operator: "In"
values: ["app2", "app3"]It is allowed to create PVC in a namespace that meets one of the following conditions:
- (name in ["NS1", "NS2"]) and (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"])
- (name in ["NS1", "NS2"]) and (have the key "app" label and in the value in ["app2", "app3"])
- (status.Status in ["Active"]) and (have the key "app" label and in the value in ["app1"]) and (have the key "owner" label and the value in ["owner1", "owner2"])
- (status.Status in ["Active"]) and (have the key "app" label and in the value in ["app2", "app3"])