Configuration for CephRBD dynamic provisioning on kubernetes 1.7

ceph permissions

ceph auth get-or-create client.kube mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=kubernetes' -o /etc/ceph/ceph.client.kube.keyring

gistfile1.txt

apiVersion: v1
kind: Secret
metadata:
  name: ceph-secret
  namespace: kube-system
type: kubernetes.io/rbd
data:
  key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
---
apiVersion: v1
kind: Secret
metadata:
  name: ceph-secret-user
type: kubernetes.io/rbd
data:
  key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rbd
provisioner: ceph.com/rbd
parameters:
  monitors: 10.168.170.99:6789
  adminId: admin
  adminSecretName: ceph-secret
  adminSecretNamespace: kube-system
  pool: kubernetes
  userId: kube
  userSecretName: ceph-secret-user
  imageFormat: "2"
  imageFeatures: layering
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: rbd-provisioner
  namespace: kube-system
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: rbd-provisioner
    spec:
      containers:
      - name: rbd-provisioner
        image: "quay.io/external_storage/rbd-provisioner:latest"
        env:
        - name: PROVISIONER_NAME
          value: ceph.com/rbd
      serviceAccountName: persistent-volume-binder

Hello Rob,
Nice snippet. I followed it to create a rbd-provisioner pod but the PVC was stuck in the state - Pending. When I checked the container logs, i found this :
E0820 15:52:06.434456 1 leaderelection.go:268] Failed to update lock: endpoints "ceph.com-rbd" is forbidden: User "system:serviceaccount:kube-system:persistent-volume-binder" cannot update endpoints in the namespace "kube-system"
Can you help me with this? :)