diff --git a/deploy/kubernetes-distributed/deploy.sh b/deploy/kubernetes-distributed/deploy.sh index b163aefc5..ae1d80a3f 100755 --- a/deploy/kubernetes-distributed/deploy.sh +++ b/deploy/kubernetes-distributed/deploy.sh @@ -119,9 +119,19 @@ function version_gt() { } +# In addition, the RBAC rules can be overridden separately. +# For snapshotter 2.0+, the directory has changed. +SNAPSHOTTER_RBAC_RELATIVE_PATH="rbac.yaml" +if version_gt $(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-snapshotter "${UPDATE_RBAC_RULES}") "v1.255.255"; then + SNAPSHOTTER_RBAC_RELATIVE_PATH="csi-snapshotter/rbac-csi-snapshotter.yaml" +fi + CSI_PROVISIONER_RBAC_YAML="https://raw.githubusercontent.com/kubernetes-csi/external-provisioner/$(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-provisioner false)/deploy/kubernetes/rbac.yaml" : ${CSI_PROVISIONER_RBAC:=https://raw.githubusercontent.com/kubernetes-csi/external-provisioner/$(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-provisioner "${UPDATE_RBAC_RULES}")/deploy/kubernetes/rbac.yaml} +CSI_SNAPSHOTTER_RBAC_YAML="https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/$(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-snapshotter false)/deploy/kubernetes/${SNAPSHOTTER_RBAC_RELATIVE_PATH}" +: ${CSI_SNAPSHOTTER_RBAC:=https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/$(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-snapshotter "${UPDATE_RBAC_RULES}")/deploy/kubernetes/${SNAPSHOTTER_RBAC_RELATIVE_PATH}} + # Some images are not affected by *_REGISTRY/*_TAG and IMAGE_* variables. # The default is to update unless explicitly excluded. update_image () { 
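Review bot: The command substitution passed to version_gt on the new `if` line is unquoted, so an empty result from rbac_version (for example when the csi-snapshotter image line cannot be found in the YAML) collapses to nothing and version_gt is invoked with `"v1.255.255"` as its only argument; quote it, `if version_gt "$(rbac_version "${BASE_DIR}/hostpath/csi-hostpath-plugin.yaml" csi-snapshotter "${UPDATE_RBAC_RULES}")" "v1.255.255"; then`, and consider failing explicitly when the version comes back empty before the URLs are built from it. A second inconsistency: SNAPSHOTTER_RBAC_RELATIVE_PATH is derived from the possibly-updated version (`"${UPDATE_RBAC_RULES}"`) but is reused in CSI_SNAPSHOTTER_RBAC_YAML, which is built from the pinned version (`false`), so if the two ever straddle the 2.0 boundary the "original" URL names a path that does not exist for that release; harmless with the v6.1.0 pin in this commit, but worth a comment such as `# NOTE: assumes the pinned and the updated snapshotter version are both >= 2.0`. version_gt and rbac_version are defined outside this hunk, so how they handle an empty or pre-release version string is not visible here.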
@@ -135,7 +145,7 @@ run () { # rbac rules echo "applying RBAC rules" -for component in CSI_PROVISIONER; do +for component in CSI_PROVISIONER CSI_SNAPSHOTTER; do eval current="\${${component}_RBAC}" eval original="\${${component}_RBAC_YAML}" if [ "$current" != "$original" ]; then @@ -174,7 +184,7 @@ done # changed via CSI_PROVISIONER_TAG, so we cannot just check for the version currently # listed in the YAML file. case "$CSI_PROVISIONER_TAG" in - *) csistoragecapacities_api=v1beta1;; # we currently always use that version + *) csistoragecapacities_api=v1;; # we currently always use that version esac get_csistoragecapacities=$(kubectl get csistoragecapacities.${csistoragecapacities_api}.storage.k8s.io 2>&1 || true) if echo "$get_csistoragecapacities" | grep -q "the server doesn't have a resource type"; then diff --git a/deploy/kubernetes-distributed/hostpath/csi-hostpath-plugin.yaml b/deploy/kubernetes-distributed/hostpath/csi-hostpath-plugin.yaml index c9404ef89..b37f13ab8 100644 --- a/deploy/kubernetes-distributed/hostpath/csi-hostpath-plugin.yaml +++ b/deploy/kubernetes-distributed/hostpath/csi-hostpath-plugin.yaml 
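Review bot: The switch to `csistoragecapacities_api=v1` raises the minimum cluster version this script supports, because CSIStorageCapacity is only served as storage.k8s.io/v1 on Kubernetes 1.24 and newer, yet the comment on that line still only says "we currently always use that version"; on an older cluster the `kubectl get` that follows will report the resource type as missing, and judging by the grep that case appears to be treated as "capacity tracking unavailable" rather than as an error, so the downgrade would be silent. Make the assumption explicit, e.g. `*) csistoragecapacities_api=v1;; # storage.k8s.io/v1 is served by Kubernetes >= 1.24 only`. The `case` with a single `*)` branch is now dead structure; if per-tag selection is no longer planned, a plain assignment would read more honestly. The code that acts on get_csistoragecapacities continues outside the hunk.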
@@ -1,3 +1,86 @@ +# All of the individual sidecar RBAC roles get bound +# to this account. +kind: ServiceAccount +apiVersion: v1 +metadata: + name: csi-hostpathplugin-sa + namespace: default + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: serviceaccount +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: provisioner-cluster-role + name: csi-hostpathplugin-provisioner-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-provisioner-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: snapshotter-cluster-role + name: csi-hostpathplugin-snapshotter-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-snapshotter-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: provisioner-role + name: csi-hostpathplugin-provisioner-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: external-provisioner-cfg +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: snapshotter-role + name: csi-hostpathplugin-snapshotter-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: external-snapshotter-leaderelection +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- kind: DaemonSet apiVersion: apps/v1 metadata: @@ -22,7 +105,7 @@ spec: app.kubernetes.io/name: csi-hostpathplugin app.kubernetes.io/component: plugin spec: - serviceAccountName: csi-provisioner + serviceAccountName: csi-hostpathplugin-sa containers: - name: csi-provisioner image: registry.k8s.io/sig-storage/csi-provisioner:v3.3.0 @@ -128,6 +211,7 @@ spec: name: csi-data-dir - mountPath: /dev name: dev-dir + - name: liveness-probe volumeMounts: - mountPath: /csi @@ -137,6 +221,27 @@ spec: - --csi-address=/csi/csi.sock - --health-port=9898 + - name: csi-snapshotter + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0 + args: + - -v=5 + - --csi-address=/csi/csi.sock + - --node-deployment + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + volumes: - hostPath: path: /var/lib/kubelet/plugins/csi-hostpath diff --git a/deploy/kubernetes-distributed/hostpath/csi-hostpath-snapshotclass.yaml b/deploy/kubernetes-distributed/hostpath/csi-hostpath-snapshotclass.yaml new file mode 100644 index 000000000..0382f2f67 --- /dev/null +++ b/deploy/kubernetes-distributed/hostpath/csi-hostpath-snapshotclass.yaml 
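Review bot: The new ServiceAccount and both ClusterRoleBinding subjects hard-code `namespace: default`, while the two RoleBindings and their ServiceAccount subjects carry no namespace and therefore follow whatever namespace the manifest is applied into; applying this file anywhere other than default will either be rejected for the namespaced objects that name default explicitly or, if the namespace is rewritten on the way in, leave the ClusterRoleBindings pointing at an account in default that the pod does not use, so provisioning and snapshotting lose their cluster-wide permissions. Pick one convention — either add `namespace: default` to the RoleBinding metadata and subjects too, or drop it everywhere and let the deploy script choose — and say so in the header comment. Binding every sidecar's ClusterRole (external-provisioner-runner and external-snapshotter-runner) to one shared account also means each container in the pod holds the union of both sidecars' cluster-wide permissions, which the header comment should name as a deliberate trade-off, e.g. `# One shared account: every sidecar container gets the union of all roles bound here.` The `serviceAccountName: csi-hostpathplugin-sa` change in the @@ -22 hunk is the consumer of this account and stands or falls with the same namespace choice.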
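Review bot: `privileged: true` on the new csi-snapshotter sidecar is unconditional, but the comment above it justifies it only for SELinux hosts; a privileged container receives all Linux capabilities and host device access, so on non-SELinux clusters this grants a sidecar that only needs the unix socket under /csi far more than it uses. If the other sidecars carry the same setting the pattern is at least consistent (their specs are outside this hunk), but the comment should tell operators the setting can be dropped elsewhere, e.g. `# privileged is needed only on SELinux hosts so the sidecar can reach the driver's socket; set it to false on other systems.` Separately, `-v=5` is debug-level verbosity for a shipped manifest; either lower it or note that it is intentional for this example deployment.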
@@ -0,0 +1,13 @@ +# Usage of the v1 API implies that the cluster must have +# external-snapshotter v4.x installed. +apiVersion: snapshot.storage.k8s.io/v1 +kind: VolumeSnapshotClass +metadata: + name: csi-hostpath-snapclass + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-snapclass + app.kubernetes.io/component: volumesnapshotclass +driver: hostpath.csi.k8s.io #csi-hostpath +deletionPolicy: Delete
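Review bot: The header comment says the v1 API requires "external-snapshotter v4.x", but the DaemonSet in this same commit deploys csi-snapshotter v6.1.0, so the comment reads as if v5 and v6 were excluded when what is needed is the v1 snapshot CRDs, introduced with v4.0 and shipped by every later release; rephrase to `# Usage of the v1 API implies that the cluster must have the snapshot CRDs from external-snapshotter v4.0 or newer installed.` The trailing `#csi-hostpath` after `driver:` carries no information; drop it or say what it refers to. `deletionPolicy: Delete` means that removing a VolumeSnapshot also removes the backing snapshot content, which is appropriate for a hostpath test deployment but a one-line comment stating that this is chosen for cleanup would discourage copying the class into a production manifest unchanged.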