---
# RBAC objects required to run the CSI controller plugin.
#
# Identity used by the controller Deployment. All four ClusterRoleBindings in
# this file name this account as their subject, so a token for it carries the
# union of the attacher, provisioner, snapshotter and resizer roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-cinder-controller-sa
  namespace: kube-system
---
# external-attacher
#
# NOTE(review): a ClusterRole applies in every namespace. The leases rule at
# the end therefore allows create/update/delete on all coordination.k8s.io
# leases in the cluster, not only this sidecar's leader-election lease. A
# namespaced Role and RoleBinding for that one rule is the narrower grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-attacher-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  # Leader election (the sidecar runs with --leader-election=true).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Grants csi-attacher-role cluster-wide to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-attacher-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-cinder-controller-sa
    namespace: kube-system
---
# external-provisioner
#
# NOTE(review): this is the widest role in the file: it can create and delete
# PersistentVolumes cluster-wide. The leases rule at the end is also
# cluster-wide; a namespaced Role for leader election would be narrower.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-provisioner-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Read-only access to snapshot objects.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]
  # Leader election (the sidecar runs with --leader-election=true).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Grants csi-provisioner-role cluster-wide to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-provisioner-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-cinder-controller-sa
    namespace: kube-system
---
# external-snapshotter
#
# NOTE(review): the leases rule at the end is cluster-wide because this is a
# ClusterRole; a namespaced Role for leader election would be narrower.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-snapshotter-role
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Secret permission is optional.
  # Enable it only if the driver needs a secret, for example when
  # `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
  # Enabled in a ClusterRole, this rule would let the account read Secrets in
  # every namespace, so leave it commented out unless it is required.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  # Leader election (the sidecar runs with --leader-election=true).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Grants csi-snapshotter-role cluster-wide to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-snapshotter-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-snapshotter-role
subjects:
  - kind: ServiceAccount
    name: csi-cinder-controller-sa
    namespace: kube-system
---
# external-resizer
#
# NOTE(review): the leases rule at the end is cluster-wide because this is a
# ClusterRole; a namespaced Role for leader election would be narrower.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-resizer-role
rules:
  # Uncomment the following rule only for plugins that require secrets for
  # provisioning. In a ClusterRole it grants read access to Secrets in every
  # namespace.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Leader election (the sidecar runs with --leader-election=true).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Grants csi-resizer-role cluster-wide to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-resizer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-resizer-role
subjects:
  - kind: ServiceAccount
    name: csi-cinder-controller-sa
    namespace: kube-system
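---
# CSI controller plugin and its sidecars: external-attacher,
# external-provisioner, external-snapshotter, external-resizer and
# liveness-probe. All containers talk to the driver over one UNIX socket in
# the shared socket-dir volume.
#
# NOTE(review): this file defines Deployment
# kube-system/csi-cinder-controllerplugin twice. The other copy differs only
# in the csi-attacher tag (v4.7.0 there, v4.2.0 here). When the documents are
# applied in file order the later one is what remains; keep a single copy.
#
# NOTE(review): images are referenced by tag only. Tags can be re-pointed;
# pinning by digest makes the pulled content verifiable.
#
# NOTE(review): no container sets a securityContext, so each runs with the
# runtime's defaults. Confirm which of them can run as non-root with
# allowPrivilegeEscalation disabled before tightening.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csi-cinder-controllerplugin
  namespace: kube-system
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  selector:
    matchLabels:
      app: csi-cinder-controllerplugin
  template:
    metadata:
      labels:
        app: csi-cinder-controllerplugin
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias.
      serviceAccountName: csi-cinder-controller-sa
      containers:
        - name: csi-attacher
          image: registry.k8s.io/sig-storage/csi-attacher:v4.2.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--leader-election=true"
            - "--default-fstype=ext4"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-provisioner
          image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.1
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--default-fstype=ext4"
            - "--extra-create-metadata"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-snapshotter
          image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--extra-create-metadata"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          # The only container here that uses Always; the others use
          # IfNotPresent.
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-resizer
          image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--handle-volume-inuse-error=false"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: liveness-probe
          image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0
          args:
            - "--csi-address=$(ADDRESS)"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: cinder-csi-plugin
          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3
          args:
            - /bin/cinder-csi-plugin
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--cloud-config=$(CLOUD_CONFIG)"
            - "--cluster=$(CLUSTER_NAME)"
            - "--v=1"
          env:
            - name: CSI_ENDPOINT
              value: unix://csi/csi.sock
            - name: CLOUD_CONFIG
              value: /etc/config/cloud.conf
            - name: CLUSTER_NAME
              value: kubernetes
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 9808
              name: healthz
              protocol: TCP
          # Health check on the named port above; presumably answered by the
          # liveness-probe sidecar in the same pod (confirm).
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 60
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            # cloud.conf normally carries the OpenStack credentials; it is
            # mounted read-only and only into this container.
            - name: secret-cinderplugin
              mountPath: /etc/config
              readOnly: true
            # - name: cacert
            #   mountPath: /etc/cacert
            #   readOnly: true
      volumes:
        - name: socket-dir
          # Explicit empty mapping instead of a bare (null) value.
          emptyDir: {}
        - name: secret-cinderplugin
          secret:
            secretName: cloud-config
        # - name: cacert
        #   hostPath:
        #     path: /etc/cacert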
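---
# CSI controller plugin and its sidecars: external-attacher,
# external-provisioner, external-snapshotter, external-resizer and
# liveness-probe. All containers talk to the driver over one UNIX socket in
# the shared socket-dir volume.
#
# NOTE(review): this is the second definition of Deployment
# kube-system/csi-cinder-controllerplugin in this file. The earlier copy
# differs only in the csi-attacher tag (v4.2.0 there, v4.7.0 here). When the
# documents are applied in file order this one is what remains; keep a single
# copy.
#
# NOTE(review): images are referenced by tag only. Tags can be re-pointed;
# pinning by digest makes the pulled content verifiable.
#
# NOTE(review): no container sets a securityContext, so each runs with the
# runtime's defaults. Confirm which of them can run as non-root with
# allowPrivilegeEscalation disabled before tightening.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csi-cinder-controllerplugin
  namespace: kube-system
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  selector:
    matchLabels:
      app: csi-cinder-controllerplugin
  template:
    metadata:
      labels:
        app: csi-cinder-controllerplugin
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias.
      serviceAccountName: csi-cinder-controller-sa
      containers:
        - name: csi-attacher
          image: registry.k8s.io/sig-storage/csi-attacher:v4.7.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--leader-election=true"
            - "--default-fstype=ext4"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-provisioner
          image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.1
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--default-fstype=ext4"
            - "--extra-create-metadata"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-snapshotter
          image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--extra-create-metadata"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          # The only container here that uses Always; the others use
          # IfNotPresent.
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-resizer
          image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--timeout=3m"
            - "--handle-volume-inuse-error=false"
            - "--leader-election=true"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: liveness-probe
          image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0
          args:
            - "--csi-address=$(ADDRESS)"
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: cinder-csi-plugin
          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3
          args:
            - /bin/cinder-csi-plugin
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--cloud-config=$(CLOUD_CONFIG)"
            - "--cluster=$(CLUSTER_NAME)"
            - "--v=1"
          env:
            - name: CSI_ENDPOINT
              value: unix://csi/csi.sock
            - name: CLOUD_CONFIG
              value: /etc/config/cloud.conf
            - name: CLUSTER_NAME
              value: kubernetes
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 9808
              name: healthz
              protocol: TCP
          # Health check on the named port above; presumably answered by the
          # liveness-probe sidecar in the same pod (confirm).
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 60
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            # cloud.conf normally carries the OpenStack credentials; it is
            # mounted read-only and only into this container.
            - name: secret-cinderplugin
              mountPath: /etc/config
              readOnly: true
            # - name: cacert
            #   mountPath: /etc/cacert
            #   readOnly: true
      volumes:
        - name: socket-dir
          # Explicit empty mapping instead of a bare (null) value.
          emptyDir: {}
        - name: secret-cinderplugin
          secret:
            secretName: cloud-config
        # - name: cacert
        #   hostPath:
        #     path: /etc/cacert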
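---
# node-driver-registrar and the Cinder CSI node plugin, run on every node.
#
# NOTE(review): this pod has a large host footprint. It runs on the host
# network, tolerates every taint, and its plugin container is privileged with
# /dev and /var/lib/kubelet mounted from the host. Treat the plugin image and
# the right to modify this DaemonSet as equivalent to root on each node.
#
# NOTE(review): images are referenced by tag only. Tags can be re-pointed;
# pinning by digest makes the pulled content verifiable.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-cinder-nodeplugin
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: csi-cinder-nodeplugin
  template:
    metadata:
      labels:
        app: csi-cinder-nodeplugin
    spec:
      # A toleration with only `operator: Exists` matches every taint, so the
      # pod is also scheduled onto control-plane and otherwise tainted nodes.
      tolerations:
        - operator: Exists
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias.
      # NOTE(review): csi-cinder-node-sa is not defined in this file; pods
      # cannot be created until that ServiceAccount exists in kube-system.
      serviceAccountName: csi-cinder-node-sa
      # The pod shares the node's network namespace, so anything listening on
      # the healthz port (9808) is reachable on the node's interfaces unless
      # it is bound to localhost or firewalled.
      hostNetwork: true
      containers:
        - name: node-driver-registrar
          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
        - name: liveness-probe
          image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0
          args:
            - "--csi-address=/csi/csi.sock"
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
        - name: cinder-csi-plugin
          # privileged already grants every capability and permits privilege
          # escalation, so the two settings after it add nothing. Kubernetes
          # requires a privileged container for the Bidirectional mount
          # propagation used on kubelet-dir below.
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3
          args:
            - /bin/cinder-csi-plugin
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--provide-controller-service=false"
            - "--cloud-config=$(CLOUD_CONFIG)"
            - "--v=1"
          env:
            - name: CSI_ENDPOINT
              value: unix://csi/csi.sock
            - name: CLOUD_CONFIG
              value: /etc/config/cloud.conf
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 9808
              name: healthz
              protocol: TCP
          # Health check on the named port above; presumably answered by the
          # liveness-probe sidecar in the same pod (confirm).
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            # Mounts created under this path inside the container propagate
            # back to the host.
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            # Host /dev: the container can see the node's device nodes.
            - name: pods-probe-dir
              mountPath: /dev
              mountPropagation: "HostToContainer"
            # cloud.conf normally carries the OpenStack credentials; with a
            # DaemonSet that Secret is present on every node running the pod.
            - name: secret-cinderplugin
              mountPath: /etc/config
              readOnly: true
            # - name: cacert
            #   mountPath: /etc/cacert
            #   readOnly: true
      volumes:
        - name: socket-dir
          hostPath:
            path: /var/lib/kubelet/plugins/cinder.csi.openstack.org
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: pods-probe-dir
          hostPath:
            path: /dev
            type: Directory
        - name: secret-cinderplugin
          secret:
            secretName: cloud-config
        # - name: cacert
        #   hostPath:
        #     path: /etc/cacert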
---
# Registers the Cinder driver with the cluster.
#
# NOTE(review): the Ephemeral mode lets a Pod spec request an inline CSI
# volume and pass volumeAttributes straight to the driver. Anyone allowed to
# create Pods can then reach the driver with their own attributes; drop this
# mode, or restrict it with admission policy, if inline volumes are not
# needed.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: cinder.csi.openstack.org
spec:
  attachRequired: true
  podInfoOnMount: true
  volumeLifecycleModes:
    - Persistent
    - Ephemeral