Last active
January 15, 2025 08:01
-
-
Save blankdots/551a2babe3ce2927d033f4569ed2b6bd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # This YAML file contains RBAC API objects, | |
| # which are necessary to run csi controller plugin | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: csi-cinder-controller-sa | |
| namespace: kube-system | |
| --- | |
| # external attacher | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-attacher-role | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["persistentvolumes"] | |
| verbs: ["get", "list", "watch", "patch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["csinodes"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["volumeattachments"] | |
| verbs: ["get", "list", "watch", "patch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["volumeattachments/status"] | |
| verbs: ["patch"] | |
| - apiGroups: ["coordination.k8s.io"] | |
| resources: ["leases"] | |
| verbs: ["get", "watch", "list", "delete", "update", "create"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-attacher-binding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: csi-cinder-controller-sa | |
| namespace: kube-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: csi-attacher-role | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| # external Provisioner | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-provisioner-role | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["persistentvolumes"] | |
| verbs: ["get", "list", "watch", "create", "delete", "patch"] | |
| - apiGroups: [""] | |
| resources: ["persistentvolumeclaims"] | |
| verbs: ["get", "list", "watch", "update"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["storageclasses"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["nodes"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["csinodes"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["list", "watch", "create", "update", "patch"] | |
| - apiGroups: ["snapshot.storage.k8s.io"] | |
| resources: ["volumesnapshots"] | |
| verbs: ["get", "list"] | |
| - apiGroups: ["snapshot.storage.k8s.io"] | |
| resources: ["volumesnapshotcontents"] | |
| verbs: ["get", "list"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["volumeattachments"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["coordination.k8s.io"] | |
| resources: ["leases"] | |
| verbs: ["get", "watch", "list", "delete", "update", "create"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-provisioner-binding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: csi-cinder-controller-sa | |
| namespace: kube-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: csi-provisioner-role | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| # external snapshotter | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-snapshotter-role | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["list", "watch", "create", "update", "patch"] | |
| # Secret permission is optional. | |
| # Enable it if your driver needs secret. | |
| # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. | |
| # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. | |
| # - apiGroups: [""] | |
| # resources: ["secrets"] | |
| # verbs: ["get", "list"] | |
| - apiGroups: ["snapshot.storage.k8s.io"] | |
| resources: ["volumesnapshotclasses"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["snapshot.storage.k8s.io"] | |
| resources: ["volumesnapshotcontents"] | |
| verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] | |
| - apiGroups: ["snapshot.storage.k8s.io"] | |
| resources: ["volumesnapshotcontents/status"] | |
| verbs: ["update", "patch"] | |
| - apiGroups: ["coordination.k8s.io"] | |
| resources: ["leases"] | |
| verbs: ["get", "watch", "list", "delete", "update", "create"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-snapshotter-binding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: csi-cinder-controller-sa | |
| namespace: kube-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: csi-snapshotter-role | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| # External Resizer | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-resizer-role | |
| rules: | |
| # The following rule should be uncommented for plugins that require secrets | |
| # for provisioning. | |
| # - apiGroups: [""] | |
| # resources: ["secrets"] | |
| # verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["persistentvolumes"] | |
| verbs: ["get", "list", "watch", "patch"] | |
| - apiGroups: [""] | |
| resources: ["persistentvolumeclaims"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["pods"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: [""] | |
| resources: ["persistentvolumeclaims/status"] | |
| verbs: ["patch"] | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["list", "watch", "create", "update", "patch"] | |
| - apiGroups: ["coordination.k8s.io"] | |
| resources: ["leases"] | |
| verbs: ["get", "watch", "list", "delete", "update", "create"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: csi-resizer-binding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: csi-cinder-controller-sa | |
| namespace: kube-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: csi-resizer-role | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| # This YAML file contains CSI Controller Plugin Sidecars | |
| # external-attacher, external-provisioner, external-snapshotter | |
| # external-resize, liveness-probe | |
| kind: Deployment | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: csi-cinder-controllerplugin | |
| namespace: kube-system | |
| spec: | |
| replicas: 1 | |
| strategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxUnavailable: 0 | |
| maxSurge: 1 | |
| selector: | |
| matchLabels: | |
| app: csi-cinder-controllerplugin | |
| template: | |
| metadata: | |
| labels: | |
| app: csi-cinder-controllerplugin | |
| spec: | |
| serviceAccount: csi-cinder-controller-sa | |
| containers: | |
| - name: csi-attacher | |
| image: registry.k8s.io/sig-storage/csi-attacher:v4.2.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--leader-election=true" | |
| - "--default-fstype=ext4" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: csi-provisioner | |
| image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.1 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--default-fstype=ext4" | |
| - "--extra-create-metadata" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: csi-snapshotter | |
| image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--extra-create-metadata" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: Always | |
| volumeMounts: | |
| - mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| name: socket-dir | |
| - name: csi-resizer | |
| image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--handle-volume-inuse-error=false" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: liveness-probe | |
| image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| volumeMounts: | |
| - mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| name: socket-dir | |
| - name: cinder-csi-plugin | |
| image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3 | |
| args: | |
| - /bin/cinder-csi-plugin | |
| - "--endpoint=$(CSI_ENDPOINT)" | |
| - "--cloud-config=$(CLOUD_CONFIG)" | |
| - "--cluster=$(CLUSTER_NAME)" | |
| - "--v=1" | |
| env: | |
| - name: CSI_ENDPOINT | |
| value: unix://csi/csi.sock | |
| - name: CLOUD_CONFIG | |
| value: /etc/config/cloud.conf | |
| - name: CLUSTER_NAME | |
| value: kubernetes | |
| imagePullPolicy: "IfNotPresent" | |
| ports: | |
| - containerPort: 9808 | |
| name: healthz | |
| protocol: TCP | |
| # The probe | |
| livenessProbe: | |
| failureThreshold: 5 | |
| httpGet: | |
| path: /healthz | |
| port: healthz | |
| initialDelaySeconds: 10 | |
| timeoutSeconds: 10 | |
| periodSeconds: 60 | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /csi | |
| - name: secret-cinderplugin | |
| mountPath: /etc/config | |
| readOnly: true | |
| # - name: cacert | |
| # mountPath: /etc/cacert | |
| # readOnly: true | |
| volumes: | |
| - name: socket-dir | |
| emptyDir: | |
| - name: secret-cinderplugin | |
| secret: | |
| secretName: cloud-config | |
| # - name: cacert | |
| # hostPath: | |
| # path: /etc/cacert | |
| --- | |
| # This YAML file contains CSI Controller Plugin Sidecars | |
| # external-attacher, external-provisioner, external-snapshotter | |
| # external-resize, liveness-probe | |
| kind: Deployment | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: csi-cinder-controllerplugin | |
| namespace: kube-system | |
| spec: | |
| replicas: 1 | |
| strategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxUnavailable: 0 | |
| maxSurge: 1 | |
| selector: | |
| matchLabels: | |
| app: csi-cinder-controllerplugin | |
| template: | |
| metadata: | |
| labels: | |
| app: csi-cinder-controllerplugin | |
| spec: | |
| serviceAccount: csi-cinder-controller-sa | |
| containers: | |
| - name: csi-attacher | |
| image: registry.k8s.io/sig-storage/csi-attacher:v4.7.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--leader-election=true" | |
| - "--default-fstype=ext4" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: csi-provisioner | |
| image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.1 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--default-fstype=ext4" | |
| - "--extra-create-metadata" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: csi-snapshotter | |
| image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--extra-create-metadata" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: Always | |
| volumeMounts: | |
| - mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| name: socket-dir | |
| - name: csi-resizer | |
| image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--timeout=3m" | |
| - "--handle-volume-inuse-error=false" | |
| - "--leader-election=true" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| - name: liveness-probe | |
| image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| env: | |
| - name: ADDRESS | |
| value: /var/lib/csi/sockets/pluginproxy/csi.sock | |
| volumeMounts: | |
| - mountPath: /var/lib/csi/sockets/pluginproxy/ | |
| name: socket-dir | |
| - name: cinder-csi-plugin | |
| image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3 | |
| args: | |
| - /bin/cinder-csi-plugin | |
| - "--endpoint=$(CSI_ENDPOINT)" | |
| - "--cloud-config=$(CLOUD_CONFIG)" | |
| - "--cluster=$(CLUSTER_NAME)" | |
| - "--v=1" | |
| env: | |
| - name: CSI_ENDPOINT | |
| value: unix://csi/csi.sock | |
| - name: CLOUD_CONFIG | |
| value: /etc/config/cloud.conf | |
| - name: CLUSTER_NAME | |
| value: kubernetes | |
| imagePullPolicy: "IfNotPresent" | |
| ports: | |
| - containerPort: 9808 | |
| name: healthz | |
| protocol: TCP | |
| # The probe | |
| livenessProbe: | |
| failureThreshold: 5 | |
| httpGet: | |
| path: /healthz | |
| port: healthz | |
| initialDelaySeconds: 10 | |
| timeoutSeconds: 10 | |
| periodSeconds: 60 | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /csi | |
| - name: secret-cinderplugin | |
| mountPath: /etc/config | |
| readOnly: true | |
| # - name: cacert | |
| # mountPath: /etc/cacert | |
| # readOnly: true | |
| volumes: | |
| - name: socket-dir | |
| emptyDir: | |
| - name: secret-cinderplugin | |
| secret: | |
| secretName: cloud-config | |
| # - name: cacert | |
| # hostPath: | |
| # path: /etc/cacert | |
| --- | |
| # This YAML file contains driver-registrar & csi driver nodeplugin API objects, | |
| # which are necessary to run csi nodeplugin for cinder. | |
| kind: DaemonSet | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: csi-cinder-nodeplugin | |
| namespace: kube-system | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: csi-cinder-nodeplugin | |
| template: | |
| metadata: | |
| labels: | |
| app: csi-cinder-nodeplugin | |
| spec: | |
| tolerations: | |
| - operator: Exists | |
| serviceAccount: csi-cinder-node-sa | |
| hostNetwork: true | |
| containers: | |
| - name: node-driver-registrar | |
| image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 | |
| args: | |
| - "--csi-address=$(ADDRESS)" | |
| - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" | |
| env: | |
| - name: ADDRESS | |
| value: /csi/csi.sock | |
| - name: DRIVER_REG_SOCK_PATH | |
| value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock | |
| - name: KUBE_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| imagePullPolicy: "IfNotPresent" | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /csi | |
| - name: registration-dir | |
| mountPath: /registration | |
| - name: liveness-probe | |
| image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 | |
| args: | |
| - --csi-address=/csi/csi.sock | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /csi | |
| - name: cinder-csi-plugin | |
| securityContext: | |
| privileged: true | |
| capabilities: | |
| add: ["SYS_ADMIN"] | |
| allowPrivilegeEscalation: true | |
| image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.3 | |
| args: | |
| - /bin/cinder-csi-plugin | |
| - "--endpoint=$(CSI_ENDPOINT)" | |
| - "--provide-controller-service=false" | |
| - "--cloud-config=$(CLOUD_CONFIG)" | |
| - "--v=1" | |
| env: | |
| - name: CSI_ENDPOINT | |
| value: unix://csi/csi.sock | |
| - name: CLOUD_CONFIG | |
| value: /etc/config/cloud.conf | |
| imagePullPolicy: "IfNotPresent" | |
| ports: | |
| - containerPort: 9808 | |
| name: healthz | |
| protocol: TCP | |
| # The probe | |
| livenessProbe: | |
| failureThreshold: 5 | |
| httpGet: | |
| path: /healthz | |
| port: healthz | |
| initialDelaySeconds: 10 | |
| timeoutSeconds: 3 | |
| periodSeconds: 10 | |
| volumeMounts: | |
| - name: socket-dir | |
| mountPath: /csi | |
| - name: kubelet-dir | |
| mountPath: /var/lib/kubelet | |
| mountPropagation: "Bidirectional" | |
| - name: pods-probe-dir | |
| mountPath: /dev | |
| mountPropagation: "HostToContainer" | |
| - name: secret-cinderplugin | |
| mountPath: /etc/config | |
| readOnly: true | |
| # - name: cacert | |
| # mountPath: /etc/cacert | |
| # readOnly: true | |
| volumes: | |
| - name: socket-dir | |
| hostPath: | |
| path: /var/lib/kubelet/plugins/cinder.csi.openstack.org | |
| type: DirectoryOrCreate | |
| - name: registration-dir | |
| hostPath: | |
| path: /var/lib/kubelet/plugins_registry/ | |
| type: Directory | |
| - name: kubelet-dir | |
| hostPath: | |
| path: /var/lib/kubelet | |
| type: Directory | |
| - name: pods-probe-dir | |
| hostPath: | |
| path: /dev | |
| type: Directory | |
| - name: secret-cinderplugin | |
| secret: | |
| secretName: cloud-config | |
| # - name: cacert | |
| # hostPath: | |
| # path: /etc/cacert | |
| --- | |
| apiVersion: storage.k8s.io/v1 | |
| kind: CSIDriver | |
| metadata: | |
| name: cinder.csi.openstack.org | |
| spec: | |
| attachRequired: true | |
| podInfoOnMount: true | |
| volumeLifecycleModes: | |
| - Persistent | |
| - Ephemeral |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment