- Ceph-csi Upgrade
In some scenarios there is an issue in the CSI driver that will cause application pods to be disconnected from their mounts when the CSI driver is restarted. Since the upgrade would cause the CSI driver to restart if it is updated, you need to be aware of whether this affects your applications. This issue will happen when using the Ceph fuse client.
If you provision volumes for CephFS and have a kernel less than version 4.17, the CSI driver will fall back to use the FUSE client.
If you are affected by this issue, you will need to proceed carefully during the upgrade to restart your application pods. The recommended step is to modify the update strategy of the CSI nodeplugin daemonsets to OnDelete so that you can control when the CSI driver pods are restarted on each node.
To avoid this issue in future upgrades, we recommend that you do not use the fuse client as of now.
This guide will walk you through the steps to upgrade the software in a cluster from v3.8 to v3.9
Its kubernetes distributor responsibility to install new snapshot controller and snapshot CRD. more info can be found here
| Snapshot API version | Kubernetes Version | Snapshot-Controller + CRDs Version | Sidecar Version |
|---|---|---|---|
| v1beta1 | v1.17 =< k8s < v1.20 | v2.x =< snapshot-controller < v4.x | sidecar >= v2.x |
| v1 | k8s >= v1.20 | snapshot-controller >= v4.x | sidecar >= v2.x |
Note: We recommend to use {sidecar, controller, crds} of same version
To upgrade from previous releases, refer to the following:
- upgrade-from-v3.2-v3.3 to upgrade from cephcsi v3.2 to v3.3
- upgrade-from-v3.3-v3.4 to upgrade from cephcsi v3.3 to v3.4
- upgrade-from-v3.4-v3.5 to upgrade from cephcsi v3.4 to v3.5
- upgrade-from-v3.5-v3.6 to upgrade from cephcsi v3.5 to v3.6
- upgrade-from-v3.6-v3.7 to upgrade from cephcsi v3.6 to v3.7
- upgrade-from-v3.7-v3.8 to upgrade from cephcsi v3.7 to v3.8
Ceph-csi releases from devel are expressly unsupported. It is strongly recommended that you use official releases of Ceph-csi. Unreleased versions from the devel branch are subject to changes and incompatibilities that will not be supported in the official releases. Builds from the devel branch can have functionality changed and even removed at any time without compatibility support and without prior notice.
Also, we do not recommend any direct upgrades to 3.9 except from 3.8 to 3.9. For example, upgrading from 3.7 to 3.9 is not recommended.
git checkout v3.9.0 tag
git clone https://github.com/ceph/ceph-csi.git
cd ./ceph-csi
git checkout v3.9.0Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl applyNote: While upgrading please Ignore above warning messages from kubectl output
If existing cephfs storageclasses' MountOptions are set, please refer to
modifying mount options
section.
Upgrading cephfs csi includes upgrade of cephfs driver and as well as
kubernetes sidecar containers and also the permissions required for the
kubernetes sidecar containers, lets upgrade the things one by one
Upgrade provisioner resources include updating the provisioner RBAC and Provisioner deployment
$ kubectl apply -f deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
serviceaccount/cephfs-csi-provisioner configured
clusterrole.rbac.authorization.k8s.io/cephfs-external-provisioner-runner configured
clusterrole.rbac.authorization.k8s.io/cephfs-external-provisioner-runner-rules configured
clusterrolebinding.rbac.authorization.k8s.io/cephfs-csi-provisioner-role configured
role.rbac.authorization.k8s.io/cephfs-external-provisioner-cfg configured
rolebinding.rbac.authorization.k8s.io/cephfs-csi-provisioner-role-cfg configured$ kubectl apply -f deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml
service/csi-cephfsplugin-provisioner configured
deployment.apps/csi-cephfsplugin-provisioner configuredwait for the deployment to complete
$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
csi-cephfsplugin-provisioner 3/3 1 3 104mdeployment UP-TO-DATE value must be same as READY
Upgrading nodeplugin resources include updating the nodeplugin RBAC and nodeplugin daemonset
$ kubectl apply -f deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
serviceaccount/cephfs-csi-nodeplugin configuredIf you determined in Pre-upgrade considerations that you were affected by the CSI driver restart issue that disconnects the application pods from their mounts, continue with this section. Otherwise, you can skip to step 2.2
vi deploy/cephfs/kubernetes/csi-cephfsplugin.yamlkind: DaemonSet
apiVersion: apps/v1
metadata:
name: csi-cephfsplugin
spec:
selector:
matchLabels:
app: csi-cephfsplugin
updateStrategy:
type: OnDelete
template:
metadata:
labels:
app: csi-cephfsplugin
spec:
serviceAccountName: cephfs-csi-nodepluginin the above template we have added updateStrategy and its type to the
daemonset spec
$ kubectl apply -f deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
daemonset.apps/csi-cephfsplugin configured
service/csi-metrics-cephfsplugin configuredIf you determined in Pre-upgrade considerations that you were affected by the CSI driver restart issue that disconnects the application pods from their mounts, continue with this section. Otherwise, you can skip this section.
As we have set the updateStrategy to OnDelete the CSI driver pods will not be updated until you delete them manually. This allows you to control when your application pods will be affected by the CSI driver restart.
For each node:
- Drain your application pods from the node
- Delete the CSI driver pods on the node
- The pods to delete will be named with a csi-cephfsplugin prefix and have a random suffix on each node. However, no need to delete the provisioner pods: csi-cephfsplugin-provisioner-* .
- The pod deletion causes the pods to be restarted and updated automatically on the node.
CephCSI, starting from release v3.9.0, will pass the options specified in the
StorageClass's MountOptions during both NodeStageVolume (kernel cephfs or
ceph-fuse mount operation) and NodePublishVolume (bind mount) operations.
Therefore, only common options that is acceptable during both the above
described operations needs to be set in StorageClass's MountOptions.
If invalid mount options are set in StorageClass's MountOptions
such as "debug", the mounting of cephFS PVCs will fail.
Follow the below steps to update the StorageClass's MountOptions:
- Take a backup of the StorageClass using
kubectl get sc <storageclass-name> -o yaml > sc.yaml. - Edit
sc.yamlto remove the invalid mount options fromMountOptionsfield. - Delete the StorageClass using
kubectl delete sc <storageclass-name>. - Recreate the StorageClass using
kubectl create -f sc.yaml.
Follow the below steps to update the PersistentVolume's MountOptions:
- Identify cephFS PersistentVolumes using
kubectl get pv | grep <storageclass-name>. - and remove invalid mount options from
MountOptionsfield in the PersistentVolume's usingkubectl edit pv <pv-name>.
As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP support for CephFS is removed.
kubectl delete psp cephfs-csi-provisioner-psp --ignore-not-found
kubectl delete role cephfs-csi-provisioner-psp --ignore-not-found
kubectl delete rolebinding cephfs-csi-provisioner-psp --ignore-not-found
kubectl delete psp cephfs-csi-nodeplugin-psp --ignore-not-found
kubectl delete role cephfs-csi-nodeplugin-psp --ignore-not-found
kubectl delete rolebinding cephfs-csi-nodeplugin-psp --ignore-not-foundwe have successfully upgraded cephfs csi from v3.8 to v3.9
Upgrading rbd csi includes upgrade of rbd driver and as well as kubernetes sidecar containers and also the permissions required for the kubernetes sidecar containers, lets upgrade the things one by one
Upgrading provisioner resources include updating the provisioner RBAC and Provisioner deployment
$ kubectl apply -f deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
serviceaccount/rbd-csi-provisioner configured
clusterrole.rbac.authorization.k8s.io/rbd-external-provisioner-runner configured
clusterrole.rbac.authorization.k8s.io/rbd-external-provisioner-runner-rules configured
clusterrolebinding.rbac.authorization.k8s.io/rbd-csi-provisioner-role configured
role.rbac.authorization.k8s.io/rbd-external-provisioner-cfg configured
rolebinding.rbac.authorization.k8s.io/rbd-csi-provisioner-role-cfg configured$ kubectl apply -f deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml
service/csi-rbdplugin-provisioner configured
deployment.apps/csi-rbdplugin-provisioner configuredwait for the deployment to complete
$ kubectl get deployments
NAME READY UP-TO-DATE AVAILABLE AGE
csi-rbdplugin-provisioner 3/3 3 3 139mdeployment UP-TO-DATE value must be same as READY
Upgrading nodeplugin resources include updating the nodeplugin RBAC and nodeplugin daemonset
$ kubectl apply -f deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
serviceaccount/rbd-csi-nodeplugin configured
clusterrole.rbac.authorization.k8s.io/rbd-csi-nodeplugin configured
clusterrole.rbac.authorization.k8s.io/rbd-csi-nodeplugin-rules configured
clusterrolebinding.rbac.authorization.k8s.io/rbd-csi-nodeplugin configured$ kubectl apply -f deploy/rbd/kubernetes/csi-rbdplugin.yaml
daemonset.apps/csi-rbdplugin configured
service/csi-metrics-rbdplugin configuredAs PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP support for RBD is removed.
kubectl delete psp rbd-csi-provisioner-psp --ignore-not-found
kubectl delete role rbd-csi-provisioner-psp --ignore-not-found
kubectl delete rolebinding rbd-csi-provisioner-psp --ignore-not-found
kubectl delete psp rbd-csi-nodeplugin-psp --ignore-not-found
kubectl delete role rbd-csi-nodeplugin-psp --ignore-not-found
kubectl delete rolebinding rbd-csi-nodeplugin-psp --ignore-not-found
kubectl delete psp rbd-csi-vault-token-review-psp --ignore-not-found
kubectl delete role rbd-csi-vault-token-review-psp --ignore-not-found
kubectl delete rolebinding rbd-csi-vault-token-review-psp --ignore-not-foundwe have successfully upgraded RBD csi from v3.8 to v3.9
Upgrading nfs csi includes upgrade of nfs driver and as well as kubernetes sidecar containers and also the permissions required for the kubernetes sidecar containers, lets upgrade the things one by one
Upgrade provisioner resources include updating the provisioner RBAC and Provisioner deployment
$ kubectl apply -f deploy/nfs/kubernetes/csi-provisioner-rbac.yaml
serviceaccount/nfs-csi-provisioner configured
clusterrole.rbac.authorization.k8s.io/nfs-external-provisioner-runner configured
clusterrolebinding.rbac.authorization.k8s.io/nfs-csi-provisioner-role configured
role.rbac.authorization.k8s.io/nfs-external-provisioner-cfg configured
rolebinding.rbac.authorization.k8s.io/nfs-csi-provisioner-role-cfg configured$ kubectl apply -f deploy/nfs/kubernetes/csi-nfsplugin-provisioner.yaml
service/csi-nfsplugin-provisioner configured
deployment.apps/csi-nfsplugin-provisioner configuredwait for the deployment to complete
$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
csi-nfsplugin-provisioner 5/5 1 5 104mdeployment UP-TO-DATE value must be same as READY
Upgrading nodeplugin resources include updating the nodeplugin RBAC and nodeplugin daemonset
$ kubectl apply -f deploy/nfs/kubernetes/csi-nodeplugin-rbac.yaml
serviceaccount/nfs-csi-nodeplugin configured$ kubectl apply -f deploy/nfs/kubernetes/csi-nfsplugin.yaml
daemonset.apps/csi-nfsplugin configured
service/csi-metrics-nfsplugin configuredwe have successfully upgraded nfs csi from v3.8 to v3.9
With 3.2.0 version of ceph-csi we have updated the versions of CSI sidecar containers. These versions are generally compatible with kubernetes version>=1.17 but based on the kubernetes version you are using, you need to update the templates with required sidecar versions. You also might need to update or remove a few arguments based on the sidecar versions you are using. Refer sidecar-compatibility for more details.