This can work for both linux and windows
Showing
15 changed files
with
1,316 additions
and
2 deletions.
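--- a/deploy/kubernetes/kustomization/base_setup/controller.yaml
+++ b/deploy/kubernetes/kustomization/base_setup/controller.yaml
@@ -0,0 +1,93 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: csi-gce-pd-controller
+spec:
+  serviceName: "csi-gce-pd"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gcp-compute-persistent-disk-csi-driver
+  template:
+    metadata:
+      labels:
+        app: gcp-compute-persistent-disk-csi-driver
+    spec:
+      # Host network must be used for interaction with Workload Identity in GKE
+      # since it replaces GCE Metadata Server with GKE Metadata Server. Remove
+      # this requirement when issue is resolved and before any exposure of
+      # metrics ports
+      nodeSelector:
+        kubernetes.io/os: linux
+      hostNetwork: true
+      serviceAccountName: csi-gce-pd-controller-sa
+      priorityClassName: csi-gce-pd-controller
+      containers:
+        - name: csi-provisioner
+          image: gke.gcr.io/csi-provisioner
+          args:
+            - "--v=5"
+            - "--csi-address=/csi/csi.sock"
+            - "--feature-gates=Topology=true"
+            - "--metrics-address=:22011"
+            # - "--run-controller-service=false" # disable the controller service of the CSI driver
+            # - "--run-node-service=false" # disable the node service of the CSI driver
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: csi-attacher
+          image: gke.gcr.io/csi-attacher
+          args:
+            - "--v=5"
+            - "--csi-address=/csi/csi.sock"
+            - "--metrics-address=:22012"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: csi-resizer
+          image: gke.gcr.io/csi-resizer
+          args:
+            - "--v=5"
+            - "--csi-address=/csi/csi.sock"
+            - "--metrics-address=:22013"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: csi-snapshotter
+          image: gke.gcr.io/csi-snapshotter
+          args:
+            - "--v=5"
+            - "--csi-address=/csi/csi.sock"
+            - "--metrics-address=:22014"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: gce-pd-driver
+          # Don't change base image without changing pdImagePlaceholder in
+          # test/k8s-integration/main.go
+          image: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
+          args:
+            - "--v=5"
+            - "--endpoint=unix:/csi/csi.sock"
+          env:
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: "/etc/cloud-sa/cloud-sa.json"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: cloud-sa-volume
+              readOnly: true
+              mountPath: "/etc/cloud-sa"
+      volumes:
+        - name: socket-dir
+          emptyDir: {}
+        - name: cloud-sa-volume
+          secret:
+            secretName: cloud-sa
+      # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+      # See "special case". This will tolerate everything. Node component should
+      # be scheduled on all nodes.
+      tolerations:
+        - operator: Exists
+  # This is needed due to https://github.com/kubernetes-sigs/kustomize/issues/504
+  volumeClaimTemplates: []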
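Review bot: The four `--metrics-address=:220xx` flags listen on every interface of the node, because the pod runs with `hostNetwork: true`; the comment above it says host networking must go before any exposure of metrics ports, but with an unqualified bind address the ports are already exposed on the host. Until host networking is dropped, bind them to loopback, e.g. `- "--metrics-address=127.0.0.1:22011"` (and likewise 22012–22014), or remove the flags. All five containers also run at `--v=5`, which in the CSI sidecars is likely to log full API objects and request payloads; with a long-lived service-account key mounted from the `cloud-sa` Secret into this pod, a lower level such as `--v=2` is safer outside of a debugging session. Finally, no container declares a `securityContext`; nothing here is marked privileged, so `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` should be fine for the sidecars and are worth adding while the manifest is new.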
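--- a/deploy/kubernetes/kustomization/base_setup/kustomization.yaml
+++ b/deploy/kubernetes/kustomization/base_setup/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+  k8s-app: gcp-compute-persistent-disk-csi-driver
+namespace:
+  gce-pd-csi-driver
+resources:
+  - controller.yaml
+  - setup-cluster.yaml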
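Review bot: `namespace:` has its value `gce-pd-csi-driver` on the following line, which only parses because it is a continuation of a multi-line plain scalar; at a glance it reads as a key with no value, and any formatter or yamllint `empty-values` check will trip on it. Write it as `namespace: gce-pd-csi-driver` on one line.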
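--- a/deploy/kubernetes/kustomization/base_setup/setup-cluster.yaml
+++ b/deploy/kubernetes/kustomization/base_setup/setup-cluster.yaml
@@ -0,0 +1,246 @@
+##### Node Service Account, Roles, RoleBindings
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-gce-pd-node-sa
+
+---
+##### Controller Service Account, Roles, Rolebindings
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-gce-pd-controller-sa
+
+---
+# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-provisioner-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["get", "list"]
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-controller-provisioner-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
+roleRef:
+  kind: ClusterRole
+  name: csi-gce-pd-provisioner-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-attacher-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-controller-attacher-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
+roleRef:
+  kind: ClusterRole
+  name: csi-gce-pd-attacher-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: csi-gce-pd-controller
+value: 900000000
+globalDefault: false
+description: "This priority class should be used for the GCE PD CSI driver controller deployment only."
+
+---
+
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: csi-gce-pd-node
+value: 900001000
+globalDefault: false
+description: "This priority class should be used for the GCE PD CSI driver node deployment only."
+
+---
+
+# Resizer must be able to work with PVCs, PVs, SCs.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-resizer-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-resizer-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
+roleRef:
+  kind: ClusterRole
+  name: csi-gce-pd-resizer-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: csi-gce-pd-node-psp
+spec:
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  volumes:
+    - '*'
+  hostNetwork: true
+  allowedHostPaths:
+    - pathPrefix: "/var/lib/kubelet/plugins_registry/"
+    - pathPrefix: "/var/lib/kubelet"
+    - pathPrefix: "/var/lib/kubelet/plugins/pd.csi.storage.gke.io/"
+    - pathPrefix: "/dev"
+    - pathPrefix: "/etc/udev"
+    - pathPrefix: "/lib/udev"
+    - pathPrefix: "/run/udev"
+    - pathPrefix: "/sys"
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-node-deploy
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames:
+      - csi-gce-pd-node-psp
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-gce-pd-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-gce-pd-node-deploy
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-node-sa
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-gce-pd-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-gce-pd-node-deploy
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-gce-pd-snapshotter-role
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  # Secrets resource omitted since GCE PD snapshots does not require them
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update"]
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-controller-snapshotter-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
+roleRef:
+  kind: ClusterRole
+  name: csi-gce-pd-snapshotter-role
+  apiGroup: rbac.authorization.k8s.io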
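Review bot: The ClusterRoleBinding `csi-gce-pd-controller` gives `csi-gce-pd-controller-sa` `use` on `csi-gce-pd-node-psp`, a policy that permits `privileged: true`, `volumes: ['*']` and hostPath mounts of `/dev`, `/sys` and `/var/lib/kubelet`, although the controller pod in this commit declares no privileged container and needs only `hostNetwork` plus `secret` and `emptyDir` volumes; PSP `use` is evaluated against the pod's service account, so any pod created under that account inherits the node-level policy. Give the controller its own restrictive PSP and point its binding at that instead, as sketched below. Separately, none of the `allowedHostPaths` entries set `readOnly: true` — the udev and `/sys` paths are presumably only read by the node plugin, so marking them read-only costs nothing — and the bare `/var/lib/kubelet` prefix already subsumes the two `plugins*` entries around it, so either drop those or narrow the broad one. `policy/v1beta1` PodSecurityPolicy is deprecated upstream, so this will need an equivalent Pod Security Admission or policy-engine rule at some point; worth a comment on the PSP.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: csi-gce-pd-controller-psp
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  privileged: false
  allowPrivilegeEscalation: false
  # still required while the controller relies on host networking for
  # GKE Workload Identity (see controller.yaml)
  hostNetwork: true
  volumes:
    - secret
    - emptyDir
---
# … unchanged: csi-gce-pd-node-deploy ClusterRole and csi-gce-pd-node binding …
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-gce-pd-controller-deploy
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - csi-gce-pd-controller-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-controller-deploy
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
```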