diff --git a/.prow.sh b/.prow.sh index f320f123..34e7d04f 100755 --- a/.prow.sh +++ b/.prow.sh @@ -31,7 +31,7 @@ CSI_PROW_TESTS_SANITY="sanity" # # See: https://github.com/kubernetes-csi/csi-driver-host-path/pull/581#issuecomment-2634529098 # See: https://github.com/kubernetes-csi/external-resizer/blob/20072c0fdf8baaf919ef95d6e918538ba9d84eaf/.prow.sh -export CSI_PROW_E2E_VERSION="release-1.31" +export CSI_PROW_E2E_VERSION="release-1.34" . release-tools/prow.sh diff --git a/deploy/kubernetes-1.34-test/README.md b/deploy/kubernetes-1.34-test/README.md new file mode 100644 index 00000000..409bd148 --- /dev/null +++ b/deploy/kubernetes-1.34-test/README.md @@ -0,0 +1,10 @@ +The deployment for Kubernetes 1.30 uses the CSI snapshotter sidecar +4.x and thus is incompatible with Kubernetes clusters where older +snapshotter CRDs are installed. + +It uses separate pods and service accounts for each sidecar. This is +not how they would normally be deployed. It gets done this way to test +that the individual RBAC rules are correct. + +The health-monitor-agent is no longer getting deployed because its +functionality was moved into kubelet in Kubernetes 1.21. diff --git a/deploy/kubernetes-1.34-test/deploy.sh b/deploy/kubernetes-1.34-test/deploy.sh new file mode 120000 index 00000000..589c43f6 --- /dev/null +++ b/deploy/kubernetes-1.34-test/deploy.sh @@ -0,0 +1 @@ +../util/deploy-hostpath.sh \ No newline at end of file diff --git a/deploy/kubernetes-1.34-test/destroy.sh b/deploy/kubernetes-1.34-test/destroy.sh new file mode 120000 index 00000000..c6689435 --- /dev/null +++ b/deploy/kubernetes-1.34-test/destroy.sh @@ -0,0 +1 @@ +../util/destroy-hostpath.sh \ No newline at end of file diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-attacher.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-attacher.yaml new file mode 100644 index 00000000..f9aacc5d --- /dev/null +++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-attacher.yaml 
@@ -0,0 +1,57 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: csi-hostpath-attacher
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-attacher
+ app.kubernetes.io/component: attacher
+spec:
+ serviceName: "csi-hostpath-attacher"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-attacher
+ app.kubernetes.io/component: attacher
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-attacher
+ app.kubernetes.io/component: attacher
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - hostpath.csi.k8s.io
+ topologyKey: kubernetes.io/hostname
+ serviceAccountName: csi-attacher
+ containers:
+ - name: csi-attacher
+ image: registry.k8s.io/sig-storage/csi-attacher:v4.8.0
+ args:
+ - --v=5
+ - --csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-hostpath
+ type: DirectoryOrCreate
+ name: socket-dir
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-driverinfo.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-driverinfo.yaml
new file mode 100644
index 00000000..0250a52c
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-driverinfo.yaml
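Review bot: `privileged: true` on the csi-attacher container grants much more than the comment directly above it asks for, which is access to the driver's Unix socket on SELinux hosts. A privileged container also receives all capabilities and host device access, so a defect in the sidecar is no longer contained by the container boundary. A narrower setting such as `seLinuxOptions:` with `type: spc_t` in the same `securityContext` may be enough; that needs confirming on an SELinux node before the flag is replaced. The same block is repeated in the provisioner, resizer, snapshotter and socat manifests of this directory and in the combined pod under deploy/kubernetes-1.34.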
@@ -0,0 +1,20 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: hostpath.csi.k8s.io
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: hostpath.csi.k8s.io
+ app.kubernetes.io/component: csi-driver
+spec:
+ # Supports persistent and ephemeral inline volumes.
+ volumeLifecycleModes:
+ - Persistent
+ - Ephemeral
+ # To determine at runtime which mode a volume uses, pod info and its
+ # "csi.storage.k8s.io/ephemeral" entry are needed.
+ podInfoOnMount: true
+ # Kubernetes may use fsGroup to change permissions and ownership
+ # of the volume to match user requested fsGroup in the pod's SecurityPolicy
+ fsGroupPolicy: File
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-plugin.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-plugin.yaml
new file mode 100644
index 00000000..0071e998
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-plugin.yaml
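Review bot: The comment above `fsGroupPolicy: File` refers to "the pod's SecurityPolicy", which is not a pod field; fsGroup is requested through the pod's `securityContext`. I would reword the second comment line to `# of the volume to match the fsGroup requested in the pod's securityContext`. The identical comment is added again in deploy/kubernetes-1.34/hostpath/csi-hostpath-driverinfo.yaml.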
@@ -0,0 +1,150 @@ +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-hostpathplugin + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin +spec: + serviceName: "csi-hostpathplugin" + # One replica only: + # Host path driver only works when everything runs + # on a single node. We achieve that by starting it once and then + # co-locate all other pods via inter-pod affinity + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin + template: + metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin + spec: + serviceAccountName: csi-external-health-monitor-controller + containers: + - name: hostpath + image: registry.k8s.io/sig-storage/hostpathplugin:v1.15.0 + args: + - "--drivername=hostpath.csi.k8s.io" + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + ports: + - containerPort: 9898 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 2 + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /var/lib/kubelet/plugins + mountPropagation: Bidirectional + name: plugins-dir + - mountPath: /csi-data-dir + name: csi-data-dir + - mountPath: /dev + name: dev-dir + + - name: 
liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: registry.k8s.io/sig-storage/livenessprobe:v2.15.0 + args: + - --csi-address=/csi/csi.sock + - --health-port=9898 + + - name: csi-external-health-monitor-controller + image: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.14.0 + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: socket-dir + mountPath: /csi + + - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0 + args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - mountPath: /csi-data-dir + name: csi-data-dir + + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/csi-hostpath + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/pods + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet/plugins + type: Directory + name: plugins-dir + - hostPath: + # 'path' is where PV data is persisted on host. + # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot + path: /var/lib/csi-hostpath-data/ + type: DirectoryOrCreate + name: csi-data-dir + - hostPath: + path: /dev + type: Directory + name: dev-dir 
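Review bot: The image tags in this new 1.34-test pod lag the ones the same commit uses under deploy/kubernetes-1.34: `hostpathplugin:v1.15.0` here against `v1.17.0` there, `livenessprobe:v2.15.0` against `v2.17.0`, `csi-external-health-monitor-controller:v0.14.0` against `v0.16.0`, and `csi-node-driver-registrar:v2.13.0` against `v2.15.0`. The other 1.34-test manifests show the same gap (csi-attacher v4.8.0 against v4.10.0, csi-provisioner v5.2.0 against v6.0.0, csi-resizer v1.13.1 against v2.0.0, csi-snapshotter v8.2.0 against v8.4.0). If the directory was copied from an earlier release this looks unintended, and it means the per-sidecar RBAC test deployment exercises older images than the ones shipped for 1.34; either bump the tags or state in the README why they differ.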
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-provisioner.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-provisioner.yaml
new file mode 100644
index 00000000..6e341a0c
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-provisioner.yaml
@@ -0,0 +1,57 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: csi-hostpath-provisioner
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-provisioner
+ app.kubernetes.io/component: provisioner
+spec:
+ serviceName: "csi-hostpath-provisioner"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-provisioner
+ app.kubernetes.io/component: provisioner
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-provisioner
+ app.kubernetes.io/component: provisioner
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - hostpath.csi.k8s.io
+ topologyKey: kubernetes.io/hostname
+ serviceAccountName: csi-provisioner
+ containers:
+ - name: csi-provisioner
+ image: registry.k8s.io/sig-storage/csi-provisioner:v5.2.0
+ args:
+ - -v=5
+ - --csi-address=/csi/csi.sock
+ - --feature-gates=Topology=true
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-hostpath
+ type: DirectoryOrCreate
+ name: socket-dir
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-resizer.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-resizer.yaml
new file mode 100644
index 00000000..c9ca187d
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-resizer.yaml
@@ -0,0 +1,56 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: csi-hostpath-resizer
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-resizer
+ app.kubernetes.io/component: resizer
+spec:
+ serviceName: "csi-hostpath-resizer"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-resizer
+ app.kubernetes.io/component: resizer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-resizer
+ app.kubernetes.io/component: resizer
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - hostpath.csi.k8s.io
+ topologyKey: kubernetes.io/hostname
+ serviceAccountName: csi-resizer
+ containers:
+ - name: csi-resizer
+ image: registry.k8s.io/sig-storage/csi-resizer:v1.13.1
+ args:
+ - -v=5
+ - -csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-hostpath
+ type: DirectoryOrCreate
+ name: socket-dir
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotclass.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotclass.yaml
new file mode 100644
index 00000000..0382f2f6
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotclass.yaml
@@ -0,0 +1,13 @@
+# Usage of the v1 API implies that the cluster must have
+# external-snapshotter v4.x installed.
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+ name: csi-hostpath-snapclass
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-snapclass
+ app.kubernetes.io/component: volumesnapshotclass
+driver: hostpath.csi.k8s.io #csi-hostpath
+deletionPolicy: Delete
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotter.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotter.yaml
new file mode 100644
index 00000000..29901edb
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-snapshotter.yaml
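Review bot: The header comment still says the cluster must have external-snapshotter v4.x installed, while the snapshotter sidecar added by this commit is `csi-snapshotter:v8.2.0` (v8.4.0 under deploy/kubernetes-1.34). Someone working out CRD and controller compatibility from this comment would pick the wrong release. I would state the requirement without a stale version, e.g. `# Usage of the v1 API implies that the cluster must have the v1 VolumeSnapshot CRDs and snapshot controller installed.` The same comment is added in deploy/kubernetes-1.34/hostpath/csi-hostpath-snapshotclass.yaml.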
@@ -0,0 +1,56 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: csi-hostpath-snapshotter
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-snapshotter
+ app.kubernetes.io/component: snapshotter
+spec:
+ serviceName: "csi-hostpath-snapshotter"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-snapshotter
+ app.kubernetes.io/component: snapshotter
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-snapshotter
+ app.kubernetes.io/component: snapshotter
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - hostpath.csi.k8s.io
+ topologyKey: kubernetes.io/hostname
+ serviceAccountName: csi-snapshotter
+ containers:
+ - name: csi-snapshotter
+ image: registry.k8s.io/sig-storage/csi-snapshotter:v8.2.0
+ args:
+ - -v=5
+ - --csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-hostpath
+ type: DirectoryOrCreate
+ name: socket-dir
diff --git a/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-testing.yaml b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-testing.yaml
new file mode 100644
index 00000000..4fec38f0
--- /dev/null
+++ b/deploy/kubernetes-1.34-test/hostpath/csi-hostpath-testing.yaml
@@ -0,0 +1,85 @@ +# WARNING: this is only for testing purposes. Do not install in a production +# cluster. +# +# This exposes the hostpath's Unix domain csi.sock as a TCP port to the +# outside world. The mapping from Unix domain socket to TCP is done +# by socat. +# +# This is useful for testing with csi-sanity or csc. + +apiVersion: v1 +kind: Service +metadata: + name: hostpath-service + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-socat + app.kubernetes.io/component: socat +spec: + type: NodePort + selector: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-socat + app.kubernetes.io/component: socat + ports: + - port: 10000 # fixed port inside the pod, dynamically allocated port outside +--- +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-hostpath-socat + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-socat + app.kubernetes.io/component: socat +spec: + serviceName: "csi-hostpath-socat" + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-socat + app.kubernetes.io/component: socat + template: + metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-socat + app.kubernetes.io/component: socat + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - hostpath.csi.k8s.io + topologyKey: kubernetes.io/hostname + containers: + - name: socat + image: registry.k8s.io/sig-storage/hostpathplugin:v1.15.0 + command: + - 
socat + args: + - tcp-listen:10000,fork,reuseaddr + - unix-connect:/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/csi-hostpath + type: DirectoryOrCreate + name: socket-dir diff --git a/deploy/kubernetes-1.34-test/test-driver.yaml b/deploy/kubernetes-1.34-test/test-driver.yaml new file mode 100644 index 00000000..53d66932 --- /dev/null +++ b/deploy/kubernetes-1.34-test/test-driver.yaml @@ -0,0 +1,25 @@ +# This file describes how to test this deployment of the CSI hostpath driver +# using the Kubernetes 1.17 E2E test suite. For details see: +# https://github.com/kubernetes/kubernetes/tree/v1.17.0/test/e2e/storage/external + +StorageClass: + FromName: true +SnapshotClass: + FromName: true +DriverInfo: + Name: hostpath.csi.k8s.io + SupportedSizeRange: + Min: 1Mi + Capabilities: + block: true + controllerExpansion: true + exec: true + multipods: true + nodeExpansion: true + persistence: true + singleNodeVolume: true + snapshotDataSource: true + topology: true + FSResizeFromSourceNotSupported: true +InlineVolumes: +- shared: true diff --git a/deploy/kubernetes-1.34/README.md b/deploy/kubernetes-1.34/README.md new file mode 100644 index 00000000..fd27efb2 --- /dev/null +++ b/deploy/kubernetes-1.34/README.md @@ -0,0 +1,6 @@ +The deployment for Kubernetes 1.29 uses the CSI snapshotter sidecar +4.x and thus is incompatible with Kubernetes clusters where older +snapshotter CRDs are installed. + +The health-monitor-agent is no longer getting deployed because its +functionality was moved into kubelet in Kubernetes 1.21. diff --git a/deploy/kubernetes-1.34/deploy.sh b/deploy/kubernetes-1.34/deploy.sh new file mode 120000 index 00000000..589c43f6 --- /dev/null 
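Review bot: The Service is `type: NodePort` and socat listens with `tcp-listen:10000,fork,reuseaddr`, so the driver's CSI socket, which has no authentication of its own as far as this manifest shows, becomes reachable on every node address, and the relay container itself runs `privileged: true`. The header warns against production use, but on a shared CI cluster it is still worth keeping the port off the node network; `type: ClusterIP` with a port-forward from the test runner would do, provided the sanity job can be adapted (its configuration is not visible here). At minimum I would extend the header with `# The CSI endpoint is unauthenticated: anything that can reach the NodePort can issue CSI calls to the privileged driver.` The deploy/kubernetes-1.34 copy of this file has the same setup.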
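Review bot: The header comment of test-driver.yaml describes testing with "the Kubernetes 1.17 E2E test suite" and links to the v1.17.0 tree, but the file is added under kubernetes-1.34-test and `.prow.sh` in this commit selects `release-1.34`. I would drop the version from the sentence, `# using the Kubernetes E2E test suite. For details see:`, and point the link at the test/e2e/storage/external directory of the matching release so the documented driver options line up with the suite that is actually run.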
+++ b/deploy/kubernetes-1.34/deploy.sh
@@ -0,0 +1 @@
+../util/deploy-hostpath.sh
\ No newline at end of file
diff --git a/deploy/kubernetes-1.34/destroy.sh b/deploy/kubernetes-1.34/destroy.sh
new file mode 120000
index 00000000..c6689435
--- /dev/null
+++ b/deploy/kubernetes-1.34/destroy.sh
@@ -0,0 +1 @@
+../util/destroy-hostpath.sh
\ No newline at end of file
diff --git a/deploy/kubernetes-1.34/hostpath/csi-hostpath-driverinfo.yaml b/deploy/kubernetes-1.34/hostpath/csi-hostpath-driverinfo.yaml
new file mode 100644
index 00000000..0250a52c
--- /dev/null
+++ b/deploy/kubernetes-1.34/hostpath/csi-hostpath-driverinfo.yaml
@@ -0,0 +1,20 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: hostpath.csi.k8s.io
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: hostpath.csi.k8s.io
+ app.kubernetes.io/component: csi-driver
+spec:
+ # Supports persistent and ephemeral inline volumes.
+ volumeLifecycleModes:
+ - Persistent
+ - Ephemeral
+ # To determine at runtime which mode a volume uses, pod info and its
+ # "csi.storage.k8s.io/ephemeral" entry are needed.
+ podInfoOnMount: true
+ # Kubernetes may use fsGroup to change permissions and ownership
+ # of the volume to match user requested fsGroup in the pod's SecurityPolicy
+ fsGroupPolicy: File
diff --git a/deploy/kubernetes-1.34/hostpath/csi-hostpath-plugin.yaml b/deploy/kubernetes-1.34/hostpath/csi-hostpath-plugin.yaml
new file mode 100644
index 00000000..080fe5cb
--- /dev/null
+++ b/deploy/kubernetes-1.34/hostpath/csi-hostpath-plugin.yaml
@@ -0,0 +1,418 @@ + # All of the individual sidecar RBAC roles get bound +# to this account. +kind: ServiceAccount +apiVersion: v1 +metadata: + name: csi-hostpathplugin-sa + namespace: default + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: serviceaccount +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: attacher-cluster-role + name: csi-hostpathplugin-attacher-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-attacher-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: health-monitor-controller-cluster-role + name: csi-hostpathplugin-health-monitor-controller-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-health-monitor-controller-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: provisioner-cluster-role + name: csi-hostpathplugin-provisioner-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-provisioner-runner +subjects: +- kind: ServiceAccount + name: 
csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: resizer-cluster-role + name: csi-hostpathplugin-resizer-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-resizer-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: snapshotter-cluster-role + name: csi-hostpathplugin-snapshotter-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-snapshotter-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: snapshot-metadata-cluster-role + name: csi-hostpathplugin-snapshot-metadata-cluster-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-snapshot-metadata-runner +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: attacher-role + name: csi-hostpathplugin-attacher-role +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: Role + name: external-attacher-cfg +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: health-monitor-controller-role + name: csi-hostpathplugin-health-monitor-controller-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: external-health-monitor-controller-cfg +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: provisioner-role + name: csi-hostpathplugin-provisioner-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: external-provisioner-cfg +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: resizer-role + name: csi-hostpathplugin-resizer-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: external-resizer-cfg +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: snapshotter-role + name: csi-hostpathplugin-snapshotter-role +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + 
name: external-snapshotter-leaderelection +subjects: +- kind: ServiceAccount + name: csi-hostpathplugin-sa +--- +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-hostpathplugin + namespace: default + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin +spec: + serviceName: "csi-hostpathplugin" + # One replica only: + # Host path driver only works when everything runs + # on a single node. + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin + template: + metadata: + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpathplugin + app.kubernetes.io/component: plugin + spec: + serviceAccountName: csi-hostpathplugin-sa + containers: + - name: hostpath + image: registry.k8s.io/sig-storage/hostpathplugin:v1.17.0 + args: + - "--drivername=hostpath.csi.k8s.io" + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + - "--nodeid=$(KUBE_NODE_NAME)" + # end hostpath args + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + securityContext: + privileged: true + ports: + - containerPort: 9898 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 2 + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /var/lib/kubelet/plugins + mountPropagation: Bidirectional + name: plugins-dir + - mountPath: /csi-data-dir + name: csi-data-dir + - mountPath: /dev + 
name: dev-dir + + - name: csi-external-health-monitor-controller + image: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.16.0 + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + env: + - name: ADDRESS + value: /csi/csi.sock + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: socket-dir + mountPath: /csi + + - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0 + args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - mountPath: /csi-data-dir + name: csi-data-dir + + - name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + args: + - --csi-address=/csi/csi.sock + - --health-port=9898 + + - name: csi-attacher + image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0 + args: + - --v=5 + - --csi-address=/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. 
+ privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + - name: csi-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v6.0.0 + args: + - -v=5 + - --csi-address=/csi/csi.sock + - --feature-gates=Topology=true + # end csi-provisioner args + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + - name: csi-resizer + image: registry.k8s.io/sig-storage/csi-resizer:v2.0.0 + args: + - -v=5 + - -csi-address=/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + - name: csi-snapshotter + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0 + args: + - -v=5 + - --csi-address=/csi/csi.sock + securityContext: + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + + # end csi containers + + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/csi-hostpath + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/pods + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet/plugins + type: Directory + name: plugins-dir + - hostPath: + # 'path' is where PV data is persisted on host. 
+ # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot + path: /var/lib/csi-hostpath-data/ + type: DirectoryOrCreate + name: csi-data-dir + - hostPath: + path: /dev + type: Directory + name: dev-dir + # end csi volumes diff --git a/deploy/kubernetes-1.34/hostpath/csi-hostpath-snapshotclass.yaml b/deploy/kubernetes-1.34/hostpath/csi-hostpath-snapshotclass.yaml new file mode 100644 index 00000000..0382f2f6 --- /dev/null +++ b/deploy/kubernetes-1.34/hostpath/csi-hostpath-snapshotclass.yaml @@ -0,0 +1,13 @@ +# Usage of the v1 API implies that the cluster must have +# external-snapshotter v4.x installed. +apiVersion: snapshot.storage.k8s.io/v1 +kind: VolumeSnapshotClass +metadata: + name: csi-hostpath-snapclass + labels: + app.kubernetes.io/instance: hostpath.csi.k8s.io + app.kubernetes.io/part-of: csi-driver-host-path + app.kubernetes.io/name: csi-hostpath-snapclass + app.kubernetes.io/component: volumesnapshotclass +driver: hostpath.csi.k8s.io #csi-hostpath +deletionPolicy: Delete diff --git a/deploy/kubernetes-1.34/hostpath/csi-hostpath-testing.yaml b/deploy/kubernetes-1.34/hostpath/csi-hostpath-testing.yaml new file mode 100644 index 00000000..19c9888e --- /dev/null +++ b/deploy/kubernetes-1.34/hostpath/csi-hostpath-testing.yaml 
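Review bot: The ClusterRoleBinding `csi-hostpathplugin-snapshot-metadata-cluster-role` binds `external-snapshot-metadata-runner` to `csi-hostpathplugin-sa` unconditionally, but this StatefulSet has no csi-snapshot-metadata container; that sidecar only appears in the separate csi-snapshot-metadata-sidecar.patch. Every container in the pod shares this service account and several of them run privileged, so the account carries that role even when the sidecar is not deployed. Unless the deploy script (not visible here) strips it, I would create this binding only on the path that applies the patch, or at least put `# Only needed when csi-snapshot-metadata-sidecar.patch is applied.` above it. The hunk begins earlier on the page.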
@@ -0,0 +1,87 @@
+# WARNING: this is only for testing purposes. Do not install in a production
+# cluster.
+#
+# This exposes the hostpath's Unix domain csi.sock as a TCP port to the
+# outside world. The mapping from Unix domain socket to TCP is done
+# by socat.
+#
+# This is useful for testing with csi-sanity or csc.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: hostpath-service
+ namespace: default
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-socat
+ app.kubernetes.io/component: socat
+spec:
+ type: NodePort
+ selector:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-socat
+ app.kubernetes.io/component: socat
+ ports:
+ - port: 10000 # fixed port inside the pod, dynamically allocated port outside
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: csi-hostpath-socat
+ namespace: default
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-socat
+ app.kubernetes.io/component: socat
+spec:
+ serviceName: "csi-hostpath-socat"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-socat
+ app.kubernetes.io/component: socat
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: hostpath.csi.k8s.io
+ app.kubernetes.io/part-of: csi-driver-host-path
+ app.kubernetes.io/name: csi-hostpath-socat
+ app.kubernetes.io/component: socat
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - hostpath.csi.k8s.io
+ topologyKey: kubernetes.io/hostname
+ containers:
+ - name: socat
+ image:
registry.k8s.io/sig-storage/hostpathplugin:v1.15.0
+ command:
+ - socat
+ args:
+ - tcp-listen:10000,fork,reuseaddr
+ - unix-connect:/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/plugins/csi-hostpath
+ type: DirectoryOrCreate
+ name: socket-dir
diff --git a/deploy/kubernetes-1.34/hostpath/csi-snapshot-metadata-sidecar.patch b/deploy/kubernetes-1.34/hostpath/csi-snapshot-metadata-sidecar.patch
new file mode 100644
index 00000000..59de00bc
--- /dev/null
+++ b/deploy/kubernetes-1.34/hostpath/csi-snapshot-metadata-sidecar.patch
@@ -0,0 +1,22 @@
+ - name: csi-snapshot-metadata
+ image: registry.k8s.io/sig-storage/csi-snapshot-metadata:v0.1.0
+ imagePullPolicy: "IfNotPresent"
+ command:
+ args:
+ - "--csi-address=/csi/csi.sock"
+ - "--tls-cert=/tmp/certificates/tls.crt"
+ - "--tls-key=/tmp/certificates/tls.key"
+ readinessProbe:
+ exec:
+ command:
+ - "/bin/grpc_health_probe"
+ - "-addr=:50051"
+ - "-tls"
+ - "-tls-no-verify"
+ initialDelaySeconds: 5
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ - name: csi-snapshot-metadata-server-certs
+ mountPath: /tmp/certificates
+ readOnly: true
diff --git a/deploy/kubernetes-1.34/test-driver.yaml b/deploy/kubernetes-1.34/test-driver.yaml
new file mode 100644
index 00000000..55b07f84
--- /dev/null
+++ b/deploy/kubernetes-1.34/test-driver.yaml
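Review bot: In csi-hostpath-testing.yaml the socat listener (`tcp-listen:10000,fork,reuseaddr`) relays every TCP connection to `/csi/csi.sock` without authentication or TLS, and `type: NodePort` publishes it on the nodes' addresses, so anyone who can reach a node can issue CSI calls to a driver that the file's own comment describes as privileged. The header warns against production use, but nothing in the manifest limits who can reach the port on a shared CI or lab cluster. If the sanity job can go through `kubectl port-forward`, `type: ClusterIP` would remove the external exposure; otherwise I would extend the header with `# The listener is unauthenticated: restrict access to the node port (firewall or NetworkPolicy) on any shared cluster.` The socat container also sets `privileged: true` although it only relays a socket; the existing comment ties that to SELinux, so it is worth confirming it is still needed here.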
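Review bot: The readiness probe in csi-snapshot-metadata-sidecar.patch passes `-tls-no-verify`, so the container reports ready whatever certificate the server presents; an expired or mismatched certificate in `csi-snapshot-metadata-server-certs` would only surface when a real client connects. If a CA bundle can be mounted beside the server certificate, `-tls-ca-cert=<path-to-ca>` with `-tls-server-name=<service-dns-name>` (placeholders) would let the probe verify it; if not, a comment such as `# probe is local to the pod; certificate validity is not checked here` makes the limitation explicit. Separately, the empty `command:` key directly above `args:` appears to set nothing and could be dropped. This fragment is spliced into a container list that is defined outside the hunk.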
@@ -0,0 +1,27 @@
+# This file describes how to test this deployment of the CSI hostpath driver
+# using the Kubernetes 1.17 E2E test suite. For details see:
+# https://github.com/kubernetes/kubernetes/tree/v1.17.0/test/e2e/storage/external
+
+StorageClass:
+ FromName: true
+SnapshotClass:
+ FromName: true
+VolumeAttributeClass:
+ FromName: true
+DriverInfo:
+ Name: hostpath.csi.k8s.io
+ SupportedSizeRange:
+ Min: 1Mi
+ Capabilities:
+ block: true
+ controllerExpansion: true
+ exec: true
+ multipods: true
+ nodeExpansion: true
+ persistence: true
+ singleNodeVolume: true
+ snapshotDataSource: true
+ topology: true
+ FSResizeFromSourceNotSupported: true
+InlineVolumes:
+- shared: true
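Review bot: The header comment in test-driver.yaml says the file targets `the Kubernetes 1.17 E2E test suite` and links the `v1.17.0` tree, although the file is added under `deploy/kubernetes-1.34`. The wording looks carried over from an older deployment directory. I would change the second line to `# using the Kubernetes 1.34 E2E test suite. For details see:` and point the link at the matching release of `test/e2e/storage/external`, so that readers check `VolumeAttributeClass` and the capability names against the right schema.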