diff --git a/deploy/kubernetes/latest/attacher.yaml b/deploy/kubernetes/latest/attacher.yaml
deleted file mode 100644
index 5a2f51a24a..0000000000
--- a/deploy/kubernetes/latest/attacher.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: csi-attacher-sa
- namespace: default
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: external-attacher-runner
- namespace: default
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-attacher-role
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: csi-attacher-sa
- namespace: default
-roleRef:
- kind: ClusterRole
- name: external-attacher-runner
- apiGroup: rbac.authorization.k8s.io
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
- name: csi-attacher
- labels:
- app: csi-attacher
-spec:
- selector:
- app: csi-attacher
- clusterIP: None
----
-
-kind: StatefulSet
-apiVersion: apps/v1beta1
-metadata:
- name: csi-attacher
-spec:
- serviceName: "csi-attacher"
- replicas: 1
- template:
- metadata:
- labels:
- app: csi-attacher
- spec:
- serviceAccount: csi-attacher-sa
- containers:
- - name: csi-attacher
- securityContext:
- privileged: true
- capabilities:
- add: ["SYS_ADMIN"]
- allowPrivilegeEscalation: true
- image: quay.io/k8scsi/csi-attacher:v1.0-canary
- args:
- - --v=5
- - --csi-address=$(ADDRESS)
- env:
- - name: ADDRESS
- value: /var/lib/csi/sockets/pluginproxy/csi.sock
- imagePullPolicy: Always
- volumeMounts:
- - name: socket-dir
- mountPath: /var/lib/csi/sockets/pluginproxy/
- - name: ebs-plugin
- securityContext:
- privileged: true
- capabilities:
- add: ["SYS_ADMIN"]
- allowPrivilegeEscalation: true
- image: amazon/aws-ebs-csi-driver:latest
- args :
- - --endpoint=$(CSI_ENDPOINT)
- - --logtostderr
- - --v=5
- env:
- - name: CSI_ENDPOINT
- value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- - name: AWS_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: aws-secret
- key: key_id
- - name: AWS_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: aws-secret
- key: access_key
- imagePullPolicy: Always
- volumeMounts:
- - name: socket-dir
- mountPath: /var/lib/csi/sockets/pluginproxy/
- volumes:
- - name: socket-dir
- emptyDir: {}
diff --git a/deploy/kubernetes/latest/controller.yaml b/deploy/kubernetes/latest/controller.yaml
new file mode 100644
index 0000000000..c87d706470
--- /dev/null
+++ b/deploy/kubernetes/latest/controller.yaml
@@ -0,0 +1,199 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-controller-sa
+ namespace: kube-system
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: external-provisioner-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-provisioner-binding
+subjects:
+ - kind: ServiceAccount
+ name: csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: external-provisioner-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: external-attacher-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-attacher-binding
+subjects:
+ - kind: ServiceAccount
+ name: csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: external-attacher-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cluster-driver-registrar-role
+rules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csidrivers"]
+ verbs: ["create", "delete"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-driver-registrar-binding
+subjects:
+ - kind: ServiceAccount
+ name: csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: cluster-driver-registrar-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: StatefulSet
+apiVersion: apps/v1beta1
+metadata:
+ name: csi-controller
+ namespace: kube-system
+spec:
+ serviceName: csi-controller
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: csi-controller
+ spec:
+ serviceAccount: csi-controller-sa
+ priorityClassName: system-cluster-critical
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ containers:
+ - name: ebs-plugin
+ image: amazon/aws-ebs-csi-driver:latest
+ imagePullPolicy: Always
+ args :
+ - --endpoint=$(CSI_ENDPOINT)
+ - --logtostderr
+ - --v=5
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: aws-secret
+ key: key_id
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws-secret
+ key: access_key
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ - name: cluster-driver-registrar
+ imagePullPolicy: Always
+ image: quay.io/k8scsi/csi-cluster-driver-registrar:v1.0.1
+ args:
+ - --csi-address=$(ADDRESS)
+ - --driver-requires-attachment=true
+ - --v=5
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: csi-provisioner
+ image: quay.io/k8scsi/csi-provisioner:v1.0.1
+ imagePullPolicy: Always
+ args:
+ - --provisioner=ebs.csi.aws.com
+ - --csi-address=$(ADDRESS)
+ - --v=5
+ - --feature-gates=Topology=true
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ - name: csi-attacher
+ image: quay.io/k8scsi/csi-attacher:v1.0.1
+ imagePullPolicy: Always
+ args:
+ - --csi-address=$(ADDRESS)
+ - --v=5
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ volumes:
+ - name: socket-dir
+ emptyDir: {}
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
+ type: DirectoryOrCreate
+ - name: registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry/
+ type: Directory
\ No newline at end of file
diff --git a/deploy/kubernetes/latest/node.yaml b/deploy/kubernetes/latest/node.yaml
index b6157fe541..e49010864c 100644
--- a/deploy/kubernetes/latest/node.yaml
+++ b/deploy/kubernetes/latest/node.yaml
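Review bot: In the new `csi-controller` StatefulSet the `cluster-driver-registrar` container is pointed at `ADDRESS=/csi/csi.sock` backed by the `plugin-dir` hostPath (`/var/lib/kubelet/plugins/ebs.csi.aws.com/`), while the `ebs-plugin` container in the same pod listens on `unix:///var/lib/csi/sockets/pluginproxy/csi.sock` in the `socket-dir` emptyDir; as far as these manifests show, the registrar therefore talks to the node DaemonSet's socket on the host rather than to its own plugin, and the two hostPath volumes exist only for that. Point it at the in-pod socket like the other two sidecars — `value: /var/lib/csi/sockets/pluginproxy/csi.sock` with `- name: socket-dir` / `mountPath: /var/lib/csi/sockets/pluginproxy/` — and drop `plugin-dir` and the never-mounted `registration-dir` so the controller needs no hostPath at all. Separately, `amazon/aws-ebs-csi-driver:latest` with `imagePullPolicy: Always` means the one container holding the AWS credentials and PV create/delete rights is re-resolved from a mutable tag on every start; pin it to a release tag or digest as the `quay.io/k8scsi` sidecars already are. Finally, neither `secretKeyRef` sets `optional: true`, so a cluster relying on instance roles (which this commit's README now permits) cannot start the pod unless `aws-secret` exists.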
@@ -1,58 +1,8 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: csi-node-sa
- namespace: default
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-node
- namespace: default
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch", "update"]
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-node
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: csi-node-sa
- namespace: default
-roleRef:
- kind: ClusterRole
- name: csi-node
- apiGroup: rbac.authorization.k8s.io
-
----
-
 kind: DaemonSet
 apiVersion: apps/v1beta2
 metadata:
 name: csi-node
+ namespace: kube-system
 spec:
 selector:
 matchLabels:
@@ -62,35 +12,12 @@ spec:
 labels:
 app: csi-node
 spec:
- serviceAccount: csi-node-sa
 hostNetwork: true
+ priorityClassName: system-node-critical
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
 containers:
- - name: csi-driver-registrar
- securityContext:
- privileged: true
- imagePullPolicy: Always
- image: quay.io/k8scsi/driver-registrar:v1.0-canary
- args:
- - --v=5
- - --csi-address=$(ADDRESS)
- - --mode=node-register
- - --driver-requires-attachment=true
- - --pod-info-mount-version="v1"
- - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- env:
- - name: ADDRESS
- value: /csi/csi.sock
- - name: DRIVER_REG_SOCK_PATH
- value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
- - name: KUBE_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- - name: plugin-dir
- mountPath: /csi
- - name: registration-dir
- mountPath: /registration
 - name: ebs-plugin
 securityContext:
 privileged: true
@@ -121,6 +48,27 @@ spec:
 mountPath: /csi
 - name: device-dir
 mountPath: /dev
+ - name: node-driver-registrar
+ imagePullPolicy: Always
+ image: quay.io/k8scsi/csi-node-driver-registrar:v1.0.2
+ args:
+ - --csi-address=$(ADDRESS)
+ - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+ - --v=5
+ lifecycle:
+ preStop:
+ exec:
+ command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ - name: DRIVER_REG_SOCK_PATH
+ value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
 volumes:
 - name: kubelet-dir
 hostPath:
diff --git a/deploy/kubernetes/latest/provisioner.yaml b/deploy/kubernetes/latest/provisioner.yaml
deleted file mode 100644
index 34ef6ccd9b..0000000000
--- a/deploy/kubernetes/latest/provisioner.yaml
+++ /dev/null
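Review bot: Removing `serviceAccount: csi-node-sa` without adding a `serviceAccountName` leaves the `csi-node` DaemonSet on the `default` service account of kube-system, and that account's token is still auto-mounted into every container, including the privileged `ebs-plugin` that mounts host `/dev`; none of the arguments visible for the remaining containers reference the API server, so add `automountServiceAccountToken: false` beside `hostNetwork: true` so a compromised node plugin does not hold a kube-system token. The `ebs-plugin` container body continues outside this hunk, so confirm it takes no kubeconfig or API-client flags before applying. Dropping the old `csi-node` ClusterRole (secrets get/list, nodes update) is a good reduction on its own, and this keeps the pod from regaining API access by accident.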
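Review bot: The `preStop` hook added to `node-driver-registrar` also deletes `/csi/csi.sock`, which by the matching `DRIVER_REG_SOCK_PATH` is the listening socket of the sibling `ebs-plugin` container (presumably the same `plugin-dir` hostPath, defined outside this hunk), not a file the registrar itself creates; if only the registrar container is stopped — e.g. by a liveness probe added later — the plugin keeps running with its socket unlinked and kubelet loses the endpoint until the whole pod restarts. Restrict the hook to the registration socket, `command: ["/bin/sh", "-c", "rm -f /registration/ebs.csi.aws.com-reg.sock"]`, and let the plugin handle its own stale socket on start (confirm this driver does so); `-r` is unnecessary for socket paths either way. The containers list and the `volumes` section continue outside this hunk.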
@@ -1,140 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: csi-provisioner-sa
- namespace: default
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: external-provisioner-runner
- namespace: default
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["list", "watch", "create", "update", "get"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots"]
- verbs: ["get", "list"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["get", "list"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-provisioner-role
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: csi-provisioner-sa
- namespace: default
-roleRef:
- kind: ClusterRole
- name: external-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
- name: csi-provisioner
- labels:
- app: csi-provisioner
-spec:
- selector:
- app: csi-provisioner
- clusterIP: None
----
-
-kind: StatefulSet
-apiVersion: apps/v1beta1
-metadata:
- name: csi-provisioner
-spec:
- serviceName: "csi-provisioner"
- replicas: 1
- template:
- metadata:
- labels:
- app: csi-provisioner
- spec:
- serviceAccount: csi-provisioner-sa
- containers:
- - name: csi-provisioner
- securityContext:
- privileged: true
- capabilities:
- add: ["SYS_ADMIN"]
- allowPrivilegeEscalation: true
- image: quay.io/k8scsi/csi-provisioner:v1.0-canary
- args:
- - --provisioner=ebs.csi.aws.com
- - --csi-address=$(ADDRESS)
- - --v=5
- - --feature-gates=Topology=true
- env:
- - name: ADDRESS
- value: /var/lib/csi/sockets/pluginproxy/csi.sock
- imagePullPolicy: Always
- volumeMounts:
- - name: socket-dir
- mountPath: /var/lib/csi/sockets/pluginproxy/
-
- - name: ebs-plugin
- securityContext:
- privileged: true
- capabilities:
- add: ["SYS_ADMIN"]
- allowPrivilegeEscalation: true
- image: amazon/aws-ebs-csi-driver:latest
- args :
- - --endpoint=$(CSI_ENDPOINT)
- - --logtostderr
- - --v=5
- env:
- - name: CSI_ENDPOINT
- value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- - name: AWS_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: aws-secret
- key: key_id
- - name: AWS_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: aws-secret
- key: access_key
- imagePullPolicy: Always
- volumeMounts:
- - name: socket-dir
- mountPath: /var/lib/csi/sockets/pluginproxy/
- volumes:
- - name: socket-dir
- emptyDir: {}
diff --git a/deploy/kubernetes/latest/secret.yaml b/deploy/kubernetes/latest/secret.yaml
index a77fc16c10..e729d1a173 100644
--- a/deploy/kubernetes/latest/secret.yaml
+++ b/deploy/kubernetes/latest/secret.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: aws-secret
+ namespace: kube-system
 stringData:
- key_id:
- access_key:
+ key_id: ""
+ access_key: ""
diff --git a/docs/README.md b/docs/README.md
index 13f68ebb15..5147477efc 100644
--- a/docs/README.md
+++ b/docs/README.md
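Review bot: Changing the values to `key_id: ""` / `access_key: ""` makes `secret.yaml` apply cleanly even when nobody has filled it in, and because the README's step 5 applies the whole `deploy/kubernetes/latest` directory, an `aws-secret` with empty credentials is now always created in kube-system and injected into the controller as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`. Whether an empty-string environment variable falls through to the EC2 instance role depends on the SDK credential chain and should be verified on a cluster that leaves this file untouched; record the intent above `stringData:` with `# Leave both values empty to use the EC2 instance role; values set here are presumably used in preference to it.` The file also invites pasting long-lived IAM keys into a manifest tracked in VCS; steer operators toward `kubectl create secret generic aws-secret -n kube-system --from-literal=key_id=... --from-literal=access_key=...` and keep this file as an empty template.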
@@ -68,9 +68,9 @@ There are several optional parameters that could be passed into `CreateVolumeReq
 ## Setup
 ### Kubernetes
-1. Use the manifest files under the directory [deploy/kubernetes](../deploy/kubernetes), needed to deploy the CSI driver and sidecar containers. If you are using Kubernetes v1.12, use the manifest files under [deploy/kubernetes/v1.12](../deploy/kubernetes/v1.12); for kubernetes v1.10 and v1.11, use the files under [deploy/kubernetes/v1.[10,11]](../deploy/kubernetes/v1.[10,11]).
+1. Use the manifest files under the directory [deploy/kubernetes](../deploy/kubernetes), needed to deploy the CSI driver and sidecar containers.
-2. Add AWS credentials of the IAM user to the [deploy/kubernetes/v1.12/secrets.yaml](../deploy/kubernetes/v1.12/secrets.yaml) file.
+2. The driver can use the EC2 instance roles, otherwise add AWS credentials of the IAM user to the [deploy/kubernetes/latest/secret.yaml](../deploy/kubernetes/latest/secret.yaml) file.
 ```
 apiVersion: v1
@@ -82,22 +82,22 @@ stringData:
 access_key: [aws_secret_access_key] #aws_secret_access_key
 ```
-3. Apply the secret using `kubectl apply -f ../deploy/kubernetes/v1.12/secrets.yaml`
+3. Apply the secret using `kubectl apply -f ../deploy/kubernetes/latest/secret.yaml` if required.
 4. Grant only required permissions to the CSI driver. Use this sample [IAM policy](example-iam-policy.json) and add it to the worker nodes in the cluster.
 5. Deploy the csi-provisioner, csi-attacher and csi-node manifests to the cluster in one step:
 ```
-kubectl apply -f deploy/kubernetes/v1.12
+kubectl apply -f deploy/kubernetes/latest
 ```
 Now any user can start creating and using EBS volumes with the CSI driver.
-6. Apply `deploy/kubernetes/v1.12/sample_app` that uses the recently deployed driver:
+6. Apply `deploy/kubernetes/latest/sample_app` that uses the recently deployed driver:
 ```
-kubectl apply -f deploy/kubernetes/v1.12/sample_app
+kubectl apply -f deploy/kubernetes/latest/sample_app
 ```
 ## Development