Upgrade AWS EBS CSI Driver to v1.25.0

Peter Rifel 2023-11-20 20:43:42 -06:00
parent bcbf6c79a4
commit 386352ea17
No known key found for this signature in database
GPG Key ID: BC6469E5B16DB2B6
2 changed files with 359 additions and 127 deletions


@ -43,7 +43,7 @@ func (b *AWSEBSCSIDriverOptionsBuilder) BuildOptions(o interface{}) error {
c := aws.EBSCSIDriver c := aws.EBSCSIDriver
if c.Version == nil { if c.Version == nil {
version := "v1.14.1" version := "v1.25.0"
c.Version = &version c.Version = &version
} }


@ -1,5 +1,23 @@
{{ with .CloudProvider.AWS.EBSCSIDriver }} {{ with .CloudProvider.AWS.EBSCSIDriver }}
# Latest Images Source: aws-ebs-csi-driver/values.yaml#L7-L34 ---
# Source: aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: ebs-csi-controller
namespace: kube-system
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
spec:
selector:
matchLabels:
app: ebs-csi-controller
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
maxUnavailable: 1
--- ---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml # Source: aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
apiVersion: v1 apiVersion: v1
@ -11,6 +29,21 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
automountServiceAccountToken: true
---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-csi-node-sa
namespace: kube-system
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
automountServiceAccountToken: true
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrole-attacher.yaml # Source: aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
kind: ClusterRole kind: ClusterRole
@ -21,23 +54,42 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["persistentvolumes"] resources: [ "persistentvolumes" ]
verbs: ["get", "list", "watch", "update", "patch"] verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["nodes"] resources: [ "nodes" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
- apiGroups: ["csi.storage.k8s.io"] - apiGroups: [ "csi.storage.k8s.io" ]
resources: ["csinodeinfos"] resources: [ "csinodeinfos" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
- apiGroups: ["storage.k8s.io"] - apiGroups: [ "storage.k8s.io" ]
resources: ["volumeattachments"] resources: [ "volumeattachments" ]
verbs: ["get", "list", "watch", "update", "patch"] verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [ "storage.k8s.io" ] - apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattachments/status" ] resources: [ "volumeattachments/status" ]
verbs: [ "patch" ] verbs: [ "patch" ]
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-node-role
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["list"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml # Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -47,6 +99,7 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
rules: rules:
- apiGroups: [ "" ] - apiGroups: [ "" ]
resources: [ "persistentvolumes" ] resources: [ "persistentvolumes" ]
@ -72,9 +125,6 @@ rules:
- apiGroups: [ "" ] - apiGroups: [ "" ]
resources: [ "nodes" ] resources: [ "nodes" ]
verbs: [ "get", "list", "watch" ] verbs: [ "get", "list", "watch" ]
- apiGroups: [ "coordination.k8s.io" ]
resources: [ "leases" ]
verbs: [ "get", "watch", "list", "delete", "update", "create" ]
- apiGroups: [ "storage.k8s.io" ] - apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattachments" ] resources: [ "volumeattachments" ]
verbs: [ "get", "list", "watch" ] verbs: [ "get", "list", "watch" ]
@ -88,30 +138,31 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
rules: rules:
# The following rule should be uncommented for plugins that require secrets # The following rule should be uncommented for plugins that require secrets
# for provisioning. # for provisioning.
# - apiGroups: [""] # - apiGroups: [""]
# resources: ["secrets"] # resources: ["secrets"]
# verbs: ["get", "list", "watch"] # verbs: ["get", "list", "watch"]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["persistentvolumes"] resources: [ "persistentvolumes" ]
verbs: ["get", "list", "watch", "update", "patch"] verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["persistentvolumeclaims"] resources: [ "persistentvolumeclaims" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["persistentvolumeclaims/status"] resources: [ "persistentvolumeclaims/status" ]
verbs: ["update", "patch"] verbs: [ "update", "patch" ]
- apiGroups: ["storage.k8s.io"] - apiGroups: [ "storage.k8s.io" ]
resources: ["storageclasses"] resources: [ "storageclasses" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["events"] resources: [ "events" ]
verbs: ["list", "watch", "create", "update", "patch"] verbs: [ "list", "watch", "create", "update", "patch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["pods"] resources: [ "pods" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml # Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
kind: ClusterRole kind: ClusterRole
@ -122,22 +173,27 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["events"] resources: [ "events" ]
verbs: ["list", "watch", "create", "update", "patch"] verbs: [ "list", "watch", "create", "update", "patch" ]
- apiGroups: [""] # Secret permission is optional.
resources: ["secrets"] # Enable it if your driver needs secret.
verbs: ["get", "list"] # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
- apiGroups: ["snapshot.storage.k8s.io"] # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
resources: ["volumesnapshotclasses"] # - apiGroups: [ "" ]
verbs: ["get", "list", "watch"] # resources: [ "secrets" ]
- apiGroups: ["snapshot.storage.k8s.io"] # verbs: [ "get", "list" ]
resources: ["volumesnapshotcontents"] - apiGroups: [ "snapshot.storage.k8s.io" ]
verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] resources: [ "volumesnapshotclasses" ]
- apiGroups: ["snapshot.storage.k8s.io"] verbs: [ "get", "list", "watch" ]
resources: ["volumesnapshotcontents/status"] - apiGroups: [ "snapshot.storage.k8s.io" ]
verbs: ["update"] resources: [ "volumesnapshotcontents" ]
verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotcontents/status" ]
verbs: [ "update" ]
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml # Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -148,6 +204,7 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: ebs-csi-controller-sa name: ebs-csi-controller-sa
@ -157,6 +214,25 @@ roleRef:
name: ebs-external-attacher-role name: ebs-external-attacher-role
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-node-getter-binding
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects:
- kind: ServiceAccount
name: ebs-csi-node-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-csi-node-role
apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml # Source: aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -166,6 +242,7 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: ebs-csi-controller-sa name: ebs-csi-controller-sa
@ -184,6 +261,7 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: ebs-csi-controller-sa name: ebs-csi-controller-sa
@ -202,6 +280,7 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: ebs-csi-controller-sa name: ebs-csi-controller-sa
@ -211,47 +290,55 @@ roleRef:
name: ebs-external-snapshotter-role name: ebs-external-snapshotter-role
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
--- ---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml # Source: aws-ebs-csi-driver/templates/role-leases.yaml
kind: ClusterRoleBinding kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: ebs-csi-node-getter-binding namespace: kube-system
labels: name: ebs-csi-leases-role
app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
- kind: ServiceAccount
name: ebs-csi-node-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-csi-node-role
apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-node-role
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
rules: rules:
- apiGroups: [""] - apiGroups: ["coordination.k8s.io"]
resources: ["nodes"] resources: ["leases"]
verbs: ["get"] verbs: ["get", "watch", "list", "delete", "update", "create"]
--- ---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml # Source: aws-ebs-csi-driver/templates/rolebinding-leases.yaml
apiVersion: v1 kind: RoleBinding
kind: ServiceAccount apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: ebs-csi-node-sa name: ebs-csi-leases-rolebinding
namespace: kube-system namespace: kube-system
labels: labels:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: Role
name: ebs-csi-leases-role
apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: ebs-csi-controller
namespace: kube-system
labels:
app: ebs-csi-controller
spec:
selector:
app: ebs-csi-controller
ports:
- name: metrics
port: 3301
targetPort: 3301
type: ClusterIP
--- ---
# Source: aws-ebs-csi-driver/templates/node.yaml # Source: aws-ebs-csi-driver/templates/node.yaml
# Node Service
kind: DaemonSet kind: DaemonSet
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
@ -261,12 +348,17 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: ebs-csi-node app: ebs-csi-node
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
type: RollingUpdate
template: template:
metadata: metadata:
labels: labels:
@ -274,28 +366,44 @@ spec:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
annotations: annotations:
{{- range $key, $value := .PodAnnotations }} {{- range $key, $value := .PodAnnotations }}
{{ $key }}: "{{ $value }}" {{ $key }}: "{{ $value }}"
{{- end }} {{- end }}
spec: spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
- key: node.kubernetes.io/instance-type
operator: NotIn
values:
- a1.medium
- a1.large
- a1.xlarge
- a1.2xlarge
- a1.4xlarge
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
serviceAccountName: ebs-csi-node-sa serviceAccountName: ebs-csi-node-sa
priorityClassName: system-node-critical priorityClassName: system-node-critical
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
fsGroup: 0
tolerations: tolerations:
- operator: Exists - operator: Exists
hostNetwork: false
securityContext:
fsGroup: 0
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
containers: containers:
- name: ebs-plugin - name: ebs-plugin
securityContext: image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:{{ .Version }}
privileged: true
readOnlyRootFilesystem: true
image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- node - node
@ -304,6 +412,7 @@ spec:
- --volume-attach-limit={{ .VolumeAttachLimit }} - --volume-attach-limit={{ .VolumeAttachLimit }}
{{- end }} {{- end }}
- --logtostderr - --logtostderr
- --logging-format=text
- --v=2 - --v=2
env: env:
{{- if IsIPv6Only }} {{- if IsIPv6Only }}
@ -342,8 +451,21 @@ spec:
timeoutSeconds: 3 timeoutSeconds: 3
periodSeconds: 10 periodSeconds: 10
failureThreshold: 5 failureThreshold: 5
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
lifecycle:
preStop:
exec:
command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"]
- name: node-driver-registrar - name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.9.1-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --csi-address=$(ADDRESS) - --csi-address=$(ADDRESS)
@ -354,25 +476,48 @@ spec:
value: /csi/csi.sock value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH - name: DRIVER_REG_SOCK_PATH
value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
livenessProbe:
exec:
command:
- /csi-node-driver-registrar
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --mode=kubelet-registration-probe
initialDelaySeconds: 30
periodSeconds: 90
timeoutSeconds: 15
volumeMounts: volumeMounts:
- name: plugin-dir - name: plugin-dir
mountPath: /csi mountPath: /csi
- name: registration-dir - name: registration-dir
mountPath: /registration mountPath: /registration
- name: probe-dir
mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
- name: liveness-probe - name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.11.0-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts: volumeMounts:
- name: plugin-dir - name: plugin-dir
mountPath: /csi mountPath: /csi
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumes: volumes:
- name: kubelet-dir - name: kubelet-dir
hostPath: hostPath:
@ -400,6 +545,8 @@ spec:
path: /sys/fs path: /sys/fs
type: Directory type: Directory
{{ end }} {{ end }}
- name: probe-dir
emptyDir: {}
--- ---
# Source: aws-ebs-csi-driver/templates/controller.yaml # Source: aws-ebs-csi-driver/templates/controller.yaml
# Controller Service # Controller Service
@ -412,8 +559,13 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
spec: spec:
replicas: {{ ControlPlaneControllerReplicas true }} replicas: {{ ControlPlaneControllerReplicas true }}
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
selector: selector:
matchLabels: matchLabels:
app: ebs-csi-controller app: ebs-csi-controller
@ -426,11 +578,16 @@ spec:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
annotations: annotations:
{{- range $key, $value := .PodAnnotations }} {{- range $key, $value := .PodAnnotations }}
{{ $key }}: "{{ $value }}" {{ $key }}: "{{ $value }}"
{{- end }} {{- end }}
spec: spec:
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ebs-csi-controller-sa
priorityClassName: system-cluster-critical
affinity: affinity:
nodeAffinity: nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -453,6 +610,25 @@ spec:
operator: In operator: In
values: values:
- linux - linux
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
weight: 1
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- ebs-csi-controller
topologyKey: kubernetes.io/hostname
weight: 100
topologySpreadConstraints: topologySpreadConstraints:
- maxSkew: 1 - maxSkew: 1
topologyKey: "topology.kubernetes.io/zone" topologyKey: "topology.kubernetes.io/zone"
@ -471,21 +647,25 @@ spec:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
securityContext: securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
serviceAccountName: ebs-csi-controller-sa
priorityClassName: system-cluster-critical
nodeSelector: null
{{ if not UseServiceAccountExternalPermissions }} {{ if not UseServiceAccountExternalPermissions }}
hostNetwork: true hostNetwork: true
tolerations: tolerations:
- operator: Exists - operator: Exists
{{ else }}
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
tolerationSeconds: 300
{{ end }} {{ end }}
containers: containers:
- name: ebs-plugin - name: ebs-plugin
image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }} image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:{{ .Version }}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- controller - controller
@ -494,6 +674,8 @@ spec:
- --k8s-tag-cluster-id={{ ClusterName }} - --k8s-tag-cluster-id={{ ClusterName }}
- "--extra-tags={{ CloudLabels }}" - "--extra-tags={{ CloudLabels }}"
- --http-endpoint=0.0.0.0:3301 - --http-endpoint=0.0.0.0:3301
- --batching=true
- --logging-format=text
- --v=5 - --v=5
env: env:
{{- if IsIPv6Only }} {{- if IsIPv6Only }}
@ -519,6 +701,12 @@ spec:
name: aws-secret name: aws-secret
key: access_key key: access_key
optional: true optional: true
- name: AWS_EC2_ENDPOINT
valueFrom:
configMapKeyRef:
name: aws-meta
key: endpoint
optional: true
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/ mountPath: /var/lib/csi/sockets/pluginproxy/
@ -545,84 +733,141 @@ spec:
timeoutSeconds: 3 timeoutSeconds: 3
periodSeconds: 10 periodSeconds: 10
failureThreshold: 5 failureThreshold: 5
securityContext: resources:
readOnlyRootFilesystem: true limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
- name: csi-provisioner - name: csi-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v3.6.2-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --timeout=60s
- --csi-address=$(ADDRESS) - --csi-address=$(ADDRESS)
- --v=5 - --v=5
- --feature-gates=Topology=true - --feature-gates=Topology=true
- --extra-create-metadata - --extra-create-metadata
- --leader-election=true - --leader-election=true
- --default-fstype=ext4 - --default-fstype=ext4
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
env: env:
- name: ADDRESS - name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/ mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
- name: csi-attacher - name: csi-attacher
image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.4.2-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --timeout=60s
- --csi-address=$(ADDRESS) - --csi-address=$(ADDRESS)
- --v=5 - --v=5
- --leader-election=true - --leader-election=true
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
env: env:
- name: ADDRESS - name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/ mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
{{ if HasSnapshotController }} {{ if HasSnapshotController }}
- name: csi-snapshotter - name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.0.1 image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v6.3.2-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --csi-address=$(ADDRESS) - --csi-address=$(ADDRESS)
- --leader-election=true - --leader-election=true
- --extra-create-metadata
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
env: env:
- name: ADDRESS - name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/ mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
{{ end }} {{ end }}
- name: csi-resizer - name: csi-resizer
image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.9.2-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --timeout=60s
- --csi-address=$(ADDRESS) - --csi-address=$(ADDRESS)
- --v=5 - --v=5
- --handle-volume-inuse-error=false
- --leader-election=true
- --kube-api-qps=20
- --kube-api-burst=100
- --workers=100
env: env:
- name: ADDRESS - name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/ mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
- name: liveness-probe - name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.11.0-eks-1-28-9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
volumeMounts: volumeMounts:
- name: socket-dir - name: socket-dir
mountPath: /csi mountPath: /csi
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumes: volumes:
- name: socket-dir - name: socket-dir
emptyDir: {} emptyDir: {}
@ -636,26 +881,13 @@ metadata:
app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/version: {{ .Version }}
app.kubernetes.io/component: csi-driver
spec: spec:
attachRequired: true attachRequired: true
podInfoOnMount: false podInfoOnMount: false
{{ if KopsFeatureEnabled "SELinuxMount" }} {{ if KopsFeatureEnabled "SELinuxMount" }}
seLinuxMount: true seLinuxMount: true
{{ end }} {{ end }}
--- {{- /* Disabled because the field is immutable and kOps doesn't have a way to delete and recreate the resource */}}
apiVersion: policy/v1 # fsGroupPolicy: File
kind: PodDisruptionBudget
metadata:
name: ebs-csi-controller
namespace: kube-system
labels:
app.kubernetes.io/name: aws-ebs-csi-driver
app.kubernetes.io/instance: aws-ebs-csi-driver
app.kubernetes.io/version: {{ .Version }}
spec:
selector:
matchLabels:
app: ebs-csi-controller
app.kubernetes.io/instance: aws-ebs-csi-driver
maxUnavailable: 1
{{ end }} {{ end }}
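Review bot: The relocated `ebs-csi-node-role` ClusterRole widens the node plugin's rights from `get` on `nodes` to `verbs: ["get", "patch"]` and adds `list` on `volumeattachments`, with no comment explaining why. The role is bound to `ebs-csi-node-sa`, which this change sets to `automountServiceAccountToken: true` and which runs in a DaemonSet whose `ebs-plugin` container is `privileged: true`. RBAC cannot scope the rule to the pod's own Node object, so the token on any one node can change labels and taints on every node in the cluster. If the verb is needed only for the driver's startup-taint handling (inferred, not visible here), say so above the rule, e.g. `# patch: needed by the node plugin to clear its own startup taint; cluster-wide because RBAC cannot scope to the local node`. It would also be worth considering an admission policy that limits what this service account may modify on Node objects.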