From e54132c827c44934b60c77ce7ed9f0c597e9984f Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Mon, 11 Aug 2025 08:44:46 +0300 Subject: [PATCH] aws: Update EBS CSI driver to v1.47.0 --- pkg/model/components/awsebscsidriver.go | 3 +- .../k8s-1.17.yaml.template | 1088 +++++++++-------- 2 files changed, 551 insertions(+), 540 deletions(-) diff --git a/pkg/model/components/awsebscsidriver.go b/pkg/model/components/awsebscsidriver.go index 269b480ace..0290d29201 100644 --- a/pkg/model/components/awsebscsidriver.go +++ b/pkg/model/components/awsebscsidriver.go @@ -43,8 +43,7 @@ func (b *AWSEBSCSIDriverOptionsBuilder) BuildOptions(o *kops.Cluster) error { c := aws.EBSCSIDriver if c.Version == nil { - version := "v1.38.1" - c.Version = &version + c.Version = fi.PtrTo("v1.47.0") } return nil diff --git a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template index c307580331..d22e1c58c5 100644 --- a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template +++ b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template @@ -1,8 +1,8 @@ -# helm template aws-ebs-csi-driver . -n kube-system \ -# --set controller.volumeModificationFeature.enabled=true \ -# --set sidecars.snapshotter.forceEnable=true \ -# --set controller.enableMetrics=true \ -# --no-hooks | grep -vi helm +#helm template aws-ebs-csi-driver aws-ebs-csi-driver/aws-ebs-csi-driver -n kube-system \ +# --set controller.volumeModificationFeature.enabled=true \ +# --set sidecars.snapshotter.forceEnable=true \ +# --set controller.enableMetrics=true \ +# --no-hooks | grep -vi helm {{ with .CloudProvider.AWS.EBSCSIDriver }} --- 
@@ -64,18 +64,18 @@ metadata: # Do not modify the rules below manually, see `make update-sidecar-dependencies` # BEGIN AUTOGENERATED RULES rules: -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] # END AUTOGENERATED RULES --- # Source: aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml @@ -89,15 +89,15 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch"] -- apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "patch", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get"] --- # Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml kind: ClusterRole 
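Review bot: The csi-node ClusterRole in the second hunk (`@@ -89`) widens the node service account from `get`/`patch` on nodes to `verbs: ["get", "patch", "list", "watch"]`, which lets the ebs-csi-node pod on every node enumerate and watch all Node objects cluster-wide instead of only reading its own. This is presumably inherited from the upstream chart for v1.47.0, but it is a permission change buried in what otherwise reads as a re-indentation diff, and the commit message describes only a version bump; a one-line mention of the RBAC widening in the description would help anyone auditing `ebs-csi-node-sa`. The first hunk (attacher role) is whitespace-only.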
@@ -112,47 +112,47 @@ metadata: # Do not modify the rules below manually, see `make update-sidecar-dependencies` # BEGIN AUTOGENERATED RULES rules: -# The following rule should be uncommented for plugins that require secrets -# for provisioning. -# - apiGroups: [""] -# resources: ["secrets"] -# verbs: ["get", "list"] -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "patch", "delete"] -- apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] -- apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] -# Access to volumeattachments is only needed when the CSI driver -# has the PUBLISH_UNPUBLISH_VOLUME controller capability. -# In that case, external-provisioner will watch volumeattachments -# to determine when it is safe to delete a volume. -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch"] + # The following rule should be uncommented for plugins that require secrets + # for provisioning. 
+ # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + # Access to volumeattachments is only needed when the CSI driver + # has the PUBLISH_UNPUBLISH_VOLUME controller capability. + # In that case, external-provisioner will watch volumeattachments + # to determine when it is safe to delete a volume. + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch"] # END AUTOGENERATED RULES -# Extra rule: VAC rules not present in upstream example -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattributesclasses"] - verbs: ["get"] + # Extra rule: VAC rules not present in upstream example + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattributesclasses"] + verbs: ["get"] --- # Source: aws-ebs-csi-driver/templates/clusterrole-resizer.yaml kind: ClusterRole 
@@ -167,30 +167,30 @@ metadata: # Do not modify the rules below manually, see `make update-sidecar-dependencies` # BEGIN AUTOGENERATED RULES rules: -# The following rule should be uncommented for plugins that require secrets -# for provisioning. -# - apiGroups: [""] -# resources: ["secrets"] -# verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["patch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -# only required if enabling the alpha volume modify feature -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattributesclasses"] - verbs: ["get", "list", "watch"] + # The following rule should be uncommented for plugins that require secrets + # for provisioning. + # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # only required if enabling the alpha volume modify feature + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattributesclasses"] + verbs: ["get", "list", "watch"] # END AUTOGENERATED RULES --- # Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml 
@@ -206,37 +206,37 @@ metadata: # Do not modify the rules below manually, see `make update-sidecar-dependencies` # BEGIN AUTOGENERATED RULES rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -# Secret permission is optional. -# Enable it if your driver needs secret. -# For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. -# See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. -# - apiGroups: [""] -# resources: ["secrets"] -# verbs: ["get", "list"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update", "patch", "create"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list", "watch", "update", "patch", "create"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update", "patch"] -- apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents"] - verbs: ["get", "list", "watch", "update", "patch"] -- apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents/status"] - verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # Secret permission is optional. + # Enable it if your driver needs secret. + # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. + # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. 
+ # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotcontents"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotcontents/status"] + verbs: ["update", "patch"] # END AUTOGENERATED RULES --- # Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml @@ -250,9 +250,9 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system roleRef: kind: ClusterRole name: ebs-external-attacher-role @@ -269,9 +269,9 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver subjects: -- kind: ServiceAccount - name: ebs-csi-node-sa - namespace: kube-system + - kind: ServiceAccount + name: ebs-csi-node-sa + namespace: kube-system roleRef: kind: ClusterRole name: ebs-csi-node-role 
@@ -288,9 +288,9 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system roleRef: kind: ClusterRole name: ebs-external-provisioner-role @@ -307,9 +307,9 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system roleRef: kind: ClusterRole name: ebs-external-resizer-role @@ -326,9 +326,9 @@ metadata: app.kubernetes.io/version: {{ .Version }} app.kubernetes.io/component: csi-driver subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system roleRef: kind: ClusterRole name: ebs-external-snapshotter-role @@ -382,9 +382,9 @@ spec: selector: app: ebs-csi-controller ports: - - name: metrics - port: 3301 - targetPort: 3301 + - name: metrics + port: 3301 + targetPort: 3301 type: ClusterIP --- # Source: aws-ebs-csi-driver/templates/node.yaml @@ -451,7 +451,7 @@ spec: terminationGracePeriodSeconds: 30 priorityClassName: system-node-critical tolerations: - - operator: Exists + - operator: Exists hostNetwork: {{ .HostNetwork }} securityContext: fsGroup: 0 
@@ -459,153 +459,160 @@ spec: runAsNonRoot: false runAsUser: 0 containers: - - name: ebs-plugin - image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:{{ .Version }} - imagePullPolicy: IfNotPresent - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ - {{- if .VolumeAttachLimit }} - - --volume-attach-limit={{ .VolumeAttachLimit }} - {{- end }} - - --logging-format=text - - --v=2 - env: - {{- if IsIPv6Only }} - - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE - value: IPv6 - {{- end }} - - name: AWS_REGION - value: {{ Region }} - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: + - name: ebs-plugin + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }} + imagePullPolicy: IfNotPresent + args: + - node + - --endpoint=$(CSI_ENDPOINT) + - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ + {{- if .VolumeAttachLimit }} + - --volume-attach-limit={{ .VolumeAttachLimit }} + {{- end }} + - --logging-format=text + - --v=5 + env: + {{- if IsIPv6Only }} + - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE + value: IPv6 + {{- end }} + - name: AWS_REGION + value: {{ Region }} + - name: CSI_ENDPOINT + value: unix:/csi/csi.sock + - name: CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: plugin-dir + mountPath: /csi + - name: device-dir + mountPath: /dev +{{ if KopsFeatureEnabled "SELinuxMount" }} + - name: etc-selinux + mountPath: /etc/selinux + - name: sys-fs + mountPath: /sys/fs +{{ end }} + ports: + - name: healthz + containerPort: 9808 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + 
path: /healthz + port: healthz + timeoutSeconds: 3 + periodSeconds: 5 + failureThreshold: 3 + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + privileged: true + readOnlyRootFilesystem: true + lifecycle: + preStop: + exec: + command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"] + - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.14.0 + imagePullPolicy: IfNotPresent + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=5 + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock + livenessProbe: + exec: + command: + - /csi-node-driver-registrar + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --mode=kubelet-registration-probe + initialDelaySeconds: 30 + periodSeconds: 90 + timeoutSeconds: 15 + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + - name: probe-dir + mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0 + imagePullPolicy: IfNotPresent + args: + - --csi-address=/csi/csi.sock + volumeMounts: + - name: plugin-dir + mountPath: /csi + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumes: - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" + hostPath: + path: /var/lib/kubelet + type: Directory - name: plugin-dir - mountPath: /csi + hostPath: + path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: 
/var/lib/kubelet/plugins_registry/ + type: Directory - name: device-dir - mountPath: /dev + hostPath: + path: /dev + type: Directory {{ if KopsFeatureEnabled "SELinuxMount" }} - name: etc-selinux - mountPath: /etc/selinux + hostPath: + path: /etc/selinux + type: DirectoryOrCreate - name: sys-fs - mountPath: /sys/fs + hostPath: + path: /sys/fs + type: Directory {{ end }} - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - privileged: true - readOnlyRootFilesystem: true - lifecycle: - preStop: - exec: - command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"] - - name: node-driver-registrar - image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.12.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=2 - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - livenessProbe: - exec: - command: - - /csi-node-driver-registrar - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --mode=kubelet-registration-probe - initialDelaySeconds: 30 - periodSeconds: 90 - timeoutSeconds: 15 - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - name: probe-dir - mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - - name: liveness-probe - image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.14.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: 
plugin-dir - mountPath: /csi - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumes: - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory -{{ if KopsFeatureEnabled "SELinuxMount" }} - - name: etc-selinux - hostPath: - path: /etc/selinux - type: DirectoryOrCreate - - name: sys-fs - hostPath: - path: /sys/fs - type: Directory -{{ end }} - - name: probe-dir - emptyDir: {} + emptyDir: {} --- # Source: aws-ebs-csi-driver/templates/controller.yaml # Controller Service @@ -714,11 +721,11 @@ spec: - operator: Exists {{ else }} tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - tolerationSeconds: 300 + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + tolerationSeconds: 300 {{ end }} securityContext: fsGroup: 1000 
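Review bot: In the node DaemonSet hunk (`@@ -459`) the ebs-plugin and node-driver-registrar verbosity goes from `--v=2` to `--v=5`, and every image moves from `public.ecr.aws/...` to `registry.k8s.io/...` with new sidecar versions; neither change is mentioned in the commit message, which only describes a version bump. Verbosity 5 on a privileged DaemonSet running on every node materially increases log volume, so if it is intentional (it matches the controller, which was already at `--v=5`) it deserves a line in the description, otherwise keep `- --v=2`. The registry switch changes where clusters pull these images from, which matters for environments that mirror or allow-list registries; the same switch appears in the controller Deployment hunk (`@@ -726`), so one note in the description covers both. The added readinessProbe and the unchanged readOnlyRootFilesystem / allowPrivilegeEscalation settings look fine.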
@@ -726,261 +733,266 @@ spec: runAsNonRoot: true runAsUser: 1000 containers: - - name: ebs-plugin - image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:{{ .Version }} - imagePullPolicy: IfNotPresent - args: - - controller - - --endpoint=$(CSI_ENDPOINT) - - --k8s-tag-cluster-id={{ ClusterName }} - - "--extra-tags={{ CloudLabels }}" - - --http-endpoint=0.0.0.0:3301 - - --batching=true - - --logging-format=text - - --v=5 - env: - {{- if IsIPv6Only }} - - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE - value: IPv6 - {{- end }} - - name: AWS_REGION - value: {{ Region }} - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-secret - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-secret - key: access_key - optional: true - - name: AWS_EC2_ENDPOINT - valueFrom: - configMapKeyRef: - name: aws-meta - key: endpoint - optional: true - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - - name: metrics - containerPort: 3301 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - - name: csi-provisioner - image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.1.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - 
--feature-gates=Topology=true - - --extra-create-metadata - - --leader-election=true - - --default-fstype=ext4 - - --kube-api-qps={{ or .KubeAPIQPS "20" }} - - --kube-api-burst={{ or .KubeAPIBurst "100" }} - - --worker-threads=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - - name: csi-attacher - image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.7.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=5m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - {{ if HasSnapshotController }} - - name: csi-snapshotter - image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v8.1.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --csi-address=$(ADDRESS) - - --leader-election=true - - --v=5 - - --extra-create-metadata - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: 
false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - {{ end }} - - name: volumemodifier - image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.5.0 - imagePullPolicy: IfNotPresent - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - - name: csi-resizer - image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.12.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --handle-volume-inuse-error=false - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --workers=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - - name: liveness-probe - image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.14.0-eks-1-32-1 - imagePullPolicy: IfNotPresent - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + - name: ebs-plugin + image: 
registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }} + imagePullPolicy: IfNotPresent + args: + - controller + - --endpoint=$(CSI_ENDPOINT) + - --k8s-tag-cluster-id={{ ClusterName }} + - "--extra-tags={{ CloudLabels }}" + - --http-endpoint=0.0.0.0:3301 + - --batching=true + - --logging-format=text + - --v=5 + env: + {{- if IsIPv6Only }} + - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE + value: IPv6 + {{- end }} + - name: AWS_REGION + value: {{ Region }} + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + - name: CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: aws-secret + key: key_id + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: aws-secret + key: access_key + optional: true + - name: AWS_EC2_ENDPOINT + valueFrom: + configMapKeyRef: + name: aws-meta + key: endpoint + optional: true + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + ports: + - name: healthz + containerPort: 9808 + protocol: TCP + - name: metrics + containerPort: 3301 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 5 + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + - name: csi-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 + imagePullPolicy: IfNotPresent + args: + - --timeout=60s + - --csi-address=$(ADDRESS) + - --v=5 + - --feature-gates=Topology=true + - --extra-create-metadata + - --leader-election=true + - --default-fstype=ext4 + - --kube-api-qps={{ or .KubeAPIQPS 
"20" }} + - --kube-api-burst={{ or .KubeAPIBurst "100" }} + - --worker-threads=100 + - --retry-interval-max=30m + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + - name: csi-attacher + image: registry.k8s.io/sig-storage/csi-attacher:v4.9.0 + imagePullPolicy: IfNotPresent + args: + - --timeout=6m + - --csi-address=$(ADDRESS) + - --v=5 + - --leader-election=true + - --kube-api-qps=20 + - --kube-api-burst=100 + - --worker-threads=100 + - --retry-interval-max=5m + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + {{ if HasSnapshotController }} + - name: csi-snapshotter + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.3.0 + imagePullPolicy: IfNotPresent + args: + - --csi-address=$(ADDRESS) + - --leader-election=true + - --v=5 + - --extra-create-metadata + - --kube-api-qps=20 + - --kube-api-burst=100 + - --worker-threads=100 + - --retry-interval-max=30m + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + {{ end }} + {{ if IsKubernetesLT "1.31.0" }} + # volume-modifier-for-k8s is no longer needed starting with Kubernetes 1.31. 
+ # https://github.com/awslabs/volume-modifier-for-k8s/issues/46 + - name: volumemodifier + image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.7.0 + imagePullPolicy: IfNotPresent + args: + - --timeout=60s + - --csi-address=$(ADDRESS) + - --v=5 + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + {{ end }} + - name: csi-resizer + image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 + imagePullPolicy: IfNotPresent + args: + - --timeout=60s + - --extra-modify-metadata + - --csi-address=$(ADDRESS) + - --v=5 + - --handle-volume-inuse-error=false + - --leader-election=true + - --kube-api-qps=20 + - --kube-api-burst=100 + - --workers=100 + - --retry-interval-max=30m + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0 + imagePullPolicy: IfNotPresent + args: + - --csi-address=/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumes: - - name: socket-dir - emptyDir: {} + - name: socket-dir + emptyDir: {} --- # 
Source: aws-ebs-csi-driver/templates/csidriver.yaml apiVersion: storage.k8s.io/v1
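Review bot: The controller hunk (`@@ -726`) changes the csi-attacher from `--timeout=60s` to `--timeout=6m`, wraps the `volumemodifier` sidecar in `{{ if IsKubernetesLT "1.31.0" }}`, and adds `--extra-modify-metadata` to csi-resizer v1.14.0, none of which the commit message describes. The gating looks right given the in-hunk comment that volume-modifier-for-k8s is no longer needed from 1.31, but on an in-place upgrade across 1.31 the old volumemodifier container simply disappears, so the description should state the expected behaviour for PVCs with an in-flight VolumeAttributesClass change and confirm the resizer takes over that role. The attacher timeout is presumably the upstream chart default for this version; since it is six times the other sidecars' `--timeout=60s`, a brief justification in the description would save the next reader from wondering whether it was a typo.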