kops/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k.../k8s-1.17.yaml.template


#helm template aws-ebs-csi-driver aws-ebs-csi-driver/aws-ebs-csi-driver -n kube-system \
# --set controller.volumeModificationFeature.enabled=true \
# --set sidecars.snapshotter.forceEnable=true \
# --set controller.enableMetrics=true \
# --no-hooks | grep -vi helm
{{ with .CloudProvider.AWS.EBSCSIDriver }}
---
# Source: aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
# Limits voluntary evictions (drains, rolling node upgrades) of the controller
# pods matched by the selector below to one pod at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: ebs-csi-controller
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
spec:
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/name: aws-ebs-csi-driver
      app.kubernetes.io/instance: aws-ebs-csi-driver
  maxUnavailable: 1
---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
# Identity of the controller Deployment. The bindings in this file attach the
# attacher, provisioner, resizer and snapshotter ClusterRoles and the
# kube-system leases Role to this one account, so every container in the
# controller pod holds the union of those permissions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-controller-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# The API token is mounted into every pod that uses this account.
automountServiceAccountToken: true
---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
# Identity of the ebs-csi-node DaemonSet. It is bound to ebs-csi-node-role by
# ebs-csi-node-getter-binding, and its token is present on every node that
# runs the DaemonSet.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-node-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# The API token is mounted into every pod that uses this account.
automountServiceAccountToken: true
---
# Source: aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
# Cluster-wide permissions for the csi-attacher sidecar: read access to
# PersistentVolumes, CSINodes and VolumeAttachments, plus patch on
# PersistentVolumes, VolumeAttachments and VolumeAttachment status. No rule in
# this role touches Secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-attacher-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# Do not modify the rules below manually, see `make update-sidecar-dependencies`
# BEGIN AUTOGENERATED RULES
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
# END AUTOGENERATED RULES
---
# Source: aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml
# Permissions held by the node DaemonSet's service account on every node.
# The nodes rule includes patch and carries no resourceNames, so the token
# can patch any Node object in the cluster, not only the node the pod runs
# on (RBAC alone cannot express "own node only").
# NOTE(review): if that scope matters, constrain it with an admission policy
# rather than by editing this role.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-node-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "patch", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
# Cluster-wide permissions for the csi-provisioner sidecar. It can create,
# patch and delete PersistentVolumes and update PersistentVolumeClaims in any
# namespace. The Secrets rule is left commented out, so this role grants no
# access to Secrets; keep it that way unless a StorageClass needs provisioning
# secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-provisioner-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# Do not modify the rules below manually, see `make update-sidecar-dependencies`
# BEGIN AUTOGENERATED RULES
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Access to volumeattachments is only needed when the CSI driver
  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
  # In that case, external-provisioner will watch volumeattachments
  # to determine when it is safe to delete a volume.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]
  # END AUTOGENERATED RULES
  # Extra rule: VAC rules not present in upstream example
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattributesclasses"]
    verbs: ["get"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
# Cluster-wide permissions for the csi-resizer sidecar. Besides volume
# objects it can read Pods in every namespace (get/list/watch). The Secrets
# rule is left commented out, so this role grants no access to Secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-resizer-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# Do not modify the rules below manually, see `make update-sidecar-dependencies`
# BEGIN AUTOGENERATED RULES
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # only required if enabling the alpha volume modify feature
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattributesclasses"]
    verbs: ["get", "list", "watch"]
# END AUTOGENERATED RULES
---
# Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
# Cluster-wide permissions for the csi-snapshotter sidecar. The Secrets rule
# is left commented out, so this role grants no access to Secrets.
# NOTE(review): this role and its binding are rendered unconditionally, while
# the csi-snapshotter container in the controller Deployment is rendered only
# when HasSnapshotController is true. On clusters without the snapshot
# controller the grant is unused; consider gating it on the same condition.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-snapshotter-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
# Do not modify the rules below manually, see `make update-sidecar-dependencies`
# BEGIN AUTOGENERATED RULES
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Secret permission is optional.
  # Enable it if your driver needs secret.
  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]
# END AUTOGENERATED RULES
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml
# Grants ebs-external-attacher-role cluster-wide to the controller's service
# account in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-attacher-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-attacher-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml
# Grants ebs-csi-node-role cluster-wide to the node DaemonSet's service
# account. Despite the "getter" in the binding name, the bound role also
# allows patch on nodes.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-node-getter-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-node-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-csi-node-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
# Grants ebs-external-provisioner-role cluster-wide to the controller's
# service account in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-provisioner-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
# Grants ebs-external-resizer-role cluster-wide to the controller's service
# account in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-resizer-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-resizer-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
# Grants ebs-external-snapshotter-role cluster-wide to the controller's
# service account in kube-system.
# NOTE(review): rendered even when the csi-snapshotter container is not (that
# container is gated on HasSnapshotController in the controller Deployment).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshotter-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-snapshotter-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/role-leases.yaml
# Namespaced Role for the Lease objects used by the sidecars that run with
# --leader-election=true. The rule has no resourceNames, so it covers every
# Lease in kube-system (including delete and update), not only the leases
# this driver creates.
# NOTE(review): narrowing to the driver's own lease names would tighten this,
# but create cannot be restricted by resourceNames.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: ebs-csi-leases-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: aws-ebs-csi-driver/templates/rolebinding-leases.yaml
# Grants ebs-csi-leases-role to the controller's service account. Both the
# Role and this binding are namespaced, so the grant is limited to
# kube-system.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-leases-rolebinding
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: Role
  name: ebs-csi-leases-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/metrics.yaml
# In-cluster (ClusterIP) Service in front of the controller's metrics port
# 3301, which the ebs-plugin container opens with --http-endpoint=0.0.0.0:3301.
# Nothing in this file configures authentication or TLS for that endpoint, and
# no NetworkPolicy is defined here.
# NOTE(review): confirm which workloads are meant to reach it.
apiVersion: v1
kind: Service
metadata:
  name: ebs-csi-controller
  namespace: kube-system
  labels:
    app: ebs-csi-controller
spec:
  selector:
    app: ebs-csi-controller
  ports:
    - name: metrics
      port: 3301
      targetPort: 3301
  type: ClusterIP
---
# Source: aws-ebs-csi-driver/templates/node.yaml
# Node plugin, scheduled onto Linux nodes that pass the affinity rules below.
# This is the most privileged workload in the file: the pod runs as UID/GID 0,
# the ebs-plugin container is privileged, and /var/lib/kubelet, /dev and the
# kubelet plugin directories are mounted from the host. Review changes to this
# manifest, and to the images it pulls, as host-root changes.
# Images are referenced by tag, not by digest.
# NOTE(review): confirm whether the deployment pipeline pins or verifies
# digests for these images.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ebs-csi-node
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ebs-csi-node
      app.kubernetes.io/name: aws-ebs-csi-driver
      app.kubernetes.io/instance: aws-ebs-csi-driver
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 10%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ebs-csi-node
        app.kubernetes.io/name: aws-ebs-csi-driver
        app.kubernetes.io/instance: aws-ebs-csi-driver
        app.kubernetes.io/version: {{ .Version }}
        app.kubernetes.io/component: csi-driver
      # Annotation values are placed between double quotes without escaping.
      # NOTE(review): a value containing a double quote or backslash would
      # change the rendered YAML; confirm PodAnnotations is validated before
      # it reaches this template.
      annotations:
      {{- range $key, $value := .PodAnnotations }}
        {{ $key }}: "{{ $value }}"
      {{- end }}
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  {{- if not .HostNetwork }}
                  - key: topology.kubernetes.io/zone
                    operator: Exists
                  {{- end }}
                  - key: eks.amazonaws.com/compute-type
                    operator: NotIn
                    values:
                      - fargate
                      - auto
                      - hybrid
                  - key: node.kubernetes.io/instance-type
                    operator: NotIn
                    values:
                      - a1.medium
                      - a1.large
                      - a1.xlarge
                      - a1.2xlarge
                      - a1.4xlarge
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ebs-csi-node-sa
      terminationGracePeriodSeconds: 30
      priorityClassName: system-node-critical
      # Tolerates every taint, so the pod also lands on tainted nodes such as
      # control-plane nodes.
      tolerations:
        - operator: Exists
      hostNetwork: {{ .HostNetwork }}
      # Pod-level default: every container below runs as root unless it
      # overrides this, and none of them does.
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
      containers:
        - name: ebs-plugin
          image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }}
          imagePullPolicy: IfNotPresent
          args:
            - node
            - --endpoint=$(CSI_ENDPOINT)
            - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/
            {{- if .VolumeAttachLimit }}
            - --volume-attach-limit={{ .VolumeAttachLimit }}
            {{- end }}
            - --logging-format=text
            # High log verbosity.
            # NOTE(review): confirm no sensitive request data is written to
            # logs at this level.
            - --v=5
          env:
            {{- if IsIPv6Only }}
            - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
              value: IPv6
            {{- end }}
            - name: AWS_REGION
              value: {{ Region }}
            - name: CSI_ENDPOINT
              value: unix:/csi/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            # Bidirectional propagation: mounts made inside this container
            # under /var/lib/kubelet become visible on the host.
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            # The host's /dev is exposed to the container.
            - name: device-dir
              mountPath: /dev
            {{ if KopsFeatureEnabled "SELinuxMount" }}
            - name: etc-selinux
              mountPath: /etc/selinux
            - name: sys-fs
              mountPath: /sys/fs
            {{ end }}
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: healthz
            timeoutSeconds: 3
            periodSeconds: 5
            failureThreshold: 3
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          # privileged: true removes container isolation for this process;
          # only the root filesystem is kept read-only.
          securityContext:
            privileged: true
            readOnlyRootFilesystem: true
          lifecycle:
            preStop:
              exec:
                command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"]
        - name: node-driver-registrar
          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.14.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=5
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
          livenessProbe:
            exec:
              command:
                - /csi-node-driver-registrar
                - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
                - --mode=kubelet-registration-probe
            initialDelaySeconds: 30
            periodSeconds: 90
            timeoutSeconds: 15
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
            - name: probe-dir
              mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          # Not privileged, but still UID 0 through the pod-level
          # securityContext, and no seccompProfile is set here.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          # Not privileged, but still UID 0 through the pod-level
          # securityContext, and no seccompProfile is set here.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      # Host paths shared with the containers above. Every entry except
      # probe-dir maps a directory of the node's own filesystem.
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: device-dir
          hostPath:
            path: /dev
            type: Directory
        {{ if KopsFeatureEnabled "SELinuxMount" }}
        - name: etc-selinux
          hostPath:
            path: /etc/selinux
            type: DirectoryOrCreate
        - name: sys-fs
          hostPath:
            path: /sys/fs
            type: Directory
        {{ end }}
        - name: probe-dir
          emptyDir: {}
---
# Source: aws-ebs-csi-driver/templates/controller.yaml
# Controller Service
# Runs the EBS CSI controller and its sidecars as non-root (UID/GID 1000) with
# read-only root filesystems. All containers share ebs-csi-controller-sa and
# talk to the driver over a unix socket in the socket-dir emptyDir.
# Images are referenced by tag, not by digest.
# NOTE(review): confirm whether the deployment pipeline pins or verifies
# digests for these images.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ebs-csi-controller
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
spec:
  replicas: {{ ControlPlaneControllerReplicas true }}
  revisionHistoryLimit: 10
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/name: aws-ebs-csi-driver
      app.kubernetes.io/instance: aws-ebs-csi-driver
  template:
    metadata:
      labels:
        app: ebs-csi-controller
        app.kubernetes.io/name: aws-ebs-csi-driver
        app.kubernetes.io/instance: aws-ebs-csi-driver
        app.kubernetes.io/version: {{ .Version }}
        app.kubernetes.io/component: csi-driver
      # Annotation values are placed between double quotes without escaping.
      # NOTE(review): a value containing a double quote or backslash would
      # change the rendered YAML; confirm PodAnnotations is validated before
      # it reaches this template.
      annotations:
      {{- range $key, $value := .PodAnnotations }}
        {{ $key }}: "{{ $value }}"
      {{- end }}
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ebs-csi-controller-sa
      priorityClassName: system-cluster-critical
      affinity:
        nodeAffinity:
          # Unless external service-account permissions are in use, the pod
          # is pinned to nodes carrying a control-plane (or legacy master)
          # role label.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  {{ if not UseServiceAccountExternalPermissions }}
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
                  {{ end }}
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
              - matchExpressions:
                  {{ if not UseServiceAccountExternalPermissions }}
                  - key: node-role.kubernetes.io/master
                    operator: Exists
                  {{ end }}
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: eks.amazonaws.com/compute-type
                    operator: NotIn
                    values:
                      - fargate
                      - auto
                      - hybrid
              weight: 1
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - ebs-csi-controller
                topologyKey: kubernetes.io/hostname
              weight: 100
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: "topology.kubernetes.io/zone"
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: ebs-csi-controller
              app.kubernetes.io/name: aws-ebs-csi-driver
              app.kubernetes.io/instance: aws-ebs-csi-driver
        - maxSkew: 1
          topologyKey: "kubernetes.io/hostname"
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: ebs-csi-controller
              app.kubernetes.io/name: aws-ebs-csi-driver
              app.kubernetes.io/instance: aws-ebs-csi-driver
      # Without external service-account permissions the pod joins the host
      # network namespace and tolerates every taint. Together with
      # --http-endpoint=0.0.0.0:3301 on ebs-plugin, the metrics listener is
      # then bound on the control-plane node's own interfaces rather than on
      # a pod IP; restrict port 3301 at the node firewall or security group
      # if metrics should stay internal.
      {{ if not UseServiceAccountExternalPermissions }}
      hostNetwork: true
      tolerations:
        - operator: Exists
      {{ else }}
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
          tolerationSeconds: 300
      {{ end }}
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      containers:
        - name: ebs-plugin
          image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }}
          imagePullPolicy: IfNotPresent
          args:
            - controller
            - --endpoint=$(CSI_ENDPOINT)
            - --k8s-tag-cluster-id={{ ClusterName }}
            - "--extra-tags={{ CloudLabels }}"
            # Listens on all addresses; no authentication or TLS option for
            # this endpoint is set in this file.
            - --http-endpoint=0.0.0.0:3301
            - --batching=true
            - --logging-format=text
            # High log verbosity.
            # NOTE(review): confirm no sensitive request data is written to
            # logs at this level.
            - --v=5
          env:
            {{- if IsIPv6Only }}
            - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
              value: IPv6
            {{- end }}
            - name: AWS_REGION
              value: {{ Region }}
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Optional static AWS credentials from Secret aws-secret; with
            # optional: true the variables are left unset when the Secret or
            # key is missing.
            # NOTE(review): long-lived access keys are harder to rotate and
            # scope than role-based credentials; confirm aws-secret exists
            # only where that is intended.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: aws-secret
                  key: key_id
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: aws-secret
                  key: access_key
                  optional: true
            # Optional EC2 endpoint override from ConfigMap aws-meta. Whoever
            # can write that ConfigMap in kube-system decides where the
            # controller sends its EC2 API calls; keep write access narrow.
            - name: AWS_EC2_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: aws-meta
                  key: endpoint
                  optional: true
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
            - name: metrics
              containerPort: 3301
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        - name: csi-provisioner
          image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0
          imagePullPolicy: IfNotPresent
          args:
            - --timeout=60s
            - --csi-address=$(ADDRESS)
            - --v=5
            - --feature-gates=Topology=true
            - --extra-create-metadata
            - --leader-election=true
            - --default-fstype=ext4
            - --kube-api-qps={{ or .KubeAPIQPS "20" }}
            - --kube-api-burst={{ or .KubeAPIBurst "100" }}
            - --worker-threads=100
            - --retry-interval-max=30m
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        - name: csi-attacher
          image: registry.k8s.io/sig-storage/csi-attacher:v4.9.0
          imagePullPolicy: IfNotPresent
          args:
            - --timeout=6m
            - --csi-address=$(ADDRESS)
            - --v=5
            - --leader-election=true
            - --kube-api-qps=20
            - --kube-api-burst=100
            - --worker-threads=100
            - --retry-interval-max=5m
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        {{ if HasSnapshotController }}
        - name: csi-snapshotter
          image: registry.k8s.io/sig-storage/csi-snapshotter:v8.3.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --leader-election=true
            - --v=5
            - --extra-create-metadata
            - --kube-api-qps=20
            - --kube-api-burst=100
            - --worker-threads=100
            - --retry-interval-max=30m
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        {{ end }}
        {{ if IsKubernetesLT "1.31.0" }}
        # volume-modifier-for-k8s is no longer needed starting with Kubernetes 1.31.
        # https://github.com/awslabs/volume-modifier-for-k8s/issues/46
        # This is the only image in the file pulled from public.ecr.aws
        # instead of registry.k8s.io; registry allow-lists need both.
        - name: volumemodifier
          image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.7.0
          imagePullPolicy: IfNotPresent
          args:
            - --timeout=60s
            - --csi-address=$(ADDRESS)
            - --v=5
            - --leader-election=true
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        {{ end }}
        - name: csi-resizer
          image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0
          imagePullPolicy: IfNotPresent
          args:
            - --timeout=60s
            - --extra-modify-metadata
            - --csi-address=$(ADDRESS)
            - --v=5
            - --handle-volume-inuse-error=false
            - --leader-election=true
            - --kube-api-qps=20
            - --kube-api-burst=100
            - --workers=100
            - --retry-interval-max=30m
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        - name: liveness-probe
          image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 40Mi
          # NOTE(review): unlike every other container in this pod, this one
          # sets no seccompProfile, and the pod-level securityContext does not
          # set one either. Consider adding type RuntimeDefault here for
          # consistency.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      volumes:
        - name: socket-dir
          emptyDir: {}
---
# Source: aws-ebs-csi-driver/templates/csidriver.yaml
# Registers the ebs.csi.aws.com driver with the cluster. fsGroupPolicy is
# left unset below, so the API server's default policy applies.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: ebs.csi.aws.com
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/version: {{ .Version }}
    app.kubernetes.io/component: csi-driver
spec:
  attachRequired: true
  podInfoOnMount: false
  # Disabled because the field is immutable and kOps doesn't have a way to delete and recreate the resource
  # fsGroupPolicy: File
  # The same SELinuxMount feature flag also adds the /etc/selinux and /sys/fs
  # host mounts to the node DaemonSet in this file; the two must stay in step.
  {{ if KopsFeatureEnabled "SELinuxMount" }}
  seLinuxMount: true
  {{ end }}
{{ end }}