diff --git a/.travis.yml b/.travis.yml index b4da8be1d6..5c9344f46e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,3 +15,4 @@ script: - make - go test -covermode=count -coverprofile=profile.cov ./pkg/... - $GOPATH/bin/goveralls -coverprofile=profile.cov -service=travis-ci + - make kubeval diff --git a/Makefile b/Makefile index e36144961d..7b00f8e299 100644 --- a/Makefile +++ b/Makefile @@ -25,25 +25,43 @@ GOBIN=$(shell pwd)/bin .EXPORT_ALL_VARIABLES: -bin/aws-ebs-csi-driver: - mkdir -p bin +bin/aws-ebs-csi-driver: | bin CGO_ENABLED=0 GOOS=linux go build -ldflags ${LDFLAGS} -o bin/aws-ebs-csi-driver ./cmd/ -bin/mockgen: +bin /tmp/helm /tmp/kubeval: + @mkdir -p $@ + +bin/helm: | /tmp/helm bin + @curl -o /tmp/helm/helm.tar.gz -sSL https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz + @tar -zxf /tmp/helm/helm.tar.gz -C bin --strip-components=1 + @rm -rf /tmp/helm/* + +bin/kubeval: | /tmp/kubeval bin + @curl -o /tmp/kubeval/kubeval.tar.gz -sSL https://github.com/instrumenta/kubeval/releases/download/0.15.0/kubeval-linux-amd64.tar.gz + @tar -zxf /tmp/kubeval/kubeval.tar.gz -C bin kubeval + @rm -rf /tmp/kubeval/* + +bin/mockgen: | bin go get github.com/golang/mock/mockgen@latest -bin/golangci-lint: +bin/golangci-lint: | bin echo "Installing golangci-lint..." curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s v1.21.0 +.PHONY: kubeval +kubeval: bin/kubeval + bin/kubeval -d deploy/kubernetes/base,deploy/kubernetes/cluster,deploy/kubernetes/overlays -i kustomization.yaml,crd_.+\.yaml,controller_add + mockgen: bin/mockgen ./hack/update-gomock +.PHONY: verify verify: bin/golangci-lint echo "Running golangci-lint..." ./bin/golangci-lint run --deadline=10m echo "Congratulations! All Go source files have been linted." +.PHONY: test test: go test -v -race ./cmd/... ./pkg/... 
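Review bot: The new `bin/helm` and `bin/kubeval` recipes unpack whatever curl returns straight into `bin/` with no integrity check, and `.travis.yml` now runs the downloaded kubeval binary in CI through `make kubeval`. Pin the expected digest next to each version and verify it before extracting, e.g. `@echo "<EXPECTED_SHA256>  /tmp/helm/helm.tar.gz" | sha256sum -c -` (placeholder digest, to be taken from the release's published checksum), and add `-f` to curl so an HTTP error fails the recipe instead of saving an error page. The fixed `/tmp/helm` and `/tmp/kubeval` paths are predictable and shared on multi-user build hosts; a directory inside the work tree or one from `mktemp -d` avoids that. Visible in the same hunk but not introduced by it, `bin/golangci-lint` still pipes `install.sh` from `master` into `sh`.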
@@ -52,7 +70,7 @@ test-sanity: #go test -v ./tests/sanity/... echo "succeed" -bin/k8s-e2e-tester: +bin/k8s-e2e-tester: | bin go get github.com/aws/aws-k8s-tester/e2e/tester/cmd/k8s-e2e-tester@master .PHONY: test-e2e-single-az 
@@ -84,3 +102,24 @@ push-release: .PHONY: push push: docker push $(IMAGE):latest + +.PHONY: generate-kustomize +generate-kustomize: bin/helm + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrole-attacher.yaml > ../deploy/kubernetes/base/clusterrole-attacher.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrole-provisioner.yaml > ../deploy/kubernetes/base/clusterrole-provisioner.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrolebinding-attacher.yaml > ../deploy/kubernetes/base/clusterrolebinding-attacher.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrolebinding-provisioner.yaml > ../deploy/kubernetes/base/clusterrolebinding-provisioner.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/controller.yaml -f ../deploy/kubernetes/values/controller.yaml > ../deploy/kubernetes/base/controller.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/csidriver.yaml > ../deploy/kubernetes/base/csidriver.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/node.yaml -f ../deploy/kubernetes/values/controller.yaml > ../deploy/kubernetes/base/node.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/serviceaccount-csi-controller.yaml > ../deploy/kubernetes/base/serviceaccount-csi-controller.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrole-resizer.yaml -f ../deploy/kubernetes/values/resizer.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrole.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrole-snapshot-controller.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrole.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . 
-s templates/clusterrole-snapshotter.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrole.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrolebinding-resizer.yaml -f ../deploy/kubernetes/values/resizer.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrolebinding.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrolebinding-snapshot-controller.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrolebinding.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/clusterrolebinding-snapshotter.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrolebinding.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/role-snapshot-controller-leaderelection.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_role.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/rolebinding-snapshot-controller-leaderelection.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_rolebinding.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/serviceaccount-snapshot-controller.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/serviceaccount-snapshot-controller.yaml + cd aws-ebs-csi-driver && ../bin/helm template kustomize . -s templates/statefulset.yaml -f ../deploy/kubernetes/values/snapshotter.yaml > ../deploy/kubernetes/overlays/alpha/snapshot_controller.yaml diff --git a/aws-ebs-csi-driver/Chart.yaml b/aws-ebs-csi-driver/Chart.yaml index df6d0fcbdc..dad30d53f9 100644 
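Review bot: Each `generate-kustomize` recipe line redirects `helm template` straight onto a committed manifest, so a failed render leaves that file truncated (the shell opens the `>` target before helm runs), and several of these outputs are RBAC objects. Rendering to a temporary file and moving it into place only on success, e.g. `… > $@.tmp && mv $@.tmp $@` in a per-file rule, avoids that and would also collapse the repeated lines. Separately, `templates/node.yaml` is rendered with `-f ../deploy/kubernetes/values/controller.yaml`; if that is not intentional, it looks like a copy of the controller line.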
--- a/aws-ebs-csi-driver/Chart.yaml +++ b/aws-ebs-csi-driver/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "0.5.0" name: aws-ebs-csi-driver description: A Helm chart for AWS EBS CSI Driver -version: 0.3.0 +version: 0.4.0 kubeVersion: ">=1.13.0-0" home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver sources: diff --git a/aws-ebs-csi-driver/templates/_helpers.tpl b/aws-ebs-csi-driver/templates/_helpers.tpl index 7fa13305ae..fdc77c4ec8 100644 --- a/aws-ebs-csi-driver/templates/_helpers.tpl +++ b/aws-ebs-csi-driver/templates/_helpers.tpl @@ -35,13 +35,24 @@ Create chart name and version as used by the chart label. Common labels */}} {{- define "aws-ebs-csi-driver.labels" -}} -app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} +{{ include "aws-ebs-csi-driver.selectorLabels" . }} +{{- if ne .Release.Name "kustomize" }} helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} +{{- end -}} + +{{/* +Common selector labels +*/}} +{{- define "aws-ebs-csi-driver.selectorLabels" -}} +app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} +{{- if ne .Release.Name "kustomize" }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} {{- end -}} {{/* @@ -53,6 +64,6 @@ Convert the `--extra-volume-tags` command line arg from a map. {{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}} {{- end -}} {{- if gt (len $result.pairs) 0 -}} -- --extra-volume-tags={{- join "," $result.pairs -}} +{{- printf "%s=%s" "- --extra-volume-tags" (join "," $result.pairs) -}} {{- end -}} {{- end -}} diff --git a/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml new file mode 100644 index 0000000000..0b9672479b --- /dev/null 
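Review bot: The literal release name `kustomize` is used as a mode switch in `aws-ebs-csi-driver.labels` and `aws-ebs-csi-driver.selectorLabels`, so anyone who installs the chart under that release name silently loses the `app.kubernetes.io/instance`, `helm.sh/chart` and `app.kubernetes.io/managed-by` labels. The same test reappears in templates/controller.yaml, where it also replaces the `controller` argument with a comment, and in templates/serviceaccount-csi-controller.yaml. An explicit values flag would make the intent visible and keep release names free of side effects. At minimum the helper comment should state it, e.g. `Release-specific labels are omitted when rendering the static kustomize manifests (release name "kustomize").`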
+++ b/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
@@ -0,0 +1,20 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-external-attacher-role
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
diff --git a/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
new file mode 100644
index 0000000000..84f122a039
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
@@ -0,0 +1,35 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-external-provisioner-role + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_resizer.yaml b/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml similarity index 72% rename from deploy/kubernetes/overlays/alpha/rbac_add_resizer.yaml rename to aws-ebs-csi-driver/templates/clusterrole-resizer.yaml index dfc65fb57a..5f0c758c5c 100644 --- a/deploy/kubernetes/overlays/alpha/rbac_add_resizer.yaml +++ b/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml @@ -1,9 +1,11 @@ +{{- if .Values.enableVolumeResizing }} --- - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ebs-external-resizer-role + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: # The following rule should be uncommented for plugins that require secrets # for provisioning. 
@@ -26,18 +28,4 @@ rules: resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-resizer-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-resizer-role - apiGroup: rbac.authorization.k8s.io - +{{- end}} diff --git a/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml b/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml new file mode 100644 index 0000000000..ffdb1b7d5d --- /dev/null +++ b/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml @@ -0,0 +1,35 @@ +{{- if .Values.enableVolumeSnapshot }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-snapshot-controller-role + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + +{{- end }} 
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml b/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml similarity index 68% rename from deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml rename to aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml index 3793d9fd89..061b56582b 100644 --- a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml +++ b/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml @@ -1,9 +1,11 @@ +{{- if .Values.enableVolumeSnapshot }} --- - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ebs-external-snapshotter-role + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: - apiGroups: [""] resources: ["events"] @@ -20,19 +22,4 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["update"] ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshotter-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-snapshotter-role - apiGroup: rbac.authorization.k8s.io - - +{{- end }} diff --git a/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml b/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml new file mode 100644 index 0000000000..1888a9b8b9 --- /dev/null +++ b/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml @@ -0,0 +1,15 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-csi-attacher-binding + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: ebs-external-attacher-role + apiGroup: rbac.authorization.k8s.io 
diff --git a/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml b/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
new file mode 100644
index 0000000000..0fd549909c
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
@@ -0,0 +1,15 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-provisioner-binding
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-provisioner-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
new file mode 100644
index 0000000000..b23063aa1c
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.enableVolumeResizing }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-resizer-binding
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-resizer-role
+ apiGroup: rbac.authorization.k8s.io
+
+{{- end}}
diff --git a/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml b/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml
new file mode 100644
index 0000000000..df4937a6c3
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.enableVolumeSnapshot }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-snapshot-controller-binding
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: ebs-snapshot-controller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-snapshot-controller-role
+ apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
diff --git a/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
new file mode 100644
index 0000000000..6ebb1d91dc
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.enableVolumeSnapshot }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-snapshotter-binding
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-snapshotter-role
+ apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
diff --git a/aws-ebs-csi-driver/templates/deployment.yaml b/aws-ebs-csi-driver/templates/controller.yaml
similarity index 88%
rename from aws-ebs-csi-driver/templates/deployment.yaml
rename to aws-ebs-csi-driver/templates/controller.yaml
index 10b76f9559..1e7b68dc7e 100644
--- a/aws-ebs-csi-driver/templates/deployment.yaml
+++ b/aws-ebs-csi-driver/templates/controller.yaml
@@ -4,25 +4,26 @@ apiVersion: apps/v1 metadata: name: ebs-csi-controller namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: app: ebs-csi-controller - app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} template: metadata: labels: app: ebs-csi-controller - app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} {{- if .Values.podAnnotations }} annotations: {{ toYaml .Values.podAnnotations | nindent 8 }} {{- end }} spec: nodeSelector: kubernetes.io/os: linux + kubernetes.io/arch: amd64 {{- with .Values.nodeSelector }} {{ toYaml . | indent 8 }} {{- end }} @@ -38,12 +39,18 @@ spec: {{- end }} containers: - name: ebs-plugin - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: + {{- if ne .Release.Name "kustomize" }} - controller + {{ else }} + # - {all,controller,node} # specify the driver mode + {{- end }} - --endpoint=$(CSI_ENDPOINT) - {{ include "aws-ebs-csi-driver.extra-volume-tags" . }} + {{- if .Values.extraVolumeTags }} + {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }} + {{- end }} - --logtostderr - --v=5 env: diff --git a/aws-ebs-csi-driver/templates/csidriver.yaml b/aws-ebs-csi-driver/templates/csidriver.yaml index 6e427fd092..1858e39c35 100644 --- a/aws-ebs-csi-driver/templates/csidriver.yaml +++ b/aws-ebs-csi-driver/templates/csidriver.yaml @@ -2,6 +2,8 @@ apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: ebs.csi.aws.com + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: attachRequired: true podInfoOnMount: false 
diff --git a/aws-ebs-csi-driver/templates/daemonset.yaml b/aws-ebs-csi-driver/templates/node.yaml similarity index 91% rename from aws-ebs-csi-driver/templates/daemonset.yaml rename to aws-ebs-csi-driver/templates/node.yaml index 9a930ca4b1..8eea8a0f14 100644 --- a/aws-ebs-csi-driver/templates/daemonset.yaml +++ b/aws-ebs-csi-driver/templates/node.yaml @@ -4,18 +4,18 @@ apiVersion: apps/v1 metadata: name: ebs-csi-node namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: selector: matchLabels: app: ebs-csi-node - app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} template: metadata: labels: app: ebs-csi-node - app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} {{- if .Values.node.podAnnotations }} annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} {{- end }} @@ -31,6 +31,7 @@ spec: - fargate nodeSelector: kubernetes.io/os: linux + kubernetes.io/arch: amd64 hostNetwork: true priorityClassName: system-node-critical tolerations: @@ -42,7 +43,7 @@ spec: - name: ebs-plugin securityContext: privileged: true - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} args: - node - --endpoint=$(CSI_ENDPOINT) diff --git a/aws-ebs-csi-driver/templates/rbac.yaml b/aws-ebs-csi-driver/templates/rbac.yaml deleted file mode 100644 index 18d2d3d3dd..0000000000 --- a/aws-ebs-csi-driver/templates/rbac.yaml +++ /dev/null 
@@ -1,233 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-provisioner-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-provisioner-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-provisioner-role - apiGroup: rbac.authorization.k8s.io - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-attacher-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 
ebs-csi-attacher-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-attacher-role - apiGroup: rbac.authorization.k8s.io - -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-snapshotter-role -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshotter-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-snapshotter-role - apiGroup: rbac.authorization.k8s.io - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", 
"watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshot-controller-binding -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-snapshot-controller-role - apiGroup: rbac.authorization.k8s.io - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-leaderelection - namespace: kube-system -rules: -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-leaderelection - namespace: kube-system -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: Role - name: snapshot-controller-leaderelection - apiGroup: rbac.authorization.k8s.io - -{{- end }} - -{{- if .Values.enableVolumeResizing }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-resizer-role -rules: - # The following rule should be uncommented for plugins that require secrets - # for provisioning. 
- # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-resizer-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-resizer-role - apiGroup: rbac.authorization.k8s.io -{{- end}} diff --git a/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml b/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml new file mode 100644 index 0000000000..947d241e9c --- /dev/null +++ b/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml @@ -0,0 +1,15 @@ +{{- if .Values.enableVolumeSnapshot }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-snapshot-controller-leaderelection + namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +{{- end }} diff --git a/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml b/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml new file mode 100644 index 0000000000..11d8ed49b1 --- /dev/null +++ b/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml 
@@ -0,0 +1,19 @@
+{{- if .Values.enableVolumeSnapshot }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: snapshot-controller-leaderelection
+ namespace: kube-system
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: ebs-snapshot-controller
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: snapshot-controller-leaderelection
+ apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
diff --git a/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
new file mode 100644
index 0000000000..9e2cf7cc70
--- /dev/null
+++ b/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.controller.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if eq .Release.Name "kustomize" }}
+ #Enable if EKS IAM for SA is used
+ #annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
+ {{- end }}
diff --git a/aws-ebs-csi-driver/templates/serviceaccount.yaml b/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml
similarity index 50%
rename from aws-ebs-csi-driver/templates/serviceaccount.yaml
rename to aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml
index 95396d6239..baa39c84e6 100644
--- a/aws-ebs-csi-driver/templates/serviceaccount.yaml
+++ b/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml
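Review bot: In templates/rolebinding-snapshot-controller-leaderelection.yaml, `roleRef.name` is `snapshot-controller-leaderelection`, but the Role added in templates/role-snapshot-controller-leaderelection.yaml is named `ebs-snapshot-controller-leaderelection`. Unless a Role with the unprefixed name exists from elsewhere, the binding points at nothing and the `ebs-snapshot-controller` service account does not receive the `leases` permissions. The mismatch was already in the deleted rbac.yaml and is carried over unchanged. Use `name: ebs-snapshot-controller-leaderelection` in `roleRef`, and consider the same prefix for the binding's own `metadata.name`.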
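Review bot: The commented example annotation in templates/serviceaccount-csi-controller.yaml embeds what looks like a real AWS account ID (`arn:aws:iam::586565787010:role/ebs-csi-role`), and the `kustomize` branch presumably carries it into the generated manifest under deploy/kubernetes/base. Replace it with an obvious placeholder such as `# eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>` so nobody uncomments it as-is and account identifiers stay out of the repository.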
@@ -1,18 +1,13 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-csi-controller-sa - namespace: kube-system - {{- with .Values.serviceAccount.controller.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - +{{- if .Values.enableVolumeSnapshot }} --- apiVersion: v1 kind: ServiceAccount metadata: name: ebs-snapshot-controller namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.snapshot.annotations }} annotations: {{ toYaml . | nindent 4 }} {{- end }} +{{- end }} diff --git a/aws-ebs-csi-driver/templates/statefulset.yaml b/aws-ebs-csi-driver/templates/statefulset.yaml index 30f0335801..b82460918d 100644 --- a/aws-ebs-csi-driver/templates/statefulset.yaml +++ b/aws-ebs-csi-driver/templates/statefulset.yaml @@ -5,18 +5,22 @@ apiVersion: apps/v1 metadata: name: ebs-snapshot-controller namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: serviceName: ebs-snapshot-controller replicas: 1 selector: matchLabels: app: ebs-snapshot-controller + {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} template: metadata: labels: app: ebs-snapshot-controller + {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} spec: - serviceAccount: ebs-snapshot-controller + serviceAccountName: ebs-snapshot-controller containers: - name: snapshot-controller image: quay.io/k8scsi/snapshot-controller:v2.1.1 diff --git a/deploy/kubernetes/base/clusterrole-attacher.yaml b/deploy/kubernetes/base/clusterrole-attacher.yaml new file mode 100644 index 0000000000..92217026ad --- /dev/null +++ b/deploy/kubernetes/base/clusterrole-attacher.yaml 
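Review bot: In templates/statefulset.yaml, adding `aws-ebs-csi-driver.selectorLabels` to `spec.selector.matchLabels` changes the selector of an existing StatefulSet, and `spec.selector` is immutable for apps/v1 workloads, so `helm upgrade` from the previous chart version is likely to be rejected where `ebs-snapshot-controller` is already installed. The controller and node workloads are not affected in the same way, because their selectors already carried the name and instance labels. Either keep the selector as `app: ebs-snapshot-controller` and add the new labels only to `metadata.labels` and the pod template, or document that the StatefulSet must be deleted before upgrading. The hunk starts inside the manifest, so any wrapping condition is not visible here.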
@@ -0,0 +1,21 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-external-attacher-role
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
diff --git a/deploy/kubernetes/base/clusterrole-provisioner.yaml b/deploy/kubernetes/base/clusterrole-provisioner.yaml
new file mode 100644
index 0000000000..827e8f06cd
--- /dev/null
+++ b/deploy/kubernetes/base/clusterrole-provisioner.yaml
@@ -0,0 +1,36 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-external-provisioner-role
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
diff --git a/deploy/kubernetes/base/clusterrolebinding-attacher.yaml b/deploy/kubernetes/base/clusterrolebinding-attacher.yaml
new file mode 100644
index 0000000000..9a97b8efcb
--- /dev/null
+++ b/deploy/kubernetes/base/clusterrolebinding-attacher.yaml
@@ -0,0 +1,16 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-attacher-binding
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-attacher-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/base/clusterrolebinding-provisioner.yaml b/deploy/kubernetes/base/clusterrolebinding-provisioner.yaml new file mode 100644 index 0000000000..084bed9df9 --- /dev/null +++ b/deploy/kubernetes/base/clusterrolebinding-provisioner.yaml @@ -0,0 +1,16 @@ +--- +# Source: aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-csi-provisioner-binding + labels: + app.kubernetes.io/name: aws-ebs-csi-driver +subjects: + - kind: ServiceAccount + name: ebs-csi-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: ebs-external-provisioner-role + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/base/controller.yaml b/deploy/kubernetes/base/controller.yaml index 01c6ff7d42..0769a1a602 100644 --- a/deploy/kubernetes/base/controller.yaml +++ b/deploy/kubernetes/base/controller.yaml @@ -1,33 +1,38 @@ --- +# Source: aws-ebs-csi-driver/templates/controller.yaml # Controller Service kind: Deployment apiVersion: apps/v1 metadata: name: ebs-csi-controller namespace: kube-system + labels: + app.kubernetes.io/name: aws-ebs-csi-driver spec: replicas: 2 selector: matchLabels: app: ebs-csi-controller + app.kubernetes.io/name: aws-ebs-csi-driver template: metadata: labels: app: ebs-csi-controller + app.kubernetes.io/name: aws-ebs-csi-driver spec: nodeSelector: kubernetes.io/os: linux - beta.kubernetes.io/arch: amd64 - serviceAccount: ebs-csi-controller-sa + kubernetes.io/arch: amd64 + serviceAccountName: ebs-csi-controller-sa priorityClassName: system-cluster-critical tolerations: - - key: CriticalAddonsOnly - operator: Exists + - operator: Exists containers: - name: ebs-plugin image: amazon/aws-ebs-csi-driver:latest - args : - # - {all,controller,node} # specify the driver mode + imagePullPolicy: IfNotPresent + args: + # - {all,controller,node} # specify the driver mode - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 
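Review bot: The toleration on the controller Deployment changes from `key: CriticalAddonsOnly` with `operator: Exists` to a bare `- operator: Exists`, which tolerates every taint, so the controller pods can now land on nodes that were tainted specifically to keep workloads off them. If that widening is not intended, keep the key in the chart template (`- key: CriticalAddonsOnly` followed by `operator: Exists`). The same hunk adds `imagePullPolicy: IfNotPresent` next to `image: amazon/aws-ebs-csi-driver:latest`; with a mutable tag each node keeps running whichever build it cached first, so the base should either pin a version tag or leave the pull policy at its default, which is `Always` for `latest`. This manifest is generated, so both changes belong in the chart template or the `deploy/kubernetes/values` files rather than in this file.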
@@ -46,9 +51,6 @@ spec: name: aws-secret key: access_key optional: true - # overwrite the AWS region instead of looking it up dynamically via the AWS EC2 metadata svc - # - name: AWS_REGION - # value: us-east-1 volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ diff --git a/deploy/kubernetes/base/csidriver.yaml b/deploy/kubernetes/base/csidriver.yaml index 03c42368a7..357b3d71a2 100644 --- a/deploy/kubernetes/base/csidriver.yaml +++ b/deploy/kubernetes/base/csidriver.yaml @@ -1,9 +1,11 @@ --- - +# Source: aws-ebs-csi-driver/templates/csidriver.yaml apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: ebs.csi.aws.com + labels: + app.kubernetes.io/name: aws-ebs-csi-driver spec: attachRequired: true podInfoOnMount: false diff --git a/deploy/kubernetes/base/kustomization.yaml b/deploy/kubernetes/base/kustomization.yaml index 92a8c4a1b1..f6978d7e21 100644 --- a/deploy/kubernetes/base/kustomization.yaml +++ b/deploy/kubernetes/base/kustomization.yaml @@ -2,7 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kube-system resources: +- clusterrole-attacher.yaml +- clusterrole-provisioner.yaml +- clusterrolebinding-attacher.yaml +- clusterrolebinding-provisioner.yaml - controller.yaml -- node.yaml -- rbac.yaml - csidriver.yaml +- node.yaml +- serviceaccount-csi-controller.yaml diff --git a/deploy/kubernetes/base/node.yaml b/deploy/kubernetes/base/node.yaml index eb53fee463..7a84b8b72d 100644 --- a/deploy/kubernetes/base/node.yaml +++ b/deploy/kubernetes/base/node.yaml 
@@ -1,18 +1,23 @@ --- +# Source: aws-ebs-csi-driver/templates/node.yaml # Node Service kind: DaemonSet apiVersion: apps/v1 metadata: name: ebs-csi-node namespace: kube-system + labels: + app.kubernetes.io/name: aws-ebs-csi-driver spec: selector: matchLabels: app: ebs-csi-node + app.kubernetes.io/name: aws-ebs-csi-driver template: metadata: labels: app: ebs-csi-node + app.kubernetes.io/name: aws-ebs-csi-driver spec: affinity: nodeAffinity: @@ -25,7 +30,7 @@ spec: - fargate nodeSelector: kubernetes.io/os: linux - beta.kubernetes.io/arch: amd64 + kubernetes.io/arch: amd64 hostNetwork: true priorityClassName: system-node-critical tolerations: @@ -36,6 +41,7 @@ spec: privileged: true image: amazon/aws-ebs-csi-driver:latest args: + - node - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 diff --git a/deploy/kubernetes/base/rbac.yaml b/deploy/kubernetes/base/rbac.yaml deleted file mode 100644 index 77ddd2b2bf..0000000000 --- a/deploy/kubernetes/base/rbac.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-csi-controller-sa - namespace: kube-system - #Enable if EKS IAM for SA is used - #annotations: - # eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-provisioner-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-provisioner-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-provisioner-role - apiGroup: rbac.authorization.k8s.io - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-attacher-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: 
["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-attacher-binding -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-attacher-role - apiGroup: rbac.authorization.k8s.io - - diff --git a/deploy/kubernetes/base/serviceaccount-csi-controller.yaml b/deploy/kubernetes/base/serviceaccount-csi-controller.yaml new file mode 100644 index 0000000000..529473f3a3 --- /dev/null +++ b/deploy/kubernetes/base/serviceaccount-csi-controller.yaml @@ -0,0 +1,12 @@ +--- +# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ebs-csi-controller-sa + namespace: kube-system + labels: + app.kubernetes.io/name: aws-ebs-csi-driver + #Enable if EKS IAM for SA is used + #annotations: + # eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role diff --git a/deploy/kubernetes/overlays/alpha/kustomization.yaml b/deploy/kubernetes/overlays/alpha/kustomization.yaml index a678164f62..8bdc46339d 100644 --- a/deploy/kubernetes/overlays/alpha/kustomization.yaml +++ b/deploy/kubernetes/overlays/alpha/kustomization.yaml 
@@ -2,11 +2,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization bases: - ../../base -patches: +patchesStrategicMerge: - controller_add_snapshotter.yaml - controller_add_resizer.yaml resources: -- rbac_add_snapshotter.yaml -- rbac_add_resizer.yaml -- rbac_add_snapshot_controller.yaml +- rbac_add_resizer_clusterrole.yaml +- rbac_add_resizer_clusterrolebinding.yaml +- rbac_add_snapshot_controller_clusterrole.yaml +- rbac_add_snapshot_controller_clusterrolebinding.yaml +- rbac_add_snapshot_controller_leaderelection_role.yaml +- rbac_add_snapshot_controller_leaderelection_rolebinding.yaml +- rbac_add_snapshotter_clusterrole.yaml +- rbac_add_snapshotter_clusterrolebinding.yaml +- serviceaccount-snapshot-controller.yaml - snapshot_controller.yaml diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrole.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrole.yaml new file mode 100644 index 0000000000..c24f13a6c6 --- /dev/null +++ b/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrole.yaml @@ -0,0 +1,29 @@ +--- +# Source: aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-external-resizer-role + labels: + app.kubernetes.io/name: aws-ebs-csi-driver +rules: + # The following rule should be uncommented for plugins that require secrets + # for provisioning. + # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] 
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrolebinding.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrolebinding.yaml
new file mode 100644
index 0000000000..a840f51b83
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_resizer_clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-resizer-binding
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-resizer-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller.yaml
deleted file mode 100644
index d97b6f1edf..0000000000
--- a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller.yaml
+++ /dev/null
@@ -1,77 +0,0 @@ -# RBAC file for the snapshot controller. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-snapshot-controller - namespace: kube-system - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshot-controller-binding -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-snapshot-controller-role - apiGroup: rbac.authorization.k8s.io - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-leaderelection - namespace: kube-system -rules: -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-leaderelection - namespace: kube-system -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - 
namespace: kube-system -roleRef: - kind: Role - name: snapshot-controller-leaderelection - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrole.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrole.yaml new file mode 100644 index 0000000000..48428cb673 --- /dev/null +++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrole.yaml @@ -0,0 +1,33 @@ +--- +# Source: aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-snapshot-controller-role + labels: + app.kubernetes.io/name: aws-ebs-csi-driver +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrolebinding.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrolebinding.yaml new file mode 100644 index 0000000000..10c021c889 --- /dev/null +++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_clusterrolebinding.yaml 
@@ -0,0 +1,16 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-snapshot-controller-binding
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+subjects:
+ - kind: ServiceAccount
+ name: ebs-snapshot-controller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-snapshot-controller-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_role.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_role.yaml
new file mode 100644
index 0000000000..64ff52a264
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_role.yaml
@@ -0,0 +1,13 @@
+---
+# Source: aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-snapshot-controller-leaderelection
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_rolebinding.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_rolebinding.yaml
new file mode 100644
index 0000000000..6cf00e14e8
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller_leaderelection_rolebinding.yaml
@@ -0,0 +1,17 @@
+---
+# Source: aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: snapshot-controller-leaderelection
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+subjects:
+ - kind: ServiceAccount
+ name: ebs-snapshot-controller
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: snapshot-controller-leaderelection
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrole.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrole.yaml
new file mode 100644
index 0000000000..1cad85eb27
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrole.yaml
@@ -0,0 +1,24 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-external-snapshotter-role
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update"]
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrolebinding.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrolebinding.yaml
new file mode 100644
index 0000000000..7720ca5d23
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter_clusterrolebinding.yaml
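Review bot: `ebs-external-snapshotter-role` grants `get` and `list` on `secrets` as a ClusterRole, and the ClusterRoleBinding generated alongside it binds that role to `ebs-csi-controller-sa`, so the controller's service account can read every Secret in every namespace (`list` returns the secret data, not only the names). The resizer ClusterRole in this same commit keeps its secrets rule commented out with the remark that it is only for plugins that require secrets; if this driver does not use snapshotter secrets, I would do the same in `clusterrole-snapshotter.yaml` and regenerate. If the rule is needed, say why in a comment above it, for example `# needed to read the secrets referenced by a VolumeSnapshotClass`, and consider whether a namespaced Role would be enough. The rule was possibly carried over from the earlier snapshotter RBAC file, which is not shown in this part of the diff.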
@@ -0,0 +1,16 @@
+---
+# Source: aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ebs-csi-snapshotter-binding
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
+subjects:
+ - kind: ServiceAccount
+ name: ebs-csi-controller-sa
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: ebs-external-snapshotter-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/overlays/alpha/serviceaccount-snapshot-controller.yaml b/deploy/kubernetes/overlays/alpha/serviceaccount-snapshot-controller.yaml
new file mode 100644
index 0000000000..a7d349c8b2
--- /dev/null
+++ b/deploy/kubernetes/overlays/alpha/serviceaccount-snapshot-controller.yaml
@@ -0,0 +1,9 @@
+---
+# Source: aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ebs-snapshot-controller
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/name: aws-ebs-csi-driver
diff --git a/deploy/kubernetes/overlays/alpha/snapshot_controller.yaml b/deploy/kubernetes/overlays/alpha/snapshot_controller.yaml
index aeb0472037..5b28f4ca02 100644
--- a/deploy/kubernetes/overlays/alpha/snapshot_controller.yaml
+++ b/deploy/kubernetes/overlays/alpha/snapshot_controller.yaml
@@ -1,21 +1,27 @@ --- +# Source: aws-ebs-csi-driver/templates/statefulset.yaml +#Snapshot controller kind: StatefulSet apiVersion: apps/v1 metadata: name: ebs-snapshot-controller namespace: kube-system + labels: + app.kubernetes.io/name: aws-ebs-csi-driver spec: serviceName: ebs-snapshot-controller replicas: 1 selector: matchLabels: app: ebs-snapshot-controller + app.kubernetes.io/name: aws-ebs-csi-driver template: metadata: labels: app: ebs-snapshot-controller + app.kubernetes.io/name: aws-ebs-csi-driver spec: - serviceAccount: ebs-snapshot-controller + serviceAccountName: ebs-snapshot-controller containers: - name: snapshot-controller image: quay.io/k8scsi/snapshot-controller:v2.1.1 diff --git a/deploy/kubernetes/overlays/stable/kustomization.yaml b/deploy/kubernetes/overlays/stable/kustomization.yaml index 95a4ea5d1a..818d5b7b0e 100644 --- a/deploy/kubernetes/overlays/stable/kustomization.yaml +++ b/deploy/kubernetes/overlays/stable/kustomization.yaml @@ -4,18 +4,13 @@ bases: - ../../base images: - name: amazon/aws-ebs-csi-driver - newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-ebs-csi-driver newTag: v0.4.0 - name: quay.io/k8scsi/csi-provisioner - newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-provisioner newTag: v1.3.0 - name: quay.io/k8scsi/csi-attacher - newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-attacher newTag: v1.2.0 - name: quay.io/k8scsi/livenessprobe - newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-liveness-probe newTag: v1.1.0 - name: quay.io/k8scsi/csi-node-driver-registrar - newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-node-driver-registrar newTag: v1.1.0 diff --git a/deploy/kubernetes/values/controller.yaml b/deploy/kubernetes/values/controller.yaml new file mode 100644 index 0000000000..5748b62efd --- /dev/null +++ b/deploy/kubernetes/values/controller.yaml @@ -0,0 +1,4 @@ +image: + tag: latest + +enableVolumeScheduling: true 
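Review bot: With the `newName` overrides removed in `overlays/stable/kustomization.yaml`, all five images are resolved from their public registries and pinned only by tag (`newTag: v0.4.0`, `v1.3.0`, and so on), which the registry owner can repoint. For an overlay called stable I would pin each entry by digest, for example `digest: sha256:<digest-of-tested-image>` under `- name: amazon/aws-ebs-csi-driver` (placeholder; the real digests are not on this page), so that the node plugin, which runs `privileged: true` in kube-system, is exactly the build that was tested. A short comment in the kustomization on why the ECR registry names were dropped would also help users who depended on them.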
diff --git a/deploy/kubernetes/values/node.yaml b/deploy/kubernetes/values/node.yaml new file mode 100644 index 0000000000..39afc69d27 --- /dev/null +++ b/deploy/kubernetes/values/node.yaml @@ -0,0 +1,2 @@ +image: + tag: latest \ No newline at end of file diff --git a/deploy/kubernetes/values/resizer.yaml b/deploy/kubernetes/values/resizer.yaml new file mode 100644 index 0000000000..048e433751 --- /dev/null +++ b/deploy/kubernetes/values/resizer.yaml @@ -0,0 +1 @@ +enableVolumeResizing: true \ No newline at end of file diff --git a/deploy/kubernetes/values/snapshotter.yaml b/deploy/kubernetes/values/snapshotter.yaml new file mode 100644 index 0000000000..0ff3e8cc91 --- /dev/null +++ b/deploy/kubernetes/values/snapshotter.yaml @@ -0,0 +1 @@ +enableVolumeSnapshot: true \ No newline at end of file diff --git a/docs/README.md b/docs/README.md index bc895445ab..53355c58b0 100644 --- a/docs/README.md +++ b/docs/README.md @@ -160,5 +160,13 @@ Dependencies are managed through go module. To build the project, first turn on * Build image and push it with latest tag: `make image && make push` * Build image and push it with release tag: `make image-release && make push-release` +### Helm and manifests +The helm chart for this project is in the `aws-ebs-csi-driver` directory. The manifests for this project are in the `deploy/kubernetes` directory. All of the manifests except kustomize patches are generated by running `helm template`. This keeps the helm chart and the manifests in sync. + +When updating the helm chart: +* Generate manifests: `make generate-kustomize` +* There are values files in `deploy/kubernetes/values` used for generating some of the manifests +* When adding a new resource template to the helm chart please update the `generate-kustomize` make target, the `deploy/kubernetes/values` files, and the appropriate kustomization.yaml file(s). + ## Milestone [Milestones page](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/milestones)