From 77a52798d2847f5abfc2af72fa9a9be68b755d93 Mon Sep 17 00:00:00 2001
From: CALIN Cristian Andrei
Date: Mon, 18 Apr 2022 19:14:23 +0300
Subject: [PATCH] [v1.23] add support for kubernetes 1.23
---
deploy/kubernetes/v1.23/controller.yml | 279 ++++++++++++++++++
deploy/kubernetes/v1.23/csi-driver.yml | 9 +
deploy/kubernetes/v1.23/namespace.yml | 4 +
deploy/kubernetes/v1.23/node.yml | 139 +++++++++
.../v1.23/snapshotter/snapshotter.yaml | 157 ++++++++++
.../snapshotter/volume-snapshot-class.yml | 13 +
deploy/kubernetes/v1.23/storage-class.yml | 14 +
7 files changed, 615 insertions(+)
create mode 100644 deploy/kubernetes/v1.23/controller.yml
create mode 100644 deploy/kubernetes/v1.23/csi-driver.yml
create mode 100644 deploy/kubernetes/v1.23/namespace.yml
create mode 100644 deploy/kubernetes/v1.23/node.yml
create mode 100644 deploy/kubernetes/v1.23/snapshotter/snapshotter.yaml
create mode 100644 deploy/kubernetes/v1.23/snapshotter/volume-snapshot-class.yml
create mode 100644 deploy/kubernetes/v1.23/storage-class.yml
diff --git a/deploy/kubernetes/v1.23/controller.yml b/deploy/kubernetes/v1.23/controller.yml
new file mode 100644
index 0000000..071fae2
--- /dev/null
+++ b/deploy/kubernetes/v1.23/controller.yml
@@ -0,0 +1,279 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-controller-sa
+ namespace: synology-csi
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-controller-role
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ # The following rule should be uncommented for plugins that require secrets
+ # for provisioning.
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-controller-role
+ namespace: synology-csi
+subjects:
+ - kind: ServiceAccount
+ name: csi-controller-sa
+ namespace: synology-csi
+roleRef:
+ kind: ClusterRole
+ name: synology-csi-controller-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+# Provisioner must be able to work with endpoints in current namespace
+# if (and only if) leadership election is enabled
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: synology-csi
+ name: synology-provisioner-cfg
+rules:
+# Only one of the following rules for endpoints or leases is required based on
+# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
+- apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+# Permissions for CSIStorageCapacity are only needed enabling the publishing
+# of storage capacity information.
+- apiGroups: ["storage.k8s.io"]
+ resources: ["csistoragecapacities"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# The GET permissions below are needed for walking up the ownership chain
+# for CSIStorageCapacity. They are sufficient for deployment via
+# StatefulSet (only needs to get Pod) and Deployment (needs to get
+# Pod and then ReplicaSet to find the Deployment).
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get"]
+- apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-provisioner-role-cfg
+ namespace: synology-csi
+subjects:
+ - kind: ServiceAccount
+ name: csi-controller-sa
+ namespace: synology-csi
+roleRef:
+ kind: Role
+ name: synology-provisioner-cfg
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: synology-csi-controller
+ namespace: synology-csi
+spec:
+ serviceName: "synology-csi-controller"
+ replicas: 1
+ selector:
+ matchLabels:
+ app: synology-csi-controller
+ template:
+ metadata:
+ labels:
+ app: synology-csi-controller
+ spec:
+ serviceAccountName: csi-controller-sa
+ hostNetwork: true
+ containers:
+ - name: csi-provisioner
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v3.0.0
+ args:
+ - --timeout=60s
+ - --csi-address=$(ADDRESS)
+ - --leader-election
+# - --enable-capacity
+ - --http-endpoint=:8080
+ - --v=1
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ ports:
+ - containerPort: 8080
+ name: prov-port
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthz/leader-election
+ port: prov-port
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 20
+ - name: csi-attacher
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: gcr.io/k8s-staging-sig-storage/csi-attacher:v3.4.0
+ args:
+ - --v=1
+ - --csi-address=$(ADDRESS)
+ - --leader-election
+ - --http-endpoint=:8081
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ - name: MY_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ ports:
+ - containerPort: 8081
+ name: attach-port
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthz/leader-election
+ port: attach-port
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 20
+ - name: csi-resizer
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: gcr.io/k8s-staging-sig-storage/csi-resizer:v1.3.0
+ args:
+ - --v=1
+ - --csi-address=$(ADDRESS)
+ - --leader-election
+ - --http-endpoint=:8082
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ ports:
+ - containerPort: 8082
+ name: resizer-port
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthz/leader-election
+ port: resizer-port
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 20
+ - name: csi-plugin
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: cristicalin/synology-csi:v1.0.1
+ args:
+ - --nodeid=NotUsed
+ - --endpoint=$(CSI_ENDPOINT)
+ - --client-info
+ - /etc/synology/client-info.yml
+ - --log-level=info
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ - name: client-info
+ mountPath: /etc/synology
+ readOnly: true
+ volumes:
+ - name: socket-dir
+ emptyDir: {}
+ - name: client-info
+ secret:
+ secretName: client-info-secret
diff --git a/deploy/kubernetes/v1.23/csi-driver.yml b/deploy/kubernetes/v1.23/csi-driver.yml
new file mode 100644
index 0000000..ac8f464
--- /dev/null
+++ b/deploy/kubernetes/v1.23/csi-driver.yml
@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: csi.san.synology.com
+spec:
+ attachRequired: true # Indicates the driver requires an attach operation (TODO: ControllerPublishVolume should be implemented)
+ podInfoOnMount: true
+ volumeLifecycleModes:
+ - Persistent
diff --git a/deploy/kubernetes/v1.23/namespace.yml b/deploy/kubernetes/v1.23/namespace.yml
new file mode 100644
index 0000000..57dda22
--- /dev/null
+++ b/deploy/kubernetes/v1.23/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: synology-csi
\ No newline at end of file
diff --git a/deploy/kubernetes/v1.23/node.yml b/deploy/kubernetes/v1.23/node.yml
new file mode 100644
index 0000000..62b29c6
--- /dev/null
+++ b/deploy/kubernetes/v1.23/node.yml
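Review bot: The csi-provisioner, csi-attacher and csi-resizer sidecars in the synology-csi-controller StatefulSet run with `privileged: true`, `capabilities.add: ["SYS_ADMIN"]` and `allowPrivilegeEscalation: true`, yet the hunk shows them touching only the CSI socket under /var/lib/csi/sockets/pluginproxy/ and the API server, which needs no elevated privilege; dropping that securityContext (or setting `allowPrivilegeEscalation: false` with no added capabilities) keeps a compromised sidecar from holding root on the node. The same pattern is repeated for the csi-snapshotter sidecar in snapshotter.yaml. The three sidecar images are pulled from `gcr.io/k8s-staging-sig-storage`, a staging registry whose tags are not intended for production and are not retained indefinitely, while snapshotter.yaml already uses `k8s.gcr.io/sig-storage`; the controller images should come from the same release registry, ideally pinned by digest rather than a mutable tag combined with `imagePullPolicy: Always`. With `hostNetwork: true` the `--http-endpoint` health listeners on 8080–8082 are also bound directly on the node's interfaces; if host networking is not required to reach the DSM, removing it keeps those listeners inside the pod network.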
@@ -0,0 +1,139 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-node-sa
+ namespace: synology-csi
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-node-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "update"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-node-role
+ namespace: synology-csi
+subjects:
+ - kind: ServiceAccount
+ name: csi-node-sa
+ namespace: synology-csi
+roleRef:
+ kind: ClusterRole
+ name: synology-csi-node-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: synology-csi-node
+ namespace: synology-csi
+spec:
+ selector:
+ matchLabels:
+ app: synology-csi-node
+ template:
+ metadata:
+ labels:
+ app: synology-csi-node
+ spec:
+ serviceAccount: csi-node-sa
+ hostNetwork: true
+ containers:
+ - name: csi-driver-registrar
+ securityContext:
+ privileged: true
+ imagePullPolicy: Always
+ image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
+ args:
+ - --v=5
+ - --csi-address=$(ADDRESS) # the csi socket path inside the pod
+ - --kubelet-registration-path=$(REGISTRATION_PATH) # the csi socket path on the host node
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ - name: REGISTRATION_PATH
+ value: /var/lib/kubelet/plugins/csi.san.synology.com/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ - name: csi-plugin
+ securityContext:
+ privileged: true
+ imagePullPolicy: IfNotPresent
+ image: cristicalin/synology-csi:v1.0.1
+ args:
+ - --nodeid=$(KUBE_NODE_NAME)
+ - --endpoint=$(CSI_ENDPOINT)
+ - --client-info
+ - /etc/synology/client-info.yml
+ - --log-level=info
+ env:
+ - name: CSI_ENDPOINT
+ value: unix://csi/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: kubelet-dir
+ mountPath: /var/lib/kubelet
+ mountPropagation: "Bidirectional"
+ - name: plugin-dir
+ mountPath: /csi
+ - name: client-info
+ mountPath: /etc/synology
+ readOnly: true
+ - name: host-root
+ mountPath: /host
+ - name: device-dir
+ mountPath: /dev
+ volumes:
+ - name: kubelet-dir
+ hostPath:
+ path: /var/lib/kubelet
+ type: Directory
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/csi.san.synology.com/
+ type: DirectoryOrCreate
+ - name: registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry
+ type: Directory
+ - name: client-info
+ secret:
+ secretName: client-info-secret
+ - name: host-root
+ hostPath:
+ path: /
+ type: Directory
+ - name: device-dir
+ hostPath:
+ path: /dev
+ type: Directory
diff --git a/deploy/kubernetes/v1.23/snapshotter/snapshotter.yaml b/deploy/kubernetes/v1.23/snapshotter/snapshotter.yaml
new file mode 100644
index 0000000..6b00236
--- /dev/null
+++ b/deploy/kubernetes/v1.23/snapshotter/snapshotter.yaml
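Review bot: synology-csi-node-role grants cluster-wide `secrets` get/list to csi-node-sa, and because the DaemonSet places that token on every node, a single node compromise exposes every Secret in the cluster; nothing in node.yml shows the plugin reading Secrets through the API (client-info arrives as a mounted Secret volume), so drop the rule unless the driver needs it, and if it does, scope it with a Role in synology-csi. The csi-driver-registrar sidecar also runs `privileged: true` although it only needs the plugin-dir and registration-dir mounts. The csi-plugin container mounts the host root (`host-root` at `/host`) read-write next to `/dev` and a Bidirectional `/var/lib/kubelet`; if `/host` exists only so the plugin can reach the node's iSCSI tooling, a comment saying so plus `readOnly: true` on that mount would document and narrow it. `serviceAccount: csi-node-sa` is the deprecated PodSpec field; controller.yml and snapshotter.yaml use `serviceAccountName`, so `serviceAccountName: csi-node-sa` keeps the three manifests consistent. Likewise CSI_ENDPOINT here is `unix://csi/csi.sock` while the other two manifests use the three-slash `unix:///...` form; presumably the driver normalises both, but that is worth confirming since the registrar advertises `/csi/csi.sock`.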
@@ -0,0 +1,157 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-snapshotter-sa
+ namespace: synology-csi
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-snapshotter-role
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: synology-csi-snapshotter-role
+ namespace: synology-csi
+subjects:
+ - kind: ServiceAccount
+ name: csi-snapshotter-sa
+ namespace: synology-csi
+roleRef:
+ kind: ClusterRole
+ name: synology-csi-snapshotter-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: synology-csi
+ name: synology-csi-snapshotter-cfg
+rules:
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: synology-csi
+ name: synology-csi-snapshotter-role-cfg
+subjects:
+ - kind: ServiceAccount
+ name: csi-snapshotter-sa
+ namespace: synology-csi
+roleRef:
+ kind: Role
+ name: synology-csi-snapshotter-cfg
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: synology-csi-snapshotter
+ namespace: synology-csi
+spec:
+ serviceName: "synology-csi-snapshotter"
+ replicas: 1
+ selector:
+ matchLabels:
+ app: synology-csi-snapshotter
+ template:
+ metadata:
+ labels:
+ app: synology-csi-snapshotter
+ spec:
+ serviceAccountName: csi-snapshotter-sa
+ hostNetwork: true
+ containers:
+ - name: csi-snapshotter
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.1
+ args:
+ - --v=1
+ - --csi-address=$(ADDRESS)
+ - --leader-election
+ - --http-endpoint=:8083
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ ports:
+ - containerPort: 8083
+ name: snap-port
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /healthz/leader-election
+ port: snap-port
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 20
+ - name: csi-plugin
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: cristicalin/synology-csi:v1.0.1
+ args:
+ - --nodeid=$(KUBE_NODE_NAME)
+ - --endpoint=$(CSI_ENDPOINT)
+ - --client-info
+ - /etc/synology/client-info.yml
+ - --log-level=info
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ - name: client-info
+ mountPath: /etc/synology
+ readOnly: true
+ volumes:
+ - name: socket-dir
+ emptyDir: {}
+ - name: client-info
+ secret:
+ secretName: client-info-secret
diff --git a/deploy/kubernetes/v1.23/snapshotter/volume-snapshot-class.yml b/deploy/kubernetes/v1.23/snapshotter/volume-snapshot-class.yml
new file mode 100644
index 0000000..2767942
--- /dev/null
+++ b/deploy/kubernetes/v1.23/snapshotter/volume-snapshot-class.yml
@@ -0,0 +1,13 @@
+apiVersion: snapshot.storage.k8s.io/v1beta1
+kind: VolumeSnapshotClass
+metadata:
+ name: synology-snapshotclass
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "false"
+ labels:
+ velero.io/csi-volumesnapshot-class: "true"
+driver: csi.san.synology.com
+deletionPolicy: Retain
+# parameters:
+# description: 'Kubernetes CSI'
+# is_locked: 'false'
diff --git a/deploy/kubernetes/v1.23/storage-class.yml b/deploy/kubernetes/v1.23/storage-class.yml
new file mode 100644
index 0000000..ba0e5c6
--- /dev/null
+++ b/deploy/kubernetes/v1.23/storage-class.yml
@@ -0,0 +1,14 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: synology-iscsi-storage
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: csi.san.synology.com
+# if all params are empty, synology CSI will choose an available location to create volume
+# parameters:
+# dsm: '1.1.1.1'
+# location: '/volume1'
+# fsType: 'ext4'
+reclaimPolicy: Retain
+allowVolumeExpansion: true
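Review bot: The `storageclass.kubernetes.io/is-default-class` annotation on the VolumeSnapshotClass is the StorageClass annotation; the one the snapshot controller reads is `snapshot.storage.kubernetes.io/is-default-class`, so the current line is inert and misleading even at "false" and should be `snapshot.storage.kubernetes.io/is-default-class: "false"`. `apiVersion: snapshot.storage.k8s.io/v1beta1` is also the deprecated snapshot API; for a Kubernetes 1.23 target the CRDs shipped with external-snapshotter v4.x serve `snapshot.storage.k8s.io/v1`, and v1beta1 is dropped in later CRD releases, so `apiVersion: snapshot.storage.k8s.io/v1` is the form to ship here.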
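Review bot: `storageclass.kubernetes.io/is-default-class: "true"` makes synology-iscsi-storage the cluster default the moment the manifest is applied; on a cluster that already has a default class, two defaults cause PVCs without a storageClassName to be rejected by the DefaultStorageClass admission plugin on Kubernetes 1.23, so a shipped manifest is safer with `storageclass.kubernetes.io/is-default-class: "false"` and a comment telling operators how to opt in. The commented `dsm: '1.1.1.1'` example reads as a placeholder; a one-line comment stating where the DSM address and credentials actually come from (presumably client-info-secret, which the controller mounts) would keep readers from putting credentials into StorageClass parameters, which are visible to anyone who can read StorageClasses.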