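---
# Service account used by the controller StatefulSet below. All RBAC in this
# file is bound to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-controller-sa
  namespace: synology-csi
---
# Cluster-wide permissions for the CSI sidecars (provisioner, attacher,
# resizer) running in the controller pod.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: synology-csi-controller-role
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # NOTE(review): this grants read access to every Secret in the cluster. The
  # plugin container below receives its credentials via a mounted Secret
  # volume, so this rule is only needed if StorageClass-referenced secrets
  # are used — confirm, and drop it otherwise.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRoleBinding is cluster-scoped; a metadata.namespace here is
  # ignored by the API server, so it is omitted.
  name: synology-csi-controller-role
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: synology-csi
roleRef:
  kind: ClusterRole
  name: synology-csi-controller-role
  apiGroup: rbac.authorization.k8s.io
---
# Provisioner must be able to work with endpoints in current namespace
# if (and only if) leadership election is enabled
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: synology-csi
  name: synology-provisioner-cfg
rules:
  # Only one of the following rules for endpoints or leases is required based on
  # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # Permissions for CSIStorageCapacity are only needed enabling the publishing
  # of storage capacity information.
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The GET permissions below are needed for walking up the ownership chain
  # for CSIStorageCapacity. They are sufficient for deployment via
  # StatefulSet (only needs to get Pod) and Deployment (needs to get
  # Pod and then ReplicaSet to find the Deployment).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: synology-csi-provisioner-role-cfg
  namespace: synology-csi
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: synology-csi
roleRef:
  kind: Role
  name: synology-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Controller pod: three upstream CSI sidecars plus the Synology plugin, all
# sharing one emptyDir that carries the CSI unix socket.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: synology-csi-controller
  namespace: synology-csi
spec:
  serviceName: "synology-csi-controller"
  replicas: 1
  selector:
    matchLabels:
      app: synology-csi-controller
  template:
    metadata:
      labels:
        app: synology-csi-controller
    spec:
      serviceAccountName: csi-controller-sa
      # NOTE(review): presumably required so the plugin can reach the NAS
      # management interface — confirm. With hostNetwork the sidecars'
      # --http-endpoint listeners (8080-8082) are bound on the node's
      # interfaces, not only inside the pod network.
      hostNetwork: true
      containers:
        # The sidecars only talk to the API server and to the CSI socket in
        # the shared emptyDir; they do not mount or format anything, so they
        # run unprivileged with all capabilities dropped (this matches the
        # upstream sidecar deployments).
        - name: csi-provisioner
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v3.0.0
          args:
            - --timeout=60s
            - --csi-address=$(ADDRESS)
            - --leader-election
            # - --enable-capacity
            - --http-endpoint=:8080
            - --v=1
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - containerPort: 8080
              name: prov-port
              protocol: TCP
          livenessProbe:
            failureThreshold: 1
            httpGet:
              path: /healthz/leader-election
              port: prov-port
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 20
        - name: csi-attacher
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          image: gcr.io/k8s-staging-sig-storage/csi-attacher:v3.4.0
          args:
            - --v=1
            - --csi-address=$(ADDRESS)
            - --leader-election
            - --http-endpoint=:8081
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            - name: MY_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - containerPort: 8081
              name: attach-port
              protocol: TCP
          livenessProbe:
            failureThreshold: 1
            httpGet:
              path: /healthz/leader-election
              port: attach-port
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 20
        - name: csi-resizer
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          image: gcr.io/k8s-staging-sig-storage/csi-resizer:v1.3.0
          args:
            - --v=1
            - --csi-address=$(ADDRESS)
            - --leader-election
            - --http-endpoint=:8082
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - containerPort: 8082
              name: resizer-port
              protocol: TCP
          livenessProbe:
            failureThreshold: 1
            httpGet:
              path: /healthz/leader-election
              port: resizer-port
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 20
        # The plugin itself keeps the original privileged settings: whether
        # the controller role of this binary needs them cannot be determined
        # from this manifest (--nodeid=NotUsed suggests controller-only).
        # NOTE(review): verify against the plugin and tighten if possible.
        - name: csi-plugin
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          image: cristicalin/synology-csi:v1.0.0
          args:
            - --nodeid=NotUsed
            - --endpoint=$(CSI_ENDPOINT)
            - --client-info
            - /etc/synology/client-info.yml
            - --log-level=info
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
            # NAS credentials arrive as a read-only Secret volume; the plugin
            # does not need API access to Secrets for this path.
            - name: client-info
              mountPath: /etc/synology
              readOnly: true
      volumes:
        - name: socket-dir
          emptyDir: {}
        - name: client-info
          secret:
            secretName: client-info-secret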