apiVersion: v1 kind: ServiceAccount metadata: name: csi-controller-sa namespace: synology-csi --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: synology-csi-controller-role rules: - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["get", "list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: synology-csi-controller-role namespace: synology-csi subjects: - kind: ServiceAccount name: csi-controller-sa namespace: synology-csi roleRef: kind: ClusterRole name: synology-csi-controller-role apiGroup: rbac.authorization.k8s.io --- kind: StatefulSet apiVersion: apps/v1 metadata: name: synology-csi-controller namespace: synology-csi spec: serviceName: "synology-csi-controller" replicas: 1 selector: matchLabels: app: synology-csi-controller template: metadata: labels: app: synology-csi-controller spec: serviceAccountName: csi-controller-sa hostNetwork: true containers: - name: csi-provisioner securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: quay.io/k8scsi/csi-provisioner:v1.6.0 args: - --timeout=60s - --csi-address=$(ADDRESS) - --v=5 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: Always volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: quay.io/k8scsi/csi-attacher:v2.1.0 args: - --v=5 - --csi-address=$(ADDRESS) env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: Always volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-resizer securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: quay.io/k8scsi/csi-resizer:v0.5.0 args: - --v=5 - --csi-address=$(ADDRESS) env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: Always volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-plugin securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: synology/synology-csi:v1.0.0 args: - --nodeid=NotUsed - --endpoint=$(CSI_ENDPOINT) - --client-info - /etc/synology/client-info.yml - --log-level=info env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: IfNotPresent volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: client-info mountPath: /etc/synology readOnly: true volumes: - name: socket-dir emptyDir: {} - name: client-info secret: secretName: client-info-secret