# Copyright 2018 DigitalOcean # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Configuration to deploy release version of the CSI DigitalOcean # plugin (https://github.com/digitalocean/csi-digitalocean) compatible with # Kubernetes >=v1.10.5 # # example usage: kubectl create -f --- kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: do-block-storage namespace: kube-system annotations: storageclass.kubernetes.io/is-default-class: "true" provisioner: com.digitalocean.csi.dobs --- ############################################## ########### ############ ########### Controller plugin ############ ########### ############ ############################################## kind: StatefulSet apiVersion: apps/v1beta1 metadata: name: csi-do-controller namespace: kube-system spec: serviceName: "csi-do" replicas: 1 template: metadata: labels: app: csi-do-controller role: csi-do spec: priorityClassName: system-cluster-critical serviceAccount: csi-do-controller-sa containers: - name: csi-provisioner image: quay.io/k8scsi/csi-provisioner:v0.3.0 args: - "--provisioner=com.digitalocean.csi.dobs" - "--csi-address=$(ADDRESS)" - "--v=5" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "Always" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher image: quay.io/k8scsi/csi-attacher:v0.3.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "Always" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-do-plugin image: digitalocean/do-csi-plugin:v0.2.0 args : - "--endpoint=$(CSI_ENDPOINT)" - "--token=$(DIGITALOCEAN_ACCESS_TOKEN)" - "--url=$(DIGITALOCEAN_API_URL)" env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: DIGITALOCEAN_API_URL value: https://api.digitalocean.com/ - name: DIGITALOCEAN_ACCESS_TOKEN valueFrom: secretKeyRef: name: digitalocean key: access-token imagePullPolicy: "Always" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ volumes: - name: socket-dir emptyDir: {} --- apiVersion: v1 kind: ServiceAccount metadata: name: csi-do-controller-sa namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-do-controller-provisioner-binding namespace: kube-system subjects: - kind: ServiceAccount name: csi-do-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: system:csi-external-provisioner apiGroup: rbac.authorization.k8s.io --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-do-controller-attacher-binding namespace: kube-system subjects: - kind: ServiceAccount name: csi-do-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: system:csi-external-attacher apiGroup: rbac.authorization.k8s.io --- ######################################## ########### ############ ########### Node plugin ############ ########### ############ ######################################## kind: DaemonSet apiVersion: apps/v1beta2 metadata: name: csi-do-node namespace: kube-system spec: selector: matchLabels: app: csi-do-node template: metadata: labels: app: csi-do-node role: csi-do spec: priorityClassName: system-node-critical serviceAccount: csi-do-node-sa hostNetwork: true containers: - name: driver-registrar image: quay.io/k8scsi/driver-registrar:v0.3.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /csi/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi/ # TODO(arslan): the registrar is not implemented yet # - name: registrar-socket-dir # mountPath: /var/lib/csi/sockets/ - name: csi-do-plugin image: digitalocean/do-csi-plugin:v0.2.0 args : - "--endpoint=$(CSI_ENDPOINT)" - "--token=$(DIGITALOCEAN_ACCESS_TOKEN)" - "--url=$(DIGITALOCEAN_API_URL)" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: DIGITALOCEAN_API_URL value: https://api.digitalocean.com/ - name: DIGITALOCEAN_ACCESS_TOKEN valueFrom: secretKeyRef: name: digitalocean key: access-token imagePullPolicy: "Always" securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true volumeMounts: - name: plugin-dir mountPath: /csi - name: pods-mount-dir mountPath: /var/lib/kubelet # needed so that any mounts setup inside this container are # propagated back to the host machine. mountPropagation: "Bidirectional" - name: device-dir mountPath: /dev volumes: # TODO(arslan): the registar is not implemented yet #- name: registrar-socket-dir # hostPath: # path: /var/lib/kubelet/device-plugins/ # type: DirectoryOrCreate - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/com.digitalocean.csi.dobs type: DirectoryOrCreate - name: pods-mount-dir hostPath: path: /var/lib/kubelet type: Directory - name: device-dir hostPath: path: /dev --- apiVersion: v1 kind: ServiceAccount metadata: name: csi-do-node-sa namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-do-driver-registrar-binding namespace: kube-system subjects: - kind: ServiceAccount name: csi-do-node-sa namespace: kube-system roleRef: kind: ClusterRole name: csi-do-driver-registrar-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-do-driver-registrar-role namespace: kube-system rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "update"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"]