apiVersion: v1 kind: Namespace metadata: name: openebs --- apiVersion: v1 kind: ServiceAccount metadata: name: openebs-maya-operator namespace: openebs --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: openebs annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default spec: privileged: true seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - "*" --- # Allow OpenEBS to manage all core objects in its own namespace. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: openebs-maya-operator namespace: openebs rules: - apiGroups: ["*"] resources: - services - pods - deployments - deployments/finalizers - replicationcontrollers - replicasets - statefulsets - daemonsets - events - endpoints - configmaps - secrets - jobs - cronjobs verbs: ["*"] - apiGroups: ["*"] resources: ["pods/exec"] verbs: ["create"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: openebs-maya-operator namespace: openebs subjects: - kind: ServiceAccount name: openebs-maya-operator namespace: openebs roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: openebs-maya-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: openebs-maya-operator rules: # Tie OpenEBS to its PSP. - apiGroups: ["extensions"] resources: ["podsecuritypolicies"] resourceNames: ["openebs"] verbs: ["use"] # Allow OpenEBS read-only access to a few cluster-wide objects. - apiGroups: ["*"] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["*"] resources: ["nodes/proxy"] verbs: ["get"] - apiGroups: ["*"] resources: ["namespaces"] verbs: ["get", "watch"] # Allow OpenEBS to manage persistent storage cluster-wide. - apiGroups: ["*"] resources: - storageclasses - persistentvolumeclaims - persistentvolumes verbs: ["*"] # Allow OpenEBS to create events. - apiGroups: ["*"] resources: - events verbs: ["create", "patch"] # Allow OpenEBS to register its custom objects. - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["*"] # Allow OpenEBS to manage its own custom objects cluster-wide. - apiGroups: ["*"] resources: - disks - blockdevices - blockdeviceclaims - cstorpoolclusters - storagepoolclaims - storagepoolclaims/finalizers - cstorpoolclusters/finalizers - storagepools - castemplates - runtasks - upgradetasks - cstorpools - cstorpools/finalizers - cstorvolumereplicas - cstorvolumes - cstorvolumeclaims - cstorpoolinstances - cstorpoolinstances/finalizers - cstorbackups - cstorrestores - cstorcompletedbackups verbs: ["*"] - apiGroups: ["volumesnapshot.external-storage.k8s.io"] resources: - volumesnapshots - volumesnapshotdatas verbs: ["*"] # Allow OpenEBS to install and manage its own admission webhooks. - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["list", "create"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] resourceNames: ["openebs-validation-webhook-cfg"] verbs: ["*"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: openebs-maya-operator subjects: - kind: ServiceAccount name: openebs-maya-operator namespace: openebs roleRef: kind: ClusterRole name: openebs-maya-operator apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: gravity-site namespace: openebs rules: - apiGroups: - "" resources: - configmaps verbs: - get - update - apiGroups: - apps resources: - daemonsets verbs: - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: gravity-site namespace: openebs roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: gravity-site subjects: - kind: ServiceAccount name: gravity-site namespace: kube-system --- apiVersion: apps/v1 kind: Deployment metadata: name: maya-apiserver namespace: openebs labels: name: maya-apiserver openebs.io/component-name: maya-apiserver openebs.io/version: 1.7.0 spec: selector: matchLabels: name: maya-apiserver openebs.io/component-name: maya-apiserver replicas: 1 strategy: type: Recreate rollingUpdate: null template: metadata: labels: name: maya-apiserver openebs.io/component-name: maya-apiserver openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: maya-apiserver imagePullPolicy: Always image: quay.io/openebs/m-apiserver:0.0.0 ports: - containerPort: 5656 env: # OPENEBS_IO_KUBE_CONFIG enables maya api service to connect to K8s # based on this config. This is ignored if empty. # This is supported for maya api server version 0.5.2 onwards #- name: OPENEBS_IO_KUBE_CONFIG # value: "/home/ubuntu/.kube/config" # OPENEBS_IO_K8S_MASTER enables maya api service to connect to K8s # based on this address. This is ignored if empty. # This is supported for maya api server version 0.5.2 onwards #- name: OPENEBS_IO_K8S_MASTER # value: "http://172.28.128.3:8080" # OPENEBS_NAMESPACE provides the namespace of this deployment as an # environment variable - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace # OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as # environment variable - name: OPENEBS_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName # OPENEBS_MAYA_POD_NAME provides the name of this pod as # environment variable - name: OPENEBS_MAYA_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name # If OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG is false then OpenEBS default # storageclass and storagepool will not be created. - name: OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG value: "true" # OPENEBS_IO_INSTALL_DEFAULT_CSTOR_SPARSE_POOL decides whether default cstor sparse pool should be # configured as a part of openebs installation. # If "true" a default cstor sparse pool will be configured, if "false" it will not be configured. # This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG # is set to true - name: OPENEBS_IO_INSTALL_DEFAULT_CSTOR_SPARSE_POOL value: "false" # OPENEBS_IO_BASE_DIR is used to configure base directory for openebs on host path. # Where OpenEBS can store required files. Default base path will be /var/openebs - name: OPENEBS_IO_BASE_DIR value: "/var/lib/gravity/openebs" # OPENEBS_IO_CSTOR_TARGET_DIR can be used to specify the hostpath # to be used for saving the shared content between the side cars # of cstor volume pod. # The default path used is /var/openebs/sparse - name: OPENEBS_IO_CSTOR_TARGET_DIR value: "/var/lib/gravity/openebs/sparse" # OPENEBS_IO_CSTOR_POOL_SPARSE_DIR can be used to specify the hostpath # to be used for saving the shared content between the side cars # of cstor pool pod. This ENV is also used to indicate the location # of the sparse devices. # The default path used is /var/openebs/sparse - name: OPENEBS_IO_CSTOR_POOL_SPARSE_DIR value: "/var/lib/gravity/openebs/sparse" # OPENEBS_IO_JIVA_POOL_DIR can be used to specify the hostpath # to be used for default Jiva StoragePool loaded by OpenEBS # The default path used is /var/openebs # This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG # is set to true - name: OPENEBS_IO_JIVA_POOL_DIR value: "/var/lib/gravity/openebs" # OPENEBS_IO_LOCALPV_HOSTPATH_DIR can be used to specify the hostpath # to be used for default openebs-hostpath storageclass loaded by OpenEBS # The default path used is /var/openebs/local # This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG # is set to true - name: OPENEBS_IO_LOCALPV_HOSTPATH_DIR value: "/var/lib/gravity/openebs/local" - name: OPENEBS_IO_JIVA_CONTROLLER_IMAGE value: "registry.local:5000/openebs/jiva:1.7.0" - name: OPENEBS_IO_JIVA_REPLICA_IMAGE value: "registry.local:5000/openebs/jiva:1.7.0" - name: OPENEBS_IO_JIVA_REPLICA_COUNT value: "3" - name: OPENEBS_IO_CSTOR_TARGET_IMAGE value: "registry.local:5000/openebs/cstor-istgt:1.7.0" - name: OPENEBS_IO_CSTOR_POOL_IMAGE value: "registry.local:5000/openebs/cstor-pool:1.7.0" - name: OPENEBS_IO_CSTOR_POOL_MGMT_IMAGE value: "registry.local:5000/openebs/cstor-pool-mgmt:1.7.0" - name: OPENEBS_IO_CSTOR_VOLUME_MGMT_IMAGE value: "registry.local:5000/openebs/cstor-volume-mgmt:1.7.0" - name: OPENEBS_IO_VOLUME_MONITOR_IMAGE value: "registry.local:5000/openebs/m-exporter:1.7.0" - name: OPENEBS_IO_CSTOR_POOL_EXPORTER_IMAGE value: "registry.local:5000/openebs/m-exporter:1.7.0" - name: OPENEBS_IO_HELPER_IMAGE value: "registry.local:5000/openebs/linux-utils:1.7.0" # OPENEBS_IO_ENABLE_ANALYTICS if set to true sends anonymous usage # events to Google Analytics - name: OPENEBS_IO_ENABLE_ANALYTICS value: "false" - name: OPENEBS_IO_INSTALLER_TYPE value: "openebs-operator" # OPENEBS_IO_ANALYTICS_PING_INTERVAL can be used to specify the duration (in hours) # for periodic ping events sent to Google Analytics. # Default is 24h. # Minimum is 1h. You can convert this to weekly by setting 168h #- name: OPENEBS_IO_ANALYTICS_PING_INTERVAL # value: "24h" livenessProbe: exec: command: - /usr/local/bin/mayactl - version initialDelaySeconds: 30 periodSeconds: 60 readinessProbe: exec: command: - /usr/local/bin/mayactl - version initialDelaySeconds: 30 periodSeconds: 60 --- apiVersion: v1 kind: Service metadata: name: maya-apiserver-service namespace: openebs labels: openebs.io/component-name: maya-apiserver-svc spec: ports: - name: api port: 5656 protocol: TCP targetPort: 5656 selector: name: maya-apiserver sessionAffinity: None --- apiVersion: apps/v1 kind: Deployment metadata: name: openebs-provisioner namespace: openebs labels: name: openebs-provisioner openebs.io/component-name: openebs-provisioner openebs.io/version: 1.7.0 spec: selector: matchLabels: name: openebs-provisioner openebs.io/component-name: openebs-provisioner replicas: 1 strategy: type: Recreate rollingUpdate: null template: metadata: labels: name: openebs-provisioner openebs.io/component-name: openebs-provisioner openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: openebs-provisioner imagePullPolicy: Always image: quay.io/openebs/openebs-k8s-provisioner:0.0.0 env: # OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s # based on this address. This is ignored if empty. # This is supported for openebs provisioner version 0.5.2 onwards #- name: OPENEBS_IO_K8S_MASTER # value: "http://10.128.0.12:8080" # OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s # based on this config. This is ignored if empty. # This is supported for openebs provisioner version 0.5.2 onwards #- name: OPENEBS_IO_KUBE_CONFIG # value: "/home/ubuntu/.kube/config" - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace # OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name, # that provisioner should forward the volume create/delete requests. # If not present, "maya-apiserver-service" will be used for lookup. # This is supported for openebs provisioner version 0.5.3-RC1 onwards #- name: OPENEBS_MAYA_SERVICE_NAME # value: "maya-apiserver-apiservice" livenessProbe: exec: command: - pgrep - ".*openebs" initialDelaySeconds: 30 periodSeconds: 60 --- apiVersion: apps/v1 kind: Deployment metadata: name: openebs-snapshot-operator namespace: openebs labels: name: openebs-snapshot-operator openebs.io/component-name: openebs-snapshot-operator openebs.io/version: 1.7.0 spec: selector: matchLabels: name: openebs-snapshot-operator openebs.io/component-name: openebs-snapshot-operator replicas: 1 strategy: type: Recreate template: metadata: labels: name: openebs-snapshot-operator openebs.io/component-name: openebs-snapshot-operator openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: snapshot-controller image: quay.io/openebs/snapshot-controller:0.0.0 imagePullPolicy: Always env: - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace livenessProbe: exec: command: - pgrep - ".*controller" initialDelaySeconds: 30 periodSeconds: 60 # OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name, # that snapshot controller should forward the snapshot create/delete requests. # If not present, "maya-apiserver-service" will be used for lookup. # This is supported for openebs provisioner version 0.5.3-RC1 onwards #- name: OPENEBS_MAYA_SERVICE_NAME # value: "maya-apiserver-apiservice" - name: snapshot-provisioner image: quay.io/openebs/snapshot-provisioner:0.0.0 imagePullPolicy: Always env: - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace # OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name, # that snapshot provisioner should forward the clone create/delete requests. # If not present, "maya-apiserver-service" will be used for lookup. # This is supported for openebs provisioner version 0.5.3-RC1 onwards #- name: OPENEBS_MAYA_SERVICE_NAME # value: "maya-apiserver-apiservice" livenessProbe: exec: command: - pgrep - ".*provisioner" initialDelaySeconds: 30 periodSeconds: 60 --- apiVersion: apps/v1 kind: DaemonSet metadata: name: openebs-ndm namespace: openebs labels: name: openebs-ndm openebs.io/component-name: ndm openebs.io/version: 1.7.0 spec: selector: matchLabels: name: openebs-ndm openebs.io/component-name: ndm updateStrategy: type: RollingUpdate template: metadata: labels: name: openebs-ndm openebs.io/component-name: ndm openebs.io/version: 1.7.0 spec: # By default the node-disk-manager will be run on all kubernetes nodes # If you would like to limit this to only some nodes, say the nodes # that have storage attached, you could label those node and use # nodeSelector. # # e.g. label the storage nodes with - "openebs.io/nodegroup"="storage-node" # kubectl label node "openebs.io/nodegroup"="storage-node" #nodeSelector: # "openebs.io/nodegroup": "storage-node" # Specify a node anti-affinity rule so users can mark nodes where they don't # want NDM to run with "gravitational.io/no-storage" label. affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: gravitational.io/no-storage operator: DoesNotExist serviceAccountName: openebs-maya-operator hostNetwork: true containers: - name: node-disk-manager image: quay.io/openebs/node-disk-manager-amd64:0.0.0 imagePullPolicy: Always securityContext: privileged: true volumeMounts: - name: config mountPath: /host/node-disk-manager.config subPath: node-disk-manager.config readOnly: true - name: udev mountPath: /run/udev - name: procmount mountPath: /host/proc readOnly: true - name: basepath mountPath: /var/lib/gravity/openebs/ndm - name: sparsepath mountPath: /var/lib/gravity/openebs/sparse env: # namespace in which NDM is installed will be passed to NDM Daemonset # as environment variable - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace # pass hostname as env variable using downward API to the NDM container - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName # specify the directory where the sparse files need to be created. # if not specified, then sparse files will not be created. - name: SPARSE_FILE_DIR value: "/var/lib/gravity/openebs/sparse" # Size(bytes) of the sparse file to be created. - name: SPARSE_FILE_SIZE value: "10737418240" # Specify the number of sparse files to be created - name: SPARSE_FILE_COUNT value: "0" livenessProbe: exec: command: - pgrep - ".*ndm" initialDelaySeconds: 30 periodSeconds: 60 volumes: - name: config configMap: name: openebs-ndm-config - name: udev hostPath: path: /run/udev type: Directory # mount /proc (to access mount file of process 1 of host) inside container # to read mount-point of disks and partitions - name: procmount hostPath: path: /proc type: Directory - name: basepath hostPath: path: /var/lib/gravity/openebs/ndm type: DirectoryOrCreate - name: sparsepath hostPath: path: /var/lib/gravity/openebs/sparse --- apiVersion: apps/v1 kind: Deployment metadata: name: openebs-ndm-operator namespace: openebs labels: name: openebs-ndm-operator openebs.io/component-name: ndm-operator openebs.io/version: 1.7.0 spec: selector: matchLabels: name: openebs-ndm-operator openebs.io/component-name: ndm-operator replicas: 1 strategy: type: Recreate template: metadata: labels: name: openebs-ndm-operator openebs.io/component-name: ndm-operator openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: node-disk-operator image: quay.io/openebs/node-disk-operator-amd64:0.0.0 imagePullPolicy: Always readinessProbe: exec: command: - stat - /tmp/operator-sdk-ready initialDelaySeconds: 4 periodSeconds: 10 failureThreshold: 1 env: - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name # the service account of the ndm-operator pod - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: OPERATOR_NAME value: "node-disk-operator" - name: CLEANUP_JOB_IMAGE value: "registry.local:5000/openebs/linux-utils:1.7.0" --- apiVersion: apps/v1 kind: Deployment metadata: name: openebs-admission-server namespace: openebs labels: app: admission-webhook openebs.io/component-name: admission-webhook openebs.io/version: 1.7.0 spec: replicas: 1 strategy: type: Recreate rollingUpdate: null selector: matchLabels: app: admission-webhook template: metadata: labels: app: admission-webhook openebs.io/component-name: admission-webhook openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: admission-webhook image: quay.io/openebs/admission-server:0.0.0 imagePullPolicy: Always args: - -alsologtostderr - -v=2 - 2>&1 env: - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ADMISSION_WEBHOOK_NAME value: "openebs-admission-server" --- apiVersion: apps/v1 kind: Deployment metadata: name: openebs-localpv-provisioner namespace: openebs labels: name: openebs-localpv-provisioner openebs.io/component-name: openebs-localpv-provisioner openebs.io/version: 1.7.0 spec: selector: matchLabels: name: openebs-localpv-provisioner openebs.io/component-name: openebs-localpv-provisioner replicas: 1 strategy: type: Recreate template: metadata: labels: name: openebs-localpv-provisioner openebs.io/component-name: openebs-localpv-provisioner openebs.io/version: 1.7.0 spec: serviceAccountName: openebs-maya-operator containers: - name: openebs-provisioner-hostpath imagePullPolicy: Always image: quay.io/openebs/provisioner-localpv:0.0.0 env: # OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s # based on this address. This is ignored if empty. # This is supported for openebs provisioner version 0.5.2 onwards #- name: OPENEBS_IO_K8S_MASTER # value: "http://10.128.0.12:8080" # OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s # based on this config. This is ignored if empty. # This is supported for openebs provisioner version 0.5.2 onwards #- name: OPENEBS_IO_KUBE_CONFIG # value: "/home/ubuntu/.kube/config" - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: OPENEBS_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace # OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as # environment variable - name: OPENEBS_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: OPENEBS_IO_ENABLE_ANALYTICS value: "true" - name: OPENEBS_IO_INSTALLER_TYPE value: "openebs-operator" - name: OPENEBS_IO_HELPER_IMAGE value: "registry.local:5000/openebs/linux-utils:1.7.0" livenessProbe: exec: command: - pgrep - ".*localpv" initialDelaySeconds: 30 periodSeconds: 60