--- apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: csi.hetzner.cloud spec: attachRequired: true podInfoOnMount: true volumeLifecycleModes: - Persistent --- kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: namespace: kube-system name: hcloud-volumes annotations: storageclass.kubernetes.io/is-default-class: "true" provisioner: csi.hetzner.cloud volumeBindingMode: WaitForFirstConsumer allowVolumeExpansion: true --- apiVersion: v1 kind: ServiceAccount metadata: name: hcloud-csi namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hcloud-csi rules: # attacher - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] # provisioner - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["get", "list"] # node - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hcloud-csi subjects: - kind: ServiceAccount name: hcloud-csi namespace: kube-system roleRef: kind: ClusterRole name: hcloud-csi apiGroup: rbac.authorization.k8s.io --- kind: StatefulSet apiVersion: apps/v1 metadata: name: hcloud-csi-controller namespace: kube-system spec: selector: matchLabels: app: hcloud-csi-controller serviceName: hcloud-csi-controller replicas: 1 template: metadata: labels: app: hcloud-csi-controller spec: serviceAccount: hcloud-csi containers: - name: csi-attacher image: quay.io/k8scsi/csi-attacher:v1.2.1 args: - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - --v=5 volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - name: csi-resizer image: quay.io/k8scsi/csi-resizer:v0.3.0 args: - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - --v=5 volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - name: csi-provisioner image: quay.io/k8scsi/csi-provisioner:v1.3.1 args: - --provisioner=csi.hetzner.cloud - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock - --feature-gates=Topology=true - --v=5 volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - name: hcloud-csi-driver image: hetznercloud/hcloud-csi-driver:1.2.3 imagePullPolicy: Always env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: METRICS_ENDPOINT value: 0.0.0.0:9189 - name: HCLOUD_TOKEN valueFrom: secretKeyRef: name: hcloud-csi key: token volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ports: - containerPort: 9189 name: metrics securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true volumes: - name: socket-dir emptyDir: {} --- kind: DaemonSet apiVersion: apps/v1 metadata: name: hcloud-csi-node namespace: kube-system labels: app: hcloud-csi spec: selector: matchLabels: app: hcloud-csi template: metadata: labels: app: hcloud-csi spec: serviceAccount: hcloud-csi containers: - name: csi-node-driver-registrar image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0 args: - --v=5 - --csi-address=/csi/csi.sock - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock env: - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration securityContext: privileged: true - name: hcloud-csi-driver image: hetznercloud/hcloud-csi-driver:1.2.3 imagePullPolicy: Always env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: METRICS_ENDPOINT value: 0.0.0.0:9189 - name: HCLOUD_TOKEN valueFrom: secretKeyRef: name: hcloud-csi key: token volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet mountPropagation: "Bidirectional" - name: plugin-dir mountPath: /csi - name: device-dir mountPath: /dev securityContext: privileged: true ports: - containerPort: 9189 name: metrics volumes: - name: kubelet-dir hostPath: path: /var/lib/kubelet type: Directory - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/csi.hetzner.cloud/ type: DirectoryOrCreate - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: Directory - name: device-dir hostPath: path: /dev type: Directory --- apiVersion: v1 kind: Service metadata: name: hcloud-csi-controller-metrics namespace: kube-system spec: selector: app: hcloud-csi-controller ports: - port: 9189 name: metrics targetPort: metrics --- apiVersion: v1 kind: Service metadata: name: hcloud-csi-node-metrics namespace: kube-system spec: selector: app: hcloud-csi ports: - port: 9189 name: metrics targetPort: metrics