# Configuration to deploy the HPE CSI driver compatible with # Kubernetes = v1.18 # # example usage: kubectl create -f --- ############################################# ############ HPE Node Info CRD ############ ############################################# apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: hpenodeinfos.storage.hpe.com spec: group: storage.hpe.com names: kind: HPENodeInfo plural: hpenodeinfos scope: Cluster validation: openAPIV3Schema: properties: hpeNodes: description: List of HPE nodes configured for storage access. items: properties: uuid: description: The UUID of the node. type: string iqns: description: List of IQNs configured on the node. items: type: string type: array chapUser: description: The CHAP User Name type: string chapPassword: description: The CHAP Password type: string networks: description: List of networks configured on the node. items: type: string type: array wwpns: description: List of WWPNs configured on the node. items: type: string type: array type: array version: v1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- ################# CSI Driver CRD ########### apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: csi.hpe.com spec: podInfoOnMount: true volumeLifecycleModes: - Persistent - Ephemeral --- ############################################# ############ Controller driver ############ ############################################# kind: Deployment apiVersion: apps/v1 metadata: name: hpe-csi-controller namespace: kube-system spec: replicas: 1 selector: matchLabels: app: hpe-csi-controller template: metadata: labels: app: hpe-csi-controller role: hpe-csi spec: priorityClassName: system-cluster-critical serviceAccount: hpe-csi-controller-sa hostNetwork: true dnsPolicy: ClusterFirstWithHostNet dnsConfig: options: - name: ndots value: "1" containers: - name: csi-provisioner image: quay.io/k8scsi/csi-provisioner:v1.5.0 args: - "--csi-address=$(ADDRESS)" - "--v=5" - "--timeout=30s" - "--worker-threads=16" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher image: quay.io/k8scsi/csi-attacher:v2.1.1 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-snapshotter image: quay.io/k8scsi/csi-snapshotter:v2.0.1 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-resizer image: quay.io/k8scsi/csi-resizer:v0.4.0 args: - "--csi-address=$(ADDRESS)" - "--v=5" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: hpe-csi-driver image: hpestorage/csi-driver:v1.3.0 args : - "--endpoint=$(CSI_ENDPOINT)" - "--flavor=kubernetes" - "--pod-monitor" - "--pod-monitor-interval=30" env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: LOG_LEVEL value: trace imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: log-dir mountPath: /var/log - name: k8s mountPath: /etc/kubernetes - name: hpeconfig mountPath: /etc/hpe-storage - name: root-dir mountPath: /host - name: csi-volume-mutator image: quay.io/hpestorage/volume-mutator:v1.0.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-extensions image: quay.io/hpestorage/csi-extensions:v1.0.0 args: - "--v=5" - "--endpoint=$(CSI_ENDPOINT)" env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi-extensions.sock - name: LOG_LEVEL value: trace imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ volumes: - name: socket-dir emptyDir: {} - name: log-dir hostPath: path: /var/log - name: k8s hostPath: path: /etc/kubernetes/ - name: hpeconfig hostPath: path: /etc/hpe-storage/ - name: root-dir hostPath: path: / --- kind: ServiceAccount apiVersion: v1 metadata: name: hpe-csi-controller-sa namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-provisioner-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list"] - apiGroups: [""] resources: ["serviceaccounts"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "create"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete", "update"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: [""] resources: ["services"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["get", "list"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "delete"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch", "delete"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-provisioner-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: hpe-csi-provisioner-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-attacher-role rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["get", "list", "watch", "update", "create", "delete"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-attacher-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: hpe-csi-attacher-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotter-role rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots/status"] verbs: ["update"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotter-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: hpe-csi-snapshotter-role apiGroup: rbac.authorization.k8s.io --- # Resizer must be able to work with PVCs, PVs, SCs. kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: external-resizer-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-resizer-role subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: external-resizer-role apiGroup: rbac.authorization.k8s.io --- # Resizer must be able to work with end point in current namespace # if (and only if) leadership election is enabled kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: kube-system name: external-resizer-cfg rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-resizer-role-cfg namespace: kube-system subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: Role name: external-resizer-cfg apiGroup: rbac.authorization.k8s.io --- # mutator must be able to work with PVCs, PVs, SCs. kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa # replace with non-default namespace name namespace: kube-system roleRef: kind: ClusterRole name: csi-mutator-role apiGroup: rbac.authorization.k8s.io --- # mutator must be able to work with end point in current namespace # if (and only if) leadership election is enabled kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: kube-system name: csi-mutator-cfg rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-role-cfg namespace: kube-system subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system roleRef: kind: Role name: csi-mutator-cfg apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-driver-role namespace: kube-system rules: - apiGroups: ["storage.hpe.com"] resources: ["hpenodeinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["services"] verbs: ["get"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list"] - apiGroups: ["storage.hpe.com"] resources: ["hpevolumeinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["hpereplicationdeviceinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] --- ####################################### ############ Node driver ############ ####################################### kind: DaemonSet apiVersion: apps/v1 metadata: name: hpe-csi-node namespace: kube-system spec: selector: matchLabels: app: hpe-csi-node template: metadata: labels: app: hpe-csi-node role: hpe-csi spec: priorityClassName: system-node-critical serviceAccount: hpe-csi-node-sa hostNetwork: true dnsPolicy: ClusterFirstWithHostNet dnsConfig: options: - name: ndots value: "1" containers: - name: csi-node-driver-registrar image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0 args: - "--csi-address=$(ADDRESS)" - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - "--v=5" lifecycle: preStop: exec: command: ["/bin/sh", "-c", "rm -rf /registration/csi.hpe.com /registration/csi.hpe.com-reg.sock"] env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/csi.hpe.com/csi.sock volumeMounts: - name: plugin-dir mountPath: /csi/ - name: registration-dir mountPath: /registration - name: hpe-csi-driver image: hpestorage/csi-driver:v1.3.0 args : - "--endpoint=$(CSI_ENDPOINT)" - "--node-service" - "--flavor=kubernetes" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: LOG_LEVEL value: trace - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: CHAP_USER value: "" - name: CHAP_PASSWORD value: "" - name: DISABLE_NODE_CONFORMANCE value: "false" imagePullPolicy: "Always" securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true volumeMounts: - name: plugin-dir mountPath: /csi - name: pods-mount-dir mountPath: /var/lib/kubelet # needed so that any mounts setup inside this container are # propagated back to the host machine. mountPropagation: "Bidirectional" - name: root-dir mountPath: /host mountPropagation: "Bidirectional" - name: device-dir mountPath: /dev - name: log-dir mountPath: /var/log - name: etc-hpe-storage-dir mountPath: /etc/hpe-storage - name: etc-kubernetes mountPath: /etc/kubernetes - name: sys mountPath: /sys - name: runsystemd mountPath: /run/systemd - name: etcsystemd mountPath: /etc/systemd/system - name: linux-config-file mountPath: /opt/hpe-storage/nimbletune/config.json subPath: config.json volumes: - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/csi.hpe.com - name: pods-mount-dir hostPath: path: /var/lib/kubelet - name: root-dir hostPath: path: / - name: device-dir hostPath: path: /dev - name: log-dir hostPath: path: /var/log - name: etc-hpe-storage-dir hostPath: path: /etc/hpe-storage - name: etc-kubernetes hostPath: path: /etc/kubernetes - name: runsystemd hostPath: path: /run/systemd - name: etcsystemd hostPath: path: /etc/systemd/system - name: sys hostPath: path: /sys - name: linux-config-file configMap: name: hpe-linux-config --- apiVersion: v1 kind: ServiceAccount metadata: name: hpe-csi-node-sa namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-driver-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: kube-system - kind: ServiceAccount name: hpe-csi-node-sa namespace: kube-system roleRef: kind: ClusterRole name: hpe-csi-driver-role apiGroup: rbac.authorization.k8s.io