apiVersion: v1 kind: Template metadata: name: "local-storage-provisioner" objects: # $SERVICE_ACCOUNT must be able to manipulate with PVs - apiVersion: v1 kind: ClusterRoleBinding metadata: name: local-storage:provisioner-pv-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:persistent-volume-provisioner subjects: - kind: ServiceAccount name: ${SERVICE_ACCOUNT} namespace: ${NAMESPACE} # $SERVICE_ACCOUNT must be able to list nodes - apiVersion: v1 kind: ClusterRoleBinding metadata: name: local-storage:provisioner-node-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:node subjects: - kind: ServiceAccount name: ${SERVICE_ACCOUNT} namespace: ${NAMESPACE} # DaemonSet with provisioners - apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: local-volume-provisioner spec: template: metadata: labels: app: local-volume-provisioner spec: containers: - env: - name: MY_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: MY_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: VOLUME_CONFIG_NAME value: ${CONFIGMAP} image: ${PROVISIONER_IMAGE} name: provisioner securityContext: runAsUser: 0 seLinuxOptions: # Trump SELinux contexts of all pods that could write files to local volume - the provisioner must be able to clean their files. level: "s0:c0.c1023" volumeMounts: - mountPath: /mnt/local-storage name: local-storage mountPropagation: HostToContainer - mountPath: /etc/provisioner/config name: provisioner-config readOnly: true serviceAccountName: "${SERVICE_ACCOUNT}" volumes: - hostPath: path: /mnt/local-storage name: local-storage - configMap: name: ${CONFIGMAP} name: provisioner-config parameters: - name: SERVICE_ACCOUNT description: Name of service account that is able to run pods as root and use HostPath volumes. required: true value: local-storage-admin - name: NAMESPACE description: Name of namespace where local provisioners run required: true value: local-storage - name: CONFIGMAP description: Name of ConfigMap with local provisioner configuration. required: true value: local-storage-admin - name: PROVISIONER_IMAGE description: Name of image with local provisioner. required: true value: quay.io/external_storage/local-volume-provisioner:v1.0.1