diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml index 84a3d70146fe..252013f995c5 100644 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml +++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml @@ -42,31 +42,6 @@ spec: {{ toYaml .Values.nodeplugin.imagePullSecrets | indent 8 -}} {{- end }} containers: - - name: driver-registrar - # This is necessary only for systems with SELinux, where - # non-privileged sidecar containers cannot access unix domain socket - # created by privileged CSI driver container. - securityContext: - privileged: true - allowPrivilegeEscalation: true - image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" - imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} - args: - - "--v={{ .Values.logLevel }}" - - "--csi-address=/csi/{{ .Values.pluginSocketFile }}" - - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}" - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - resources: -{{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }} - name: csi-cephfsplugin image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} @@ -141,6 +116,31 @@ spec: mountPath: /csi/mountinfo resources: {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} + - name: driver-registrar + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" + imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} + args: + - "--v={{ .Values.logLevel }}" + - "--csi-address=/csi/{{ .Values.pluginSocketFile }}" + - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}" + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: +{{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }} {{- if .Values.nodeplugin.httpMetrics.enabled }} - name: liveness-prometheus securityContext: diff --git a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml index dcc15eef14a1..14b5be0da6d3 100644 --- a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml +++ b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml @@ -67,6 +67,55 @@ spec: {{ toYaml .Values.provisioner.imagePullSecrets | indent 8 -}} {{- end }} containers: + - name: csi-cephfsplugin + image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" + imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} + args: + - "--nodeid=$(NODE_ID)" + - "--type=cephfs" + - "--controllerserver=true" + - "--pidlimit=-1" + - "--endpoint=$(CSI_ENDPOINT)" + - "--v={{ .Values.logLevel }}" + - "--drivername=$(DRIVER_NAME)" +{{- if .Values.provisioner.profiling.enabled }} + - "--enableprofiling={{ .Values.provisioner.profiling.enabled }}" +{{- end }} +{{- if .Values.provisioner.clustername }} + - "--clustername={{ .Values.provisioner.clustername }}" +{{- end }} + - "--setmetadata={{ .Values.provisioner.setmetadata }}" + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DRIVER_NAME + value: {{ .Values.driverName }} + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: "unix:///csi/{{ .Values.provisionerSocketFile }}" + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: host-sys + mountPath: /sys + - name: lib-modules + mountPath: /lib/modules + readOnly: true + - name: host-dev + mountPath: /dev + - name: ceph-config + mountPath: /etc/ceph/ + - name: ceph-csi-config + mountPath: /etc/ceph-csi-config/ + - name: keys-tmp-dir + mountPath: /tmp/csi/keys + resources: +{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} - name: csi-provisioner image: "{{ .Values.provisioner.provisioner.image.repository }}:{{ .Values.provisioner.provisioner.image.tag }}" imagePullPolicy: {{ .Values.provisioner.provisioner.image.pullPolicy }} @@ -134,55 +183,6 @@ spec: resources: {{ toYaml .Values.provisioner.resizer.resources | indent 12 }} {{- end }} - - name: csi-cephfsplugin - image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" - imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} - args: - - "--nodeid=$(NODE_ID)" - - "--type=cephfs" - - "--controllerserver=true" - - "--pidlimit=-1" - - "--endpoint=$(CSI_ENDPOINT)" - - "--v={{ .Values.logLevel }}" - - "--drivername=$(DRIVER_NAME)" -{{- if .Values.provisioner.profiling.enabled }} - - "--enableprofiling={{ .Values.provisioner.profiling.enabled }}" -{{- end }} -{{- if .Values.provisioner.clustername }} - - "--clustername={{ .Values.provisioner.clustername }}" -{{- end }} - - "--setmetadata={{ .Values.provisioner.setmetadata }}" - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: DRIVER_NAME - value: {{ .Values.driverName }} - - name: NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CSI_ENDPOINT - value: "unix:///csi/{{ .Values.provisionerSocketFile }}" - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: host-sys - mountPath: /sys - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: host-dev - mountPath: /dev - - name: ceph-config - mountPath: /etc/ceph/ - - name: ceph-csi-config - mountPath: /etc/ceph-csi-config/ - - name: keys-tmp-dir - mountPath: /tmp/csi/keys - resources: -{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} {{- if .Values.provisioner.httpMetrics.enabled }} - name: liveness-prometheus image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml index 8de3093e47df..925ea6908a61 100644 --- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml +++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml @@ -42,31 +42,6 @@ spec: {{ toYaml .Values.nodeplugin.imagePullSecrets | indent 8 -}} {{- end }} containers: - - name: driver-registrar - # This is necessary only for systems with SELinux, where - # non-privileged sidecar containers cannot access unix domain socket - # created by privileged CSI driver container. - securityContext: - privileged: true - allowPrivilegeEscalation: true - image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" - imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} - args: - - "--v={{ .Values.logLevel }}" - - "--csi-address=/csi/{{ .Values.pluginSocketFile }}" - - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}" - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - resources: -{{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }} - name: csi-rbdplugin image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} @@ -149,6 +124,31 @@ spec: readOnly: true resources: {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} + - name: driver-registrar + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" + imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} + args: + - "--v={{ .Values.logLevel }}" + - "--csi-address=/csi/{{ .Values.pluginSocketFile }}" + - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}" + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: +{{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }} {{- if .Values.nodeplugin.httpMetrics.enabled }} - name: liveness-prometheus securityContext: diff --git a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml index 824377afbb5b..cc72b409862a 100644 --- a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml +++ b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml @@ -67,6 +67,70 @@ spec: {{ toYaml .Values.provisioner.imagePullSecrets | indent 8 -}} {{- end }} containers: + - name: csi-rbdplugin + image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" + imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} + args: + - "--nodeid=$(NODE_ID)" + - "--type=rbd" + - "--controllerserver=true" + - "--pidlimit=-1" + - "--endpoint=$(CSI_ENDPOINT)" + - "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)" + - "--v={{ .Values.logLevel }}" + - "--drivername=$(DRIVER_NAME)" + - "--rbdhardmaxclonedepth={{ .Values.provisioner.hardMaxCloneDepth }}" + - "--rbdsoftmaxclonedepth={{ .Values.provisioner.softMaxCloneDepth }}" + - "--maxsnapshotsonimage={{ .Values.provisioner.maxSnapshotsOnImage }}" + - "--minsnapshotsonimage={{ .Values.provisioner.minSnapshotsOnImage }}" + {{- if .Values.provisioner.skipForceFlatten }} + - "--skipforceflatten={{ .Values.provisioner.skipForceFlatten }}" + {{- end }} + {{- if .Values.provisioner.profiling.enabled }} + - "--enableprofiling={{ .Values.provisioner.profiling.enabled }}" + {{- end }} + {{- if .Values.provisioner.clustername }} + - "--clustername={{ .Values.provisioner.clustername }}" + {{- end }} + - "--setmetadata={{ .Values.provisioner.setmetadata }}" + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DRIVER_NAME + value: {{ .Values.driverName }} + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: "unix:///csi/{{ .Values.provisionerSocketFile }}" + - name: CSI_ADDONS_ENDPOINT + value: "unix:///csi/csi-addons.sock" + volumeMounts: + - name: socket-dir + mountPath: /csi + - mountPath: /dev + name: host-dev + - mountPath: /sys + name: host-sys + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - name: ceph-csi-config + mountPath: /etc/ceph-csi-config/ + - name: ceph-config + mountPath: /etc/ceph/ + - name: ceph-csi-encryption-kms-config + mountPath: /etc/ceph-csi-encryption-kms-config/ + - name: keys-tmp-dir + mountPath: /tmp/csi/keys + - name: oidc-token + mountPath: /run/secrets/tokens + readOnly: true + resources: +{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} - name: csi-provisioner image: "{{ .Values.provisioner.provisioner.image.repository }}:{{ .Values.provisioner.provisioner.image.tag }}" imagePullPolicy: {{ .Values.provisioner.provisioner.image.pullPolicy }} @@ -160,70 +224,6 @@ spec: resources: {{ toYaml .Values.provisioner.attacher.resources | indent 12 }} {{- end }} - - name: csi-rbdplugin - image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" - imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} - args: - - "--nodeid=$(NODE_ID)" - - "--type=rbd" - - "--controllerserver=true" - - "--pidlimit=-1" - - "--endpoint=$(CSI_ENDPOINT)" - - "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)" - - "--v={{ .Values.logLevel }}" - - "--drivername=$(DRIVER_NAME)" - - "--rbdhardmaxclonedepth={{ .Values.provisioner.hardMaxCloneDepth }}" - - "--rbdsoftmaxclonedepth={{ .Values.provisioner.softMaxCloneDepth }}" - - "--maxsnapshotsonimage={{ .Values.provisioner.maxSnapshotsOnImage }}" - - "--minsnapshotsonimage={{ .Values.provisioner.minSnapshotsOnImage }}" - {{- if .Values.provisioner.skipForceFlatten }} - - "--skipforceflatten={{ .Values.provisioner.skipForceFlatten }}" - {{- end }} - {{- if .Values.provisioner.profiling.enabled }} - - "--enableprofiling={{ .Values.provisioner.profiling.enabled }}" - {{- end }} - {{- if .Values.provisioner.clustername }} - - "--clustername={{ .Values.provisioner.clustername }}" - {{- end }} - - "--setmetadata={{ .Values.provisioner.setmetadata }}" - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: DRIVER_NAME - value: {{ .Values.driverName }} - - name: NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CSI_ENDPOINT - value: "unix:///csi/{{ .Values.provisionerSocketFile }}" - - name: CSI_ADDONS_ENDPOINT - value: "unix:///csi/csi-addons.sock" - volumeMounts: - - name: socket-dir - mountPath: /csi - - mountPath: /dev - name: host-dev - - mountPath: /sys - name: host-sys - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - name: ceph-csi-config - mountPath: /etc/ceph-csi-config/ - - name: ceph-config - mountPath: /etc/ceph/ - - name: ceph-csi-encryption-kms-config - mountPath: /etc/ceph-csi-encryption-kms-config/ - - name: keys-tmp-dir - mountPath: /tmp/csi/keys - - name: oidc-token - mountPath: /run/secrets/tokens - readOnly: true - resources: -{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} {{- if .Values.provisioner.deployController }} - name: csi-rbdplugin-controller image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml index 1ae7f21d0fc8..ee4c10883883 100644 --- a/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml +++ b/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml @@ -42,6 +42,55 @@ spec: serviceAccountName: cephfs-csi-provisioner priorityClassName: system-cluster-critical containers: + - name: csi-cephfsplugin + # for stable functionality replace canary with latest release version + image: quay.io/cephcsi/cephcsi:canary + args: + - "--nodeid=$(NODE_ID)" + - "--type=cephfs" + - "--controllerserver=true" + - "--endpoint=$(CSI_ENDPOINT)" + - "--v=5" + - "--drivername=cephfs.csi.ceph.com" + - "--pidlimit=-1" + - "--enableprofiling=false" + - "--setmetadata=true" + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix:///csi/csi-provisioner.sock + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # - name: KMS_CONFIGMAP_NAME + # value: encryptionConfig + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: host-sys + mountPath: /sys + - name: lib-modules + mountPath: /lib/modules + readOnly: true + - name: host-dev + mountPath: /dev + - name: ceph-config + mountPath: /etc/ceph/ + - name: ceph-csi-config + mountPath: /etc/ceph-csi-config/ + - name: keys-tmp-dir + mountPath: /tmp/csi/keys + - name: ceph-csi-encryption-kms-config + mountPath: /etc/ceph-csi-encryption-kms-config/ - name: csi-provisioner image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 args: @@ -93,55 +142,6 @@ spec: volumeMounts: - name: socket-dir mountPath: /csi - - name: csi-cephfsplugin - # for stable functionality replace canary with latest release version - image: quay.io/cephcsi/cephcsi:canary - args: - - "--nodeid=$(NODE_ID)" - - "--type=cephfs" - - "--controllerserver=true" - - "--endpoint=$(CSI_ENDPOINT)" - - "--v=5" - - "--drivername=cephfs.csi.ceph.com" - - "--pidlimit=-1" - - "--enableprofiling=false" - - "--setmetadata=true" - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CSI_ENDPOINT - value: unix:///csi/csi-provisioner.sock - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # - name: KMS_CONFIGMAP_NAME - # value: encryptionConfig - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: host-sys - mountPath: /sys - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: host-dev - mountPath: /dev - - name: ceph-config - mountPath: /etc/ceph/ - - name: ceph-csi-config - mountPath: /etc/ceph-csi-config/ - - name: keys-tmp-dir - mountPath: /tmp/csi/keys - - name: ceph-csi-encryption-kms-config - mountPath: /etc/ceph-csi-encryption-kms-config/ - name: liveness-prometheus image: quay.io/cephcsi/cephcsi:canary args: diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml index c021917c7119..16ea3dcb7ace 100644 --- a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml +++ b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml @@ -20,28 +20,6 @@ spec: # resolved through k8s service, set dns policy to cluster first dnsPolicy: ClusterFirstWithHostNet containers: - - name: driver-registrar - # This is necessary only for systems with SELinux, where - # non-privileged sidecar containers cannot access unix domain socket - # created by privileged CSI driver container. - securityContext: - privileged: true - allowPrivilegeEscalation: true - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - args: - - "--v=1" - - "--csi-address=/csi/csi.sock" - - "--kubelet-registration-path=/var/lib/kubelet/plugins/cephfs.csi.ceph.com/csi.sock" - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - name: csi-cephfsplugin securityContext: privileged: true @@ -121,6 +99,28 @@ spec: mountPath: /csi/mountinfo - name: ceph-csi-encryption-kms-config mountPath: /etc/ceph-csi-encryption-kms-config/ + - name: driver-registrar + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + args: + - "--v=1" + - "--csi-address=/csi/csi.sock" + - "--kubelet-registration-path=/var/lib/kubelet/plugins/cephfs.csi.ceph.com/csi.sock" + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration - name: liveness-prometheus securityContext: privileged: true diff --git a/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml b/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml index 17ece12ae353..b8344c22f69a 100644 --- a/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml +++ b/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml @@ -46,6 +46,63 @@ spec: serviceAccountName: rbd-csi-provisioner priorityClassName: system-cluster-critical containers: + - name: csi-rbdplugin + # for stable functionality replace canary with latest release version + image: quay.io/cephcsi/cephcsi:canary + args: + - "--nodeid=$(NODE_ID)" + - "--type=rbd" + - "--controllerserver=true" + - "--endpoint=$(CSI_ENDPOINT)" + - "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)" + - "--v=5" + - "--drivername=rbd.csi.ceph.com" + - "--pidlimit=-1" + - "--rbdhardmaxclonedepth=8" + - "--rbdsoftmaxclonedepth=4" + - "--enableprofiling=false" + - "--setmetadata=true" + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # - name: KMS_CONFIGMAP_NAME + # value: encryptionConfig + - name: CSI_ENDPOINT + value: unix:///csi/csi-provisioner.sock + - name: CSI_ADDONS_ENDPOINT + value: unix:///csi/csi-addons.sock + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: socket-dir + mountPath: /csi + - mountPath: /dev + name: host-dev + - mountPath: /sys + name: host-sys + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - name: ceph-csi-config + mountPath: /etc/ceph-csi-config/ + - name: ceph-csi-encryption-kms-config + mountPath: /etc/ceph-csi-encryption-kms-config/ + - name: keys-tmp-dir + mountPath: /tmp/csi/keys + - name: ceph-config + mountPath: /etc/ceph/ + - name: oidc-token + mountPath: /run/secrets/tokens + readOnly: true - name: csi-provisioner image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 args: @@ -115,63 +172,6 @@ spec: volumeMounts: - name: socket-dir mountPath: /csi - - name: csi-rbdplugin - # for stable functionality replace canary with latest release version - image: quay.io/cephcsi/cephcsi:canary - args: - - "--nodeid=$(NODE_ID)" - - "--type=rbd" - - "--controllerserver=true" - - "--endpoint=$(CSI_ENDPOINT)" - - "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)" - - "--v=5" - - "--drivername=rbd.csi.ceph.com" - - "--pidlimit=-1" - - "--rbdhardmaxclonedepth=8" - - "--rbdsoftmaxclonedepth=4" - - "--enableprofiling=false" - - "--setmetadata=true" - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # - name: KMS_CONFIGMAP_NAME - # value: encryptionConfig - - name: CSI_ENDPOINT - value: unix:///csi/csi-provisioner.sock - - name: CSI_ADDONS_ENDPOINT - value: unix:///csi/csi-addons.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /csi - - mountPath: /dev - name: host-dev - - mountPath: /sys - name: host-sys - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - name: ceph-csi-config - mountPath: /etc/ceph-csi-config/ - - name: ceph-csi-encryption-kms-config - mountPath: /etc/ceph-csi-encryption-kms-config/ - - name: keys-tmp-dir - mountPath: /tmp/csi/keys - - name: ceph-config - mountPath: /etc/ceph/ - - name: oidc-token - mountPath: /run/secrets/tokens - readOnly: true - name: csi-rbdplugin-controller # for stable functionality replace canary with latest release version image: quay.io/cephcsi/cephcsi:canary diff --git a/deploy/rbd/kubernetes/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/csi-rbdplugin.yaml index 403ababd487c..0d0165f063b0 100644 --- a/deploy/rbd/kubernetes/csi-rbdplugin.yaml +++ b/deploy/rbd/kubernetes/csi-rbdplugin.yaml @@ -22,28 +22,6 @@ spec: # resolved through k8s service, set dns policy to cluster first dnsPolicy: ClusterFirstWithHostNet containers: - - name: driver-registrar - # This is necessary only for systems with SELinux, where - # non-privileged sidecar containers cannot access unix domain socket - # created by privileged CSI driver container. - securityContext: - privileged: true - allowPrivilegeEscalation: true - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 - args: - - "--v=1" - - "--csi-address=/csi/csi.sock" - - "--kubelet-registration-path=/var/lib/kubelet/plugins/rbd.csi.ceph.com/csi.sock" - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - name: csi-rbdplugin securityContext: privileged: true @@ -131,6 +109,28 @@ spec: - name: oidc-token mountPath: /run/secrets/tokens readOnly: true + - name: driver-registrar + # This is necessary only for systems with SELinux, where + # non-privileged sidecar containers cannot access unix domain socket + # created by privileged CSI driver container. + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + args: + - "--v=1" + - "--csi-address=/csi/csi.sock" + - "--kubelet-registration-path=/var/lib/kubelet/plugins/rbd.csi.ceph.com/csi.sock" + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration - name: liveness-prometheus securityContext: privileged: true