Skip to content

Commit ba26d27

Browse files
hrakhrak
committed
feat: Use SA for node daemonset in deploy manifest and other improvements
1 parent 507a337 commit ba26d27

3 files changed

Lines changed: 171 additions & 43 deletions

File tree

deploy/k8s/controller-deployment.yaml

Lines changed: 61 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -23,14 +23,39 @@ spec:
2323
spec:
2424
priorityClassName: system-cluster-critical
2525
serviceAccountName: cloudstack-csi-controller
26+
affinity:
27+
podAntiAffinity:
28+
requiredDuringSchedulingIgnoredDuringExecution:
29+
- labelSelector:
30+
matchExpressions:
31+
- key: "app.kubernetes.io/name"
32+
operator: In
33+
values:
34+
- cloudstack-csi-controller
35+
topologyKey: "kubernetes.io/hostname"
36+
nodeAffinity:
37+
requiredDuringSchedulingIgnoredDuringExecution:
38+
nodeSelectorTerms:
39+
- matchExpressions:
40+
- key: node-role.kubernetes.io/control-plane
41+
operator: Exists
2642
nodeSelector:
2743
kubernetes.io/os: linux
28-
node-role.kubernetes.io/control-plane: ""
2944
tolerations:
30-
- effect: NoExecute
45+
- key: node-role.kubernetes.io/control-plane
46+
operator: Exists
47+
effect: NoSchedule
48+
- key: CriticalAddonsOnly
3149
operator: Exists
32-
- effect: NoSchedule
50+
- effect: NoExecute
3351
operator: Exists
52+
tolerationSeconds: 300
53+
securityContext:
54+
runAsNonRoot: true
55+
runAsUser: 65532
56+
runAsGroup: 65532
57+
fsGroup: 65532
58+
fsGroupChangePolicy: OnRootMismatch
3459

3560
containers:
3661
- name: cloudstack-csi-controller
@@ -45,10 +70,6 @@ spec:
4570
env:
4671
- name: CSI_ENDPOINT
4772
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
48-
securityContext:
49-
runAsNonRoot: true
50-
runAsUser: 65532
51-
runAsGroup: 65532
5273
volumeMounts:
5374
- name: socket-dir
5475
mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -62,10 +83,21 @@ spec:
6283
httpGet:
6384
path: /healthz
6485
port: healthz
65-
initialDelaySeconds: 30
66-
timeoutSeconds: 10
67-
periodSeconds: 180
68-
failureThreshold: 3
86+
initialDelaySeconds: 10
87+
timeoutSeconds: 3
88+
periodSeconds: 10
89+
failureThreshold: 5
90+
resources:
91+
requests:
92+
cpu: 10m
93+
memory: 40Mi
94+
limits:
95+
memory: 256Mi
96+
securityContext:
97+
seccompProfile:
98+
type: RuntimeDefault
99+
readOnlyRootFilesystem: true
100+
allowPrivilegeEscalation: false
69101

70102
- name: external-provisioner
71103
image: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
@@ -89,6 +121,11 @@ spec:
89121
volumeMounts:
90122
- name: socket-dir
91123
mountPath: /var/lib/csi/sockets/pluginproxy/
124+
securityContext:
125+
seccompProfile:
126+
type: RuntimeDefault
127+
readOnlyRootFilesystem: true
128+
allowPrivilegeEscalation: false
92129

93130
- name: external-attacher
94131
image: registry.k8s.io/sig-storage/csi-attacher:v4.6.1
@@ -109,6 +146,11 @@ spec:
109146
volumeMounts:
110147
- name: socket-dir
111148
mountPath: /var/lib/csi/sockets/pluginproxy/
149+
securityContext:
150+
seccompProfile:
151+
type: RuntimeDefault
152+
readOnlyRootFilesystem: true
153+
allowPrivilegeEscalation: false
112154

113155
- name: external-resizer
114156
image: registry.k8s.io/sig-storage/csi-resizer:v1.11.1
@@ -129,6 +171,11 @@ spec:
129171
volumeMounts:
130172
- name: socket-dir
131173
mountPath: /var/lib/csi/sockets/pluginproxy/
174+
securityContext:
175+
seccompProfile:
176+
type: RuntimeDefault
177+
readOnlyRootFilesystem: true
178+
allowPrivilegeEscalation: false
132179

133180
- name: liveness-probe
134181
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
@@ -141,6 +188,9 @@ spec:
141188
volumeMounts:
142189
- name: socket-dir
143190
mountPath: /var/lib/csi/sockets/pluginproxy/
191+
securityContext:
192+
readOnlyRootFilesystem: true
193+
allowPrivilegeEscalation: false
144194

145195
volumes:
146196
- name: socket-dir

deploy/k8s/node-daemonset.yaml

Lines changed: 76 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -9,25 +9,35 @@ spec:
99
app.kubernetes.io/name: cloudstack-csi-node
1010
updateStrategy:
1111
type: RollingUpdate
12+
rollingUpdate:
13+
maxUnavailable: "10%"
1214
template:
1315
metadata:
1416
labels:
1517
app.kubernetes.io/name: cloudstack-csi-node
1618
app.kubernetes.io/part-of: cloudstack-csi-driver
1719
spec:
1820
priorityClassName: system-node-critical
21+
serviceAccountName: cloudstack-csi-node
1922
nodeSelector:
2023
kubernetes.io/os: linux
24+
terminationGracePeriodSeconds: 30
2125
tolerations:
22-
- effect: NoExecute
23-
operator: Exists
2426
- effect: NoSchedule
2527
operator: Exists
28+
- effect: NoExecute
29+
operator: Exists
30+
tolerationSeconds: 300
31+
securityContext:
32+
runAsNonRoot: false
33+
runAsUser: 0
34+
runAsGroup: 0
35+
fsGroup: 0
2636

2737
containers:
2838
- name: cloudstack-csi-node
2939
image: cloudstack-csi-driver
30-
imagePullPolicy: Always
40+
imagePullPolicy: IfNotPresent
3141
args:
3242
- "node"
3343
- "--endpoint=$(CSI_ENDPOINT)"
@@ -42,11 +52,6 @@ spec:
4252
valueFrom:
4353
fieldRef:
4454
fieldPath: spec.nodeName
45-
securityContext:
46-
privileged: true
47-
capabilities:
48-
add: ["SYS_ADMIN"]
49-
allowPrivilegeEscalation: true
5055
volumeMounts:
5156
- name: plugin-dir
5257
mountPath: /csi
@@ -59,6 +64,9 @@ spec:
5964
mountPath: /dev
6065
- name: cloud-init-dir
6166
mountPath: /run/cloud-init/
67+
# Comment the above 2 lines and uncomment the next 2 lines for Ignition support
68+
# - name: ignition-dir
69+
# mountPath: /run/metadata
6270
- name: cloudstack-conf
6371
mountPath: /etc/cloudstack-csi-driver
6472
ports:
@@ -70,21 +78,19 @@ spec:
7078
path: /healthz
7179
port: healthz
7280
initialDelaySeconds: 10
73-
timeoutSeconds: 5
74-
periodSeconds: 5
75-
failureThreshold: 3
76-
77-
- name: liveness-probe
78-
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
79-
args:
80-
- "--v=4"
81-
- "--csi-address=$(ADDRESS)"
82-
env:
83-
- name: ADDRESS
84-
value: /csi/csi.sock
85-
volumeMounts:
86-
- name: plugin-dir
87-
mountPath: /csi
81+
timeoutSeconds: 3
82+
periodSeconds: 10
83+
failureThreshold: 5
84+
resources:
85+
limits:
86+
cpu: "200m"
87+
memory: 200Mi
88+
requests:
89+
cpu: "50m"
90+
memory: 50Mi
91+
securityContext:
92+
# readOnlyRootFilesystem: true
93+
privileged: true
8894

8995
- name: node-driver-registrar
9096
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
@@ -94,15 +100,6 @@ spec:
94100
- "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)"
95101
- "--v=5"
96102
- "--health-port=9809"
97-
livenessProbe:
98-
httpGet:
99-
path: /healthz
100-
port: healthz
101-
failureThreshold: 5
102-
initialDelaySeconds: 60
103-
periodSeconds: 10
104-
successThreshold: 1
105-
timeoutSeconds: 15
106103
env:
107104
- name: ADDRESS
108105
value: /csi/csi.sock
@@ -116,6 +113,48 @@ spec:
116113
ports:
117114
- containerPort: 9809
118115
name: healthz
116+
livenessProbe:
117+
exec:
118+
command:
119+
- /csi-node-driver-registrar
120+
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
121+
- --mode=kubelet-registration-probe
122+
initialDelaySeconds: 30
123+
periodSeconds: 90
124+
timeoutSeconds: 15
125+
resources:
126+
limits:
127+
cpu: "200m"
128+
memory: 200Mi
129+
requests:
130+
cpu: "50m"
131+
memory: 50Mi
132+
securityContext:
133+
readOnlyRootFilesystem: true
134+
allowPrivilegeEscalation: false
135+
136+
- name: liveness-probe
137+
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
138+
imagePullPolicy: IfNotPresent
139+
args:
140+
- "--v=4"
141+
- "--csi-address=$(ADDRESS)"
142+
env:
143+
- name: ADDRESS
144+
value: /csi/csi.sock
145+
volumeMounts:
146+
- name: plugin-dir
147+
mountPath: /csi
148+
resources:
149+
limits:
150+
cpu: "200m"
151+
memory: 250Mi
152+
requests:
153+
cpu: "50m"
154+
memory: 50Mi
155+
securityContext:
156+
readOnlyRootFilesystem: true
157+
allowPrivilegeEscalation: false
119158

120159
volumes:
121160
- name: plugin-dir
@@ -138,6 +177,11 @@ spec:
138177
hostPath:
139178
path: /run/cloud-init/
140179
type: Directory
180+
# Comment the above 4 lines and uncomment the next 4 lines for Ignition support
181+
# - name: ignition-dir
182+
# hostPath:
183+
# path: /run/metadata
184+
# type: Directory
141185
- name: cloudstack-conf
142186
secret:
143187
secretName: cloudstack-secret

deploy/k8s/rbac.yaml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,3 +49,37 @@ roleRef:
4949
kind: ClusterRole
5050
name: cloudstack-csi-controller-role
5151
apiGroup: rbac.authorization.k8s.io
52+
---
53+
kind: ServiceAccount
54+
apiVersion: v1
55+
metadata:
56+
name: cloudstack-csi-node
57+
namespace: kube-system
58+
---
59+
kind: ClusterRole
60+
apiVersion: rbac.authorization.k8s.io/v1
61+
metadata:
62+
name: cloudstack-csi-node-role
63+
rules:
64+
- apiGroups: [""]
65+
resources: ["nodes"]
66+
verbs: ["get", "patch"]
67+
- apiGroups: [ "storage.k8s.io" ]
68+
resources: [ "volumeattachments" ]
69+
verbs: [ "get", "list", "watch" ]
70+
- apiGroups: [ "storage.k8s.io" ]
71+
resources: [ "csinodes" ]
72+
verbs: [ "get" ]
73+
---
74+
kind: ClusterRoleBinding
75+
apiVersion: rbac.authorization.k8s.io/v1
76+
metadata:
77+
name: cloudstack-csi-node-binding
78+
subjects:
79+
- kind: ServiceAccount
80+
name: cloudstack-csi-node
81+
namespace: kube-system
82+
roleRef:
83+
kind: ClusterRole
84+
name: cloudstack-csi-node-role
85+
apiGroup: rbac.authorization.k8s.io

0 commit comments

Comments
 (0)