deploy: support deploying sidecars in same pod as driver
The kubernetes-x.yy deployments now use the same pod for driver and
sidecars, which is the usual way of deploying them.

The alternative "-prow" deployments use separate pods for them to test
that the individual RBAC rules are correct.
pohly committed May 5, 2021
1 parent 4c8a512 commit 194132f
Showing 30 changed files with 1,238 additions and 98 deletions.
6 changes: 6 additions & 0 deletions deploy/kubernetes-1.18-test/README.md
@@ -0,0 +1,6 @@
The deployment for Kubernetes 1.18 uses CSIDriver v1 and
thus is incompatible with Kubernetes < 1.18.

It uses separate pods and service accounts for each sidecar. This is
not how they would normally be deployed. It gets done this way to test
that the individual RBAC rules are correct.
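Review bot: the directory is named `kubernetes-1.18-test`, while the commit message calls the separate-pod variants the "-prow" deployments; pick one name and use it in both places. The last paragraph also says this layout is "not how they would normally be deployed" without pointing to the deployment a reader should use instead, so a one-line reference to the regular same-pod deployment would help.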
1 change: 1 addition & 0 deletions deploy/kubernetes-1.18-test/deploy.sh
1 change: 1 addition & 0 deletions deploy/kubernetes-1.18-test/destroy.sh
17 changes: 17 additions & 0 deletions deploy/kubernetes-1.18-test/hostpath/csi-hostpath-driverinfo.yaml
@@ -0,0 +1,17 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: hostpath.csi.k8s.io
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: hostpath.csi.k8s.io
app.kubernetes.io/component: csi-driver
spec:
# Supports persistent and ephemeral inline volumes.
volumeLifecycleModes:
- Persistent
- Ephemeral
# To determine at runtime which mode a volume uses, pod info and its
# "csi.storage.k8s.io/ephemeral" entry are needed.
podInfoOnMount: true
167 changes: 167 additions & 0 deletions deploy/kubernetes-1.18-test/hostpath/csi-hostpath-plugin.yaml
@@ -0,0 +1,167 @@
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: csi-hostpathplugin
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpathplugin
app.kubernetes.io/component: plugin
spec:
serviceName: "csi-hostpathplugin"
# One replica only:
# Host path driver only works when everything runs
# on a single node. We achieve that by starting it once and then
# co-locate all other pods via inter-pod affinity
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpathplugin
app.kubernetes.io/component: plugin
template:
metadata:
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpathplugin
app.kubernetes.io/component: plugin
spec:
serviceAccountName: csi-external-health-monitor-controller
containers:
- name: hostpath
image: k8s.gcr.io/sig-storage/hostpathplugin:v1.6.2
args:
- "--drivername=hostpath.csi.k8s.io"
- "--v=5"
- "--endpoint=$(CSI_ENDPOINT)"
- "--nodeid=$(KUBE_NODE_NAME)"
env:
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
securityContext:
privileged: true
ports:
- containerPort: 9898
name: healthz
protocol: TCP
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 2
volumeMounts:
- mountPath: /csi
name: socket-dir
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: mountpoint-dir
- mountPath: /var/lib/kubelet/plugins
mountPropagation: Bidirectional
name: plugins-dir
- mountPath: /csi-data-dir
name: csi-data-dir
- mountPath: /dev
name: dev-dir

- name: liveness-probe
volumeMounts:
- mountPath: /csi
name: socket-dir
image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0
args:
- --csi-address=/csi/csi.sock
- --health-port=9898

- name: csi-external-health-monitor-agent
image: k8s.gcr.io/sig-storage/csi-external-health-monitor-agent:v0.2.0
args:
- "--v=5"
- "--csi-address=$(ADDRESS)"
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: ADDRESS
value: /csi/csi.sock
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: socket-dir
mountPath: /csi

- name: csi-external-health-monitor-controller
image: k8s.gcr.io/sig-storage/csi-external-health-monitor-controller:v0.2.0
args:
- "--v=5"
- "--csi-address=$(ADDRESS)"
- "--leader-election"
env:
- name: ADDRESS
value: /csi/csi.sock
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: socket-dir
mountPath: /csi

- name: node-driver-registrar
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1
args:
- --v=5
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock
securityContext:
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
privileged: true
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
volumeMounts:
- mountPath: /csi
name: socket-dir
- mountPath: /registration
name: registration-dir
- mountPath: /csi-data-dir
name: csi-data-dir

volumes:
- hostPath:
path: /var/lib/kubelet/plugins/csi-hostpath
type: DirectoryOrCreate
name: socket-dir
- hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
name: mountpoint-dir
- hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
name: registration-dir
- hostPath:
path: /var/lib/kubelet/plugins
type: Directory
name: plugins-dir
- hostPath:
# 'path' is where PV data is persisted on host.
# using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot
path: /var/lib/csi-hostpath-data/
type: DirectoryOrCreate
name: csi-data-dir
- hostPath:
path: /dev
type: Directory
name: dev-dir
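Review bot: `serviceAccountName: csi-external-health-monitor-controller` in the pod template applies to every container in this pod, including the privileged `hostpath` and `node-driver-registrar` containers, and both health monitor sidecars run here next to the driver. That does not match the README in this directory, which says the deployment uses separate pods and service accounts for each sidecar so that the individual RBAC rules get tested. Either move the health monitor sidecars into their own pods (with the same pod affinity the comment above `replicas: 1` relies on), or state in the README that they are the exception and why. Minor: the `csi-data-dir` comment reads "will not available" and is missing "be".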
@@ -0,0 +1,11 @@
apiVersion: snapshot.storage.k8s.io/v1beta1
kind: VolumeSnapshotClass
metadata:
name: csi-hostpath-snapclass
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-snapclass
app.kubernetes.io/component: volumesnapshotclass
driver: hostpath.csi.k8s.io #csi-hostpath
deletionPolicy: Delete
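Review bot: the trailing `#csi-hostpath` comment on the `driver:` line reads like a leftover of an older driver name and adds nothing next to `hostpath.csi.k8s.io`. Drop it, or spell out what it refers to.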
83 changes: 83 additions & 0 deletions deploy/kubernetes-1.18-test/hostpath/csi-hostpath-testing.yaml
@@ -0,0 +1,83 @@
# WARNING: this is only for testing purposes. Do not install in a production
# cluster.
#
# This exposes the hostpath's Unix domain csi.sock as a TCP port to the
# outside world. The mapping from Unix domain socket to TCP is done
# by socat.
#
# This is useful for testing with csi-sanity or csc.

apiVersion: v1
kind: Service
metadata:
name: hostpath-service
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-socat
app.kubernetes.io/component: socat
spec:
type: NodePort
selector:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-socat
app.kubernetes.io/component: socat
ports:
- port: 10000 # fixed port inside the pod, dynamically allocated port outside
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: csi-hostpath-socat
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-socat
app.kubernetes.io/component: socat
spec:
serviceName: "csi-hostpath-socat"
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-socat
app.kubernetes.io/component: socat
template:
metadata:
labels:
app.kubernetes.io/instance: hostpath.csi.k8s.io
app.kubernetes.io/part-of: csi-driver-host-path
app.kubernetes.io/name: csi-hostpath-socat
app.kubernetes.io/component: socat
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- hostpath.csi.k8s.io
topologyKey: kubernetes.io/hostname
containers:
- name: socat
image: alpine/socat:1.0.3
args:
- tcp-listen:10000,fork,reuseaddr
- unix-connect:/csi/csi.sock
securityContext:
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
privileged: true
volumeMounts:
- mountPath: /csi
name: socket-dir
volumes:
- hostPath:
path: /var/lib/kubelet/plugins/csi-hostpath
type: DirectoryOrCreate
name: socket-dir
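Review bot: `hostpath-service` is `type: NodePort` and the socat args are plain `tcp-listen:10000,fork,reuseaddr` with no TLS or access restriction, so the CSI socket of a privileged driver becomes reachable on a node port by anything that can reach the node, and the socat container itself runs `privileged: true`. The header warning covers production use, but for csi-sanity or csc a `ClusterIP` Service reached through `kubectl port-forward` would serve the same tests with less exposure. If the test setup really needs NodePort, say so in the header comment so the choice is not copied elsewhere by accident.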
24 changes: 24 additions & 0 deletions deploy/kubernetes-1.18-test/test-driver.yaml
@@ -0,0 +1,24 @@
# This file describes how to test this deployment of the CSI hostpath driver
# using the Kubernetes 1.17 E2E test suite. For details see:
# https://github.com/kubernetes/kubernetes/tree/v1.17.0/test/e2e/storage/external

StorageClass:
FromName: true
SnapshotClass:
FromName: true
DriverInfo:
Name: hostpath.csi.k8s.io
SupportedSizeRange:
Min: 1Mi
Capabilities:
block: true
controllerExpansion: true
exec: true
multipods: true
nodeExpansion: true
persistence: true
singleNodeVolume: true
snapshotDataSource: true
topology: true
InlineVolumes:
- shared: true
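Review bot: the header comment says this deployment is tested with the Kubernetes 1.17 E2E test suite and links to the `v1.17.0` tree, but the file lives under `deploy/kubernetes-1.18-test`. If the text was copied from an older deployment, update the version and the link; if the 1.17 suite is intended, add a sentence saying why.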