### Cloud Controller Manager <-- doesn't work
# inspired by https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
# NOTE(review): this block is entirely commented out and is not applied. If it is ever
# re-enabled, note that it binds the cloud-controller-manager ServiceAccount to the
# built-in `cluster-admin` ClusterRole, i.e. full cluster privileges for that pod.
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
#  name: cloud-controller-manager
#  namespace: kube-system
#---
#apiVersion: rbac.authorization.k8s.io/v1
#kind: ClusterRoleBinding
#metadata:
#  name: system:cloud-controller-manager
#roleRef:
#  apiGroup: rbac.authorization.k8s.io
#  kind: ClusterRole
#  name: cluster-admin
#subjects:
#  - kind: ServiceAccount
#    name: cloud-controller-manager
#    namespace: kube-system
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
#  labels:
#    k8s-app: cloud-controller-manager
#  name: cloud-controller-manager
#  namespace: kube-system
#spec:
#  selector:
#    matchLabels:
#      k8s-app: cloud-controller-manager
#  template:
#    metadata:
#      labels:
#        k8s-app: cloud-controller-manager
#    spec:
#      serviceAccountName: cloud-controller-manager
#      initContainers:
#        - name: install-ca-certs
#          image: alpine:3.11
#          command:
#            - sh
#            - -c
#            - apk update && apk add ca-certificates
#          volumeMounts:
#            - name: ca-certs
#              mountPath: /etc/ssl/certs
#              readOnly: false
#      containers:
#        - name: cloud-controller-manager
#          image: k8s.gcr.io/cloud-controller-manager:v1.15.12
#          command:
#            - /usr/local/bin/cloud-controller-manager
#            - --cloud-provider=gce
#            - --leader-elect=true
#          volumeMounts:
#            - name: ca-certs
#              mountPath: /etc/ssl/certs
#              readOnly: true
#      volumes:
#        - name: ca-certs
#          emptyDir: {}
#      tolerations:
#        # this is required so CCM can bootstrap itself
#        - key: node.cloudprovider.kubernetes.io/uninitialized
#          value: "true"
#          effect: NoSchedule
#        - key: node-role.kubernetes.io/master
#          effect: NoSchedule
#---

### Container Storage Interface Config
# Everything below deploys the GCE Persistent Disk CSI driver into its own
# namespace (`gce-pd-csi-driver`) plus two StorageClasses that use it.

apiVersion: v1
kind: Namespace
metadata:
  name: gce-pd-csi-driver
---
# SSD-backed class; not the cluster default.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast
provisioner: pd.csi.storage.gke.io
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: pd-ssd
---
# Standard-disk class, marked as the cluster default via the annotation below.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: slow
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: pd.csi.storage.gke.io
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: pd-standard

#### START KUSTOMIZE ####
# output from following command slightly adjusted:
# kustomize build github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver//deploy/kubernetes/overlays/stable/?ref=v1.2.2
# Lines marked "<-- adjusted" further down are the local deviations from that output.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-gce-pd-controller-sa
  namespace: gce-pd-csi-driver
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-gce-pd-node-sa
  namespace: gce-pd-csi-driver
---
# NOTE(review): no Windows DaemonSet or Windows PSP is defined in this file, so this
# ServiceAccount (and the -win ClusterRole/Binding below) appear to be unused here.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-gce-pd-node-sa-win
  namespace: gce-pd-csi-driver
---
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since Kubernetes 1.21
# and removed in 1.25; on clusters without the PSP admission plugin these objects are
# inert and the `use` ClusterRoles below grant nothing.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: csi-gce-pd-controller-psp
spec:
  fsGroup:
    rule: RunAsAny
  # hostNetwork is allowed here, although the controller Deployment below has its
  # hostNetwork line commented out ("<-- adjusted").
  hostNetwork: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - emptyDir
    - secret
---
# Policy for the node plugin. It permits privileged containers, hostNetwork, every
# volume type ('*') and writable hostPath mounts under the prefixes listed below.
# Any ServiceAccount granted `use` on this PSP can therefore run pods with full
# node access; keep the bindings to it (see csi-gce-pd-node-deploy) as narrow as possible.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: csi-gce-pd-node-psp
spec:
  allowedHostPaths:
    # NOTE(review): none of these carry `readOnly: true`; the DaemonSet below does need
    # a writable, bidirectional /var/lib/kubelet mount, so this is expected for CSI.
    - pathPrefix: /var/lib/kubelet/plugins_registry/
    - pathPrefix: /var/lib/kubelet
    - pathPrefix: /var/lib/kubelet/plugins/pd.csi.storage.gke.io/
    - pathPrefix: /dev
    - pathPrefix: /etc/udev
    - pathPrefix: /lib/udev
    - pathPrefix: /run/udev
    - pathPrefix: /sys
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
---
# Namespaced leader-election role (Lease objects only), bound to the controller SA below.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
  name: csi-gce-pd-leaderelection-role
  namespace: gce-pd-csi-driver
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create
---
# Permissions needed by the external-attacher sidecar (VolumeAttachment handling).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-attacher-role
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments/status
    verbs:
      - patch
---
# Grants `use` of the (non-privileged) controller PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-controller-deploy
rules:
  - apiGroups:
      - policy
    resourceNames:
      - csi-gce-pd-controller-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# Grants `use` of the privileged node PSP. Whoever is bound to this role can create
# privileged, hostNetwork pods with hostPath mounts (see csi-gce-pd-node-psp).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-node-deploy
rules:
  - apiGroups:
      - policy
    resourceNames:
      - csi-gce-pd-node-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# NOTE(review): resourceName `csi-gce-pd-node-psp-win` is not defined anywhere in this
# file, so this role currently grants `use` on a PSP that does not exist (dead config).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-node-deploy-win
rules:
  - apiGroups:
      - policy
    resourceNames:
      - csi-gce-pd-node-psp-win
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# Permissions needed by the external-provisioner sidecar (PV create/delete, PVC updates,
# events, snapshot lookups for restore-from-snapshot).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-provisioner-role
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshots
    verbs:
      - get
      - list
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshotcontents
    verbs:
      - get
      - list
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments
    verbs:
      - get
      - list
      - watch
---
# Permissions needed by the external-resizer sidecar.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-resizer-role
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims/status
    verbs:
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
---
# Permissions needed by the external-snapshotter sidecar.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-snapshotter-role
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshotclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshotcontents
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - delete
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshotcontents/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
  name: csi-gce-pd-controller-leaderelection-binding
  namespace: gce-pd-csi-driver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: csi-gce-pd-leaderelection-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
# NOTE(review): this binds the *controller* ServiceAccount to csi-gce-pd-node-deploy,
# i.e. `use` on the privileged node PSP. The controller Deployment below only uses an
# emptyDir volume and no privileged/hostPath settings, which the controller PSP
# (bound via csi-gce-pd-controller-deploy further down) already covers. Candidate for
# removal on least-privilege grounds — confirm against the upstream kustomize output
# before changing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-node-deploy
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-attacher-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-deploy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-controller-deploy
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-provisioner-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-snapshotter-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-snapshotter-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
# The node SA legitimately needs the privileged PSP (see DaemonSet below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-node-deploy
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-node-sa
    namespace: gce-pd-csi-driver
---
# NOTE(review): references the -win role whose PSP is not defined in this file; unused here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-node-win
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-node-deploy-win
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-node-sa-win
    namespace: gce-pd-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-resizer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-resizer-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
    namespace: gce-pd-csi-driver
---
# The two-line description is a single multi-line plain scalar (folded to one line by
# the parser); it was wrapped this way by kustomize.
apiVersion: scheduling.k8s.io/v1
description: This priority class should be used for the GCE PD CSI driver controller
  deployment only.
globalDefault: false
kind: PriorityClass
metadata:
  name: csi-gce-pd-controller
value: 900000000
---
apiVersion: scheduling.k8s.io/v1
description: This priority class should be used for the GCE PD CSI driver node deployment
  only.
globalDefault: false
kind: PriorityClass
metadata:
  name: csi-gce-pd-node
value: 900001000
---
# Controller: the CSI sidecars (provisioner, attacher, resizer, snapshotter) plus the
# driver itself, all sharing the /csi unix socket via the socket-dir emptyDir.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csi-gce-pd-controller
  namespace: gce-pd-csi-driver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gcp-compute-persistent-disk-csi-driver
  template:
    metadata:
      labels:
        app: gcp-compute-persistent-disk-csi-driver
    spec:
      containers:
        - args:
            # --v=5 is verbose; fine for a single replica but expect chatty logs.
            - --v=5
            - --csi-address=/csi/csi.sock
            - --feature-gates=Topology=true
            - --metrics-address=:22011
            # $(PDCSI_NAMESPACE) is expanded from the downward-API env var declared below.
            - --leader-election-namespace=$(PDCSI_NAMESPACE)
            - --timeout=250s
            - --extra-create-metadata
            - --leader-election
            - --default-fstype=ext4
          env:
            - name: PDCSI_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: k8s.gcr.io/sig-storage/csi-provisioner:v2.0.4
          name: csi-provisioner
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
        - args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --metrics-address=:22012
            - --leader-election
            - --leader-election-namespace=$(PDCSI_NAMESPACE)
            - --timeout=250s
          env:
            - name: PDCSI_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: k8s.gcr.io/sig-storage/csi-attacher:v3.0.1
          name: csi-attacher
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
        - args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --metrics-address=:22013
            - --leader-election
            - --leader-election-namespace=$(PDCSI_NAMESPACE)
            - --handle-volume-inuse-error=false
          env:
            - name: PDCSI_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: k8s.gcr.io/sig-storage/csi-resizer:v1.0.1
          name: csi-resizer
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
        - args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --metrics-address=:22014
            - --leader-election
            - --leader-election-namespace=$(PDCSI_NAMESPACE)
            - --timeout=300s
          env:
            - name: PDCSI_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.1
          name: csi-snapshotter
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
        - args:
            - --v=5
            - --endpoint=unix:/csi/csi.sock
          # The upstream manifest mounts a GCP service-account key from the `cloud-sa`
          # Secret; that was removed here ("<-- adjusted"), so the driver obtains its
          # GCP credentials some other way — presumably the instance/node identity via
          # the metadata server. Confirm, and make sure that identity is scoped to
          # disk/snapshot operations only.
          # env: <-- adjusted
          #   - name: GOOGLE_APPLICATION_CREDENTIALS <-- adjusted
          #     value: /etc/cloud-sa/cloud-sa.json <-- adjusted
          image: gke.gcr.io/gcp-compute-persistent-disk-csi-driver:v1.2.1-gke.0
          name: gce-pd-driver
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            # - mountPath: /etc/cloud-sa <-- adjusted
            #   name: cloud-sa-volume <-- adjusted
            #   readOnly: true <-- adjusted
      # hostNetwork was dropped locally, so the sidecar metrics ports above are only
      # reachable on the pod IP, not on the node.
      # hostNetwork: true <-- adjusted
      # nodeSelector: <-- adjusted
      #   kubernetes.io/os: linux <-- adjusted
      priorityClassName: csi-gce-pd-controller
      serviceAccountName: csi-gce-pd-controller-sa
      volumes:
        - emptyDir: {}
          name: socket-dir
        # - name: cloud-sa-volume <-- adjusted
        #   secret: <-- adjusted
        #     secretName: cloud-sa <-- adjusted
---
# Node plugin: runs on every node (tolerations: operator Exists), privileged, with
# writable host mounts. This is the expected shape for a CSI node driver, but it also
# means a compromise of the gce-pd-driver container is equivalent to root on the node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-gce-pd-node
  namespace: gce-pd-csi-driver
spec:
  selector:
    matchLabels:
      app: gcp-compute-persistent-disk-csi-driver
  template:
    metadata:
      labels:
        app: gcp-compute-persistent-disk-csi-driver
    spec:
      containers:
        - args:
            - --v=5
            - --csi-address=/csi/csi.sock
            # Path the kubelet uses to reach the driver socket on the host.
            - --kubelet-registration-path=/var/lib/kubelet/plugins/pd.csi.storage.gke.io/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1
          name: csi-driver-registrar
          volumeMounts:
            - mountPath: /csi
              name: plugin-dir
            - mountPath: /registration
              name: registration-dir
        - args:
            - --v=5
            - --endpoint=unix:/csi/csi.sock
          image: gke.gcr.io/gcp-compute-persistent-disk-csi-driver:v1.2.1-gke.0
          name: gce-pd-driver
          # Required for mounting/formatting block devices on the host.
          securityContext:
            privileged: true
          volumeMounts:
            # Bidirectional propagation so volume mounts made here become visible to
            # the kubelet (and vice versa).
            - mountPath: /var/lib/kubelet
              mountPropagation: Bidirectional
              name: kubelet-dir
            - mountPath: /csi
              name: plugin-dir
            - mountPath: /dev
              name: device-dir
            - mountPath: /etc/udev
              name: udev-rules-etc
            - mountPath: /lib/udev
              name: udev-rules-lib
            - mountPath: /run/udev
              name: udev-socket
            - mountPath: /sys
              name: sys
      # hostNetwork: true <-- adjusted
      # nodeSelector: <-- adjusted
      #   kubernetes.io/os: linux <-- adjusted
      priorityClassName: csi-gce-pd-node
      serviceAccountName: csi-gce-pd-node-sa
      tolerations:
        # Schedules onto every node, including tainted control-plane nodes.
        - operator: Exists
      volumes:
        - hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
          name: registration-dir
        - hostPath:
            path: /var/lib/kubelet
            type: Directory
          name: kubelet-dir
        - hostPath:
            path: /var/lib/kubelet/plugins/pd.csi.storage.gke.io/
            type: DirectoryOrCreate
          name: plugin-dir
        - hostPath:
            path: /dev
            type: Directory
          name: device-dir
        - hostPath:
            path: /etc/udev
            type: Directory
          name: udev-rules-etc
        - hostPath:
            path: /lib/udev
            type: Directory
          name: udev-rules-lib
        - hostPath:
            path: /run/udev
            type: Directory
          name: udev-socket
        - hostPath:
            path: /sys
            type: Directory
          name: sys
---
# NOTE(review): storage.k8s.io/v1beta1 CSIDriver was removed in Kubernetes 1.22;
# storage.k8s.io/v1 has been available since 1.18. Bump once the minimum supported
# cluster version allows it.
apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
  name: pd.csi.storage.gke.io
spec:
  attachRequired: true
  podInfoOnMount: false