Merge pull request #60 from phillc/master

Update CSI components

README.md

@@ -9,11 +9,8 @@ More information about the Kubernetes CSI can be found in the GitHub [Kubernetes
 
 ### Requirements
 
-* Kubernetes v1.13+
+* Kubernetes v1.15+
 * The node `hostname` must match the Linode Instance `label`
-* `--allow-privileged` must be enabled for the API server and kubelet
-* Should have the following [feature gates enabled](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview): `CSINodeInfo`, `CSIDriverRegistry`
-* The following feature gates may be used in future versions: `BlockVolume`, `CSIBlockVolume`
 
 ### Secure a Linode API Access Token:
 
@@ -131,7 +128,6 @@ persistence
 ## Disclaimers
 
 * Until this driver has reached v1.0.0 it may not maintain compatibility between driver versions
-* This driver does not work with versions of Kubernetes earlier than 1.13
 * Requests for Persistent Volumes with a `require_size` less than the Linode minimum Block Storage size will be fulfilled with a Linode Block Storage volume of the minimum size (currently 10GiB), this is [in accordance with the CSI specification](https://github.com/container-storage-interface/spec/blob/v1.0.0/spec.md#createvolume).  The upper-limit size constraint (`limit_bytes`) will also be honored so the size of Linode Block Storage volumes provisioned will not exceed this parameter.
 
 ## Contribution Guidelines

app/linode/Dockerfile

@@ -2,7 +2,7 @@ FROM alpine
 LABEL maintainers="Linode"
 LABEL description="Linode CSI Driver"
 
-RUN apk add --no-cache ca-certificates e2fsprogs findmnt
+RUN apk add --no-cache ca-certificates e2fsprogs findmnt blkid
 
 COPY ./_output/linode /linode
 

deploy/kubernetes/base/accounts-roles-bindings.yaml

@@ -0,0 +1,40 @@
+##### Node Service Account, Roles, RoleBindings
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-node-sa
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linode-csi-role
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linode-csi-binding
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: csi-node-sa
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: linode-csi-role
+  apiGroup: rbac.authorization.k8s.io
+---
+##### Controller Service Account, Roles, Rolebindings
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-controller-sa
+  namespace: kube-system

pkg/linode-bs/deploy/kubernetes/04-csi-driver-instance.yaml → deploy/kubernetes/base/csi-driver-instance.yaml

@@ -1,7 +1,7 @@
-apiVersion: csi.storage.k8s.io/v1alpha1
+apiVersion: storage.k8s.io/v1beta1
 kind: CSIDriver
 metadata:
   name: linodebs.csi.linode.com
 spec:
   attachRequired: true
-  podInfoOnMountVersion: "v1"
+  podInfoOnMount: true

pkg/linode-bs/deploy/kubernetes/07-ds-csi-linode-node.yaml → deploy/kubernetes/base/ds-csi-linode-node.yaml

@@ -33,14 +33,11 @@ spec:
             mountPath: /scripts
       hostNetwork: true
       containers:
-        - name: driver-registrar
-          image: quay.io/k8scsi/driver-registrar:v1.0-canary
+        - name: csi-node-driver-registrar
+          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v1.3.0
           args:
             - "--v=2"
             - "--csi-address=$(ADDRESS)"
-            - "--mode=node-register"
-            - "--driver-requires-attachment=true"
-            - "--pod-info-mount-version=\"v1\""
             - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)"
           env:
             - name: ADDRESS
@@ -53,11 +50,11 @@ spec:
                   fieldPath: spec.nodeName
           volumeMounts:
             - name: plugin-dir
-              mountPath: /csi/
+              mountPath: /csi
             - name: registration-dir
-              mountPath: /registration/
+              mountPath: /registration
         - name: csi-linode-plugin
-          image: linode/linode-blockstorage-csi-driver:{{ .Values.image.tag }}
+          image: linode/linode-blockstorage-csi-driver:latest
           args :
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--token=$(LINODE_TOKEN)"

deploy/kubernetes/base/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../sidecars/external-provisioner
+  - ../sidecars/external-attacher
+  - ../sidecars/external-resizer
+  - accounts-roles-bindings.yaml
+  - csi-driver-instance.yaml
+  - csi-storageclass.yaml
+  - ss-csi-linode-controller.yaml
+  - ds-csi-linode-node.yaml
+  - cm-get-linode-id.yaml

pkg/linode-bs/deploy/kubernetes/06-ss-csi-linode-controller.yaml → deploy/kubernetes/base/ss-csi-linode-controller.yaml

@@ -35,7 +35,7 @@ spec:
             mountPath: /scripts
       containers:
         - name: csi-provisioner
-          image: quay.io/k8scsi/csi-provisioner:v1.1.0
+          image: quay.io/k8scsi/csi-provisioner:v1.6.0
           args:
             - "--volume-name-prefix=pvc"
             - "--volume-name-uuid-length=16"
@@ -49,7 +49,7 @@ spec:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
         - name: csi-attacher
-          image: quay.io/k8scsi/csi-attacher:v1.1.0
+          image: quay.io/k8scsi/csi-attacher:v2.2.0
           args:
             - "--v=2"
             - "--csi-address=$(ADDRESS)"
@@ -61,7 +61,7 @@ spec:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
         - name: linode-csi-resizer
-          image: quay.io/k8scsi/csi-resizer:v0.1.0
+          image: quay.io/k8scsi/csi-resizer:v0.5.0
           args:
           - "--v=2"
           - "--csi-address=$(ADDRESS)"
@@ -72,7 +72,7 @@ spec:
           - name: socket-dir
             mountPath: /var/lib/csi/sockets/pluginproxy/
         - name: linode-csi-plugin
-          image: linode/linode-blockstorage-csi-driver:{{ .Values.image.tag }}
+          image: linode/linode-blockstorage-csi-driver:latest
           args :
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--token=$(LINODE_TOKEN)"

deploy/kubernetes/overlays/dev/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+images:
+  - name: linode/linode-blockstorage-csi-driver
+    newTag: canary

deploy/kubernetes/overlays/release/.gitignore

@@ -0,0 +1 @@
+kustomization.yaml

deploy/kubernetes/overlays/release/kustomization.yaml.template

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+images:
+  - name: linode/linode-blockstorage-csi-driver
+    newTag: ${CSI_VERSION}

deploy/kubernetes/sidecars/external-attacher/kustomization.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - rbac.yaml
+namespace: kube-system
+patchesStrategicMerge:
+  - |-
+    kind: RoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: csi-attacher-role-cfg
+    $patch: delete
+  - |-
+    kind: Role
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: external-attacher-cfg
+    $patch: delete
+  - |-
+    kind: ServiceAccount
+    apiVersion: v1
+    metadata:
+      name: csi-attacher
+    $patch: delete
+patchesJson6902:
+  - target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: external-attacher-runner
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: external-attacher-role
+  - target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRoleBinding
+      name: csi-attacher-role
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: csi-controller-attacher-binding
+      - op: replace
+        path: /subjects/0/name
+        value: csi-controller-sa
+      - op: replace
+        path: /subjects/0/namespace
+        value: kube-system
+

deploy/kubernetes/sidecars/external-attacher/rbac.yaml

@@ -0,0 +1,88 @@
+# xref: https://raw.githubusercontent.com/kubernetes-csi/external-attacher/release-2.2/deploy/kubernetes/rbac.yaml
+
+# This YAML file contains all RBAC objects that are necessary to run external
+# CSI attacher.
+#
+# In production, each CSI driver deployment has to be customized:
+# - to avoid conflicts, use non-default namespace and different names
+#   for non-namespaced entities like the ClusterRole
+# - decide whether the deployment replicates the external CSI
+#   attacher, in which case leadership election must be enabled;
+#   this influences the RBAC setup, see below
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-attacher
+  # replace with non-default namespace name
+  namespace: default
+
+---
+# Attacher must be able to work with PVs, CSINodes and VolumeAttachments
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: external-attacher-runner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+#Secret permission is optional.
+#Enable it if you need value from secret.
+#For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters
+#see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
+#  - apiGroups: [""]
+#    resources: ["secrets"]
+#    verbs: ["get", "list"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-attacher-role
+subjects:
+  - kind: ServiceAccount
+    name: csi-attacher
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: external-attacher-runner
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Attacher must be able to work with configmaps or leases in the current namespace
+# if (and only if) leadership election is enabled
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # replace with non-default namespace name
+  namespace: default
+  name: external-attacher-cfg
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-attacher-role-cfg
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: csi-attacher
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: external-attacher-cfg
+  apiGroup: rbac.authorization.k8s.io

deploy/kubernetes/sidecars/external-provisioner/kustomization.yaml

@@ -0,0 +1,49 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - rbac.yaml
+namespace: kube-system
+patchesStrategicMerge:
+  - |-
+    kind: RoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: csi-provisioner-role-cfg
+    $patch: delete
+  - |-
+    kind: Role
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: external-provisioner-cfg
+    $patch: delete
+  - |-
+    kind: ServiceAccount
+    apiVersion: v1
+    metadata:
+      name: csi-provisioner
+    $patch: delete
+patchesJson6902:
+  - target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: external-provisioner-runner
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: external-provisioner-role
+  - target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRoleBinding
+      name: csi-provisioner-role
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: csi-controller-provisioner-binding
+      - op: replace
+        path: /subjects/0/name
+        value: csi-controller-sa
+      - op: replace
+        path: /subjects/0/namespace
+        value: kube-system