--- # Source: csi-s3/templates/csi-s3.yaml apiVersion: v1 kind: ServiceAccount metadata: name: csi-s3 namespace: kube-system --- # Source: csi-s3/templates/provisioner.yaml apiVersion: v1 kind: ServiceAccount metadata: name: csi-s3-provisioner-sa namespace: kube-system --- # Source: csi-s3/templates/secret.yaml apiVersion: v1 kind: Secret metadata: namespace: kube-system name: csi-s3-secret stringData: accessKeyID: __S3_ACCESS_KEY__ secretAccessKey: __S3_SECRET_KEY__ endpoint: __S3_ENDPOINT__ --- # Source: csi-s3/templates/csi-s3.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3 --- # Source: csi-s3/templates/provisioner.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3-external-provisioner-runner rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- # Source: csi-s3/templates/csi-s3.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3 subjects: - kind: ServiceAccount name: csi-s3 namespace: kube-system roleRef: kind: ClusterRole name: csi-s3 apiGroup: rbac.authorization.k8s.io --- # Source: csi-s3/templates/provisioner.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3-provisioner-role subjects: - kind: ServiceAccount name: csi-s3-provisioner-sa namespace: kube-system roleRef: kind: ClusterRole name: csi-s3-external-provisioner-runner apiGroup: rbac.authorization.k8s.io --- # Source: csi-s3/templates/provisioner.yaml kind: Service apiVersion: v1 metadata: name: csi-s3-provisioner namespace: kube-system labels: app: csi-s3-provisioner spec: selector: app: csi-s3-provisioner ports: - name: csi-s3-dummy port: 65535 --- # Source: csi-s3/templates/csi-s3.yaml kind: DaemonSet apiVersion: apps/v1 metadata: name: csi-s3 namespace: kube-system spec: selector: matchLabels: app: csi-s3 template: metadata: labels: app: csi-s3 spec: tolerations: - key: CriticalAddonsOnly operator: Exists - operator: Exists effect: NoExecute tolerationSeconds: 300 serviceAccount: csi-s3 containers: - name: driver-registrar image: docker.io/dyrnq/csi-node-driver-registrar:v2.10.1 args: - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - "--v=4" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/ru.yandex.s3.csi/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration/ - name: csi-s3 securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: docker.io/dyrnq/csi-s3-driver:0.40.8 imagePullPolicy: IfNotPresent args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(NODE_ID)" - "--v=4" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: stage-dir mountPath: /var/lib/kubelet/plugins/kubernetes.io/csi mountPropagation: "Bidirectional" - name: pods-mount-dir mountPath: /var/lib/kubelet/pods mountPropagation: "Bidirectional" - name: fuse-device mountPath: /dev/fuse - name: systemd-control mountPath: /run/systemd volumes: - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: DirectoryOrCreate - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/ru.yandex.s3.csi type: DirectoryOrCreate - name: stage-dir hostPath: path: /var/lib/kubelet/plugins/kubernetes.io/csi type: DirectoryOrCreate - name: pods-mount-dir hostPath: path: /var/lib/kubelet/pods type: Directory - name: fuse-device hostPath: path: /dev/fuse - name: systemd-control hostPath: path: /run/systemd type: DirectoryOrCreate --- # Source: csi-s3/templates/provisioner.yaml kind: StatefulSet apiVersion: apps/v1 metadata: name: csi-s3-provisioner namespace: kube-system spec: serviceName: "csi-provisioner-s3" replicas: 1 selector: matchLabels: app: csi-s3-provisioner template: metadata: labels: app: csi-s3-provisioner spec: serviceAccount: csi-s3-provisioner-sa tolerations: - key: node-role.kubernetes.io/master operator: Exists - key: CriticalAddonsOnly operator: Exists containers: - name: csi-provisioner image: docker.io/dyrnq/csi-provisioner:v5.0.1 args: - "--csi-address=$(ADDRESS)" - "--v=4" env: - name: ADDRESS value: /var/lib/kubelet/plugins/ru.yandex.s3.csi/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/kubelet/plugins/ru.yandex.s3.csi - name: csi-s3 image: docker.io/dyrnq/csi-s3-driver:0.40.8 imagePullPolicy: IfNotPresent args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(NODE_ID)" - "--v=4" env: - name: CSI_ENDPOINT value: unix:///var/lib/kubelet/plugins/ru.yandex.s3.csi/csi.sock - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: socket-dir mountPath: /var/lib/kubelet/plugins/ru.yandex.s3.csi volumes: - name: socket-dir emptyDir: {} --- # Source: csi-s3/templates/driver.yaml apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: ru.yandex.s3.csi spec: attachRequired: false podInfoOnMount: true fsGroupPolicy: File # added in Kubernetes 1.19, this field is GA as of Kubernetes 1.23 volumeLifecycleModes: # added in Kubernetes 1.16, this field is beta - Persistent