Update EBS driver #754

Merged
merged 3 commits into from
May 31, 2023
Merged
15 changes: 14 additions & 1 deletion charts/images.yaml
Expand Up @@ -168,7 +168,7 @@ images:
- name: csi-driver
sourceRepository: github.com/kubernetes-sigs/aws-ebs-csi-driver
repository: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver
tag: "v1.17.0"
tag: "v1.19.0"
labels:
- name: 'gardener.cloud/cve-categorisation'
value:
Expand All @@ -178,6 +178,19 @@ images:
confidentiality_requirement: 'high'
integrity_requirement: 'high'
availability_requirement: 'low'
- name: csi-volume-modifier
sourceRepository: github.com/awslabs/volume-modifier-for-k8s
repository: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s
tag: "v0.1.0"
labels:
- name: 'gardener.cloud/cve-categorisation'
value:
network_exposure: 'private'
authentication_enforced: false
user_interaction: 'gardener-operator'
confidentiality_requirement: 'high'
integrity_requirement: 'high'
availability_requirement: 'low'
- name: csi-provisioner
sourceRepository: github.com/kubernetes-csi/external-provisioner
repository: registry.k8s.io/sig-storage/csi-provisioner
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,30 @@ spec:
- name: cloudprovider
mountPath: /srv/cloudprovider

- name: aws-csi-volume-modifier
image: {{ index .Values.images "csi-volume-modifier" }}
imagePullPolicy: IfNotPresent
args:
- --v={{ .Values.volumeModifier.log }}
- --csi-address=$(ADDRESS)
- --kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
- --leader-election
- --leader-election-namespace=kube-system
env:
- name: ADDRESS
value: {{ .Values.socketPath }}/csi.sock
resources:
{{ toYaml .Values.resources.volumeModifier| indent 10 }}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- name: socket-dir
mountPath: {{ .Values.socketPath }}
- mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
name: kubeconfig-csi-volume-modifier
readOnly: true

- name: aws-csi-provisioner
image: {{ index .Values.images "csi-provisioner" }}
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -201,7 +225,6 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi

volumes:
- name: socket-dir
emptyDir: {}
Expand Down Expand Up @@ -272,3 +295,19 @@ spec:
path: token
name: shoot-access-csi-resizer
optional: false
- name: kubeconfig-csi-volume-modifier
projected:
defaultMode: 420
sources:
- secret:
items:
- key: kubeconfig
path: kubeconfig
name: {{ .Values.global.genericTokenKubeconfigSecretName }}
optional: false
- secret:
items:
- key: token
path: token
name: shoot-access-csi-volume-modifier
optional: false
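Review bot: The resources line of the new aws-csi-volume-modifier container, `{{ toYaml .Values.resources.volumeModifier| indent 10 }}`, is missing the space before the pipe; Go templates still parse it, but it reads as a typo and the sibling containers presumably write `| indent 10`. Change it to `{{ toYaml .Values.resources.volumeModifier | indent 10 }}`. The container's securityContext sets readOnlyRootFilesystem and allowPrivilegeEscalation but neither `runAsNonRoot: true` nor `capabilities: {drop: [ALL]}`; if the other sidecars in this template carry those fields, the new container should match them (the rest of the container list is outside the hunk).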
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ spec:
cpu: {{ .Values.vpa.resourcePolicy.livenessProbe.maxAllowed.cpu }}
memory: {{ .Values.vpa.resourcePolicy.livenessProbe.maxAllowed.memory }}
controlledValues: RequestsOnly
- containerName: aws-volume-modifier
minAllowed:
memory: {{ .Values.resources.volumeModifier.requests.memory }}
maxAllowed:
cpu: {{ .Values.vpa.resourcePolicy.volumemodifier.maxAllowed.cpu }}
memory: {{ .Values.vpa.resourcePolicy.volumemodifier.maxAllowed.memory }}
controlledValues: RequestsOnly
targetRef:
apiVersion: apps/v1
kind: Deployment
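Review bot: The new resourcePolicy entry is keyed `containerName: aws-volume-modifier`, but the container this PR adds to the controller deployment is named `aws-csi-volume-modifier`, so the VPA will not match it and the minAllowed/maxAllowed/RequestsOnly settings never apply to the volume modifier. Change the line to `- containerName: aws-csi-volume-modifier` (or rename the container) so the two stay in sync. The values path `.Values.vpa.resourcePolicy.volumemodifier` is also lower-cased while the resources key is `volumeModifier`; the values.yaml hunk has the same spelling split.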
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ images:
csi-liveness-probe: image-repository:image-tag
csi-snapshot-controller: image-repository:image-tag
csi-snapshot-validation-webhook: image-repository:image-tag
csi-volume-modifier: image-repository:image-tag

socketPath: /var/lib/csi/sockets/pluginproxy
region: region
Expand Down Expand Up @@ -51,6 +52,12 @@ resources:
memory: 32Mi
limits:
memory: 300Mi
volumeModifier:
requests:
cpu: 20m
memory: 50Mi
limits:
memory: 400Mi

vpa:
resourcePolicy:
Expand Down Expand Up @@ -78,6 +85,10 @@ vpa:
maxAllowed:
cpu: 500m
memory: 2G
volumemodifier:
maxAllowed:
cpu: 500m
memory: 2G

csiSnapshotController:
replicas: 1
Expand All @@ -101,3 +112,6 @@ csiSnapshotValidationWebhook:
secrets:
server: csi-snapshot-validation-server
topologyAwareRoutingEnabled: false

volumeModifier:
log: 2
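Review bot: The new VPA key `volumemodifier:` breaks the camelCase used by the neighbouring `volumeModifier:` blocks under `resources:` and at the end of the file, so a reader copying one spelling to the other place will get a nil value. Rename it to `volumeModifier:` and update the two template references `.Values.vpa.resourcePolicy.volumemodifier.maxAllowed.cpu` and `.Values.vpa.resourcePolicy.volumemodifier.maxAllowed.memory` in the VPA template in the same change.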
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch", "update"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
subjects:
- kind: ServiceAccount
name: csi-volume-modifier
namespace: {{ .Release.Namespace }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
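Review bot: The lease Role grants `delete` on leases, which, as far as I can tell, leader election in client-go never issues — it gets, creates and updates the single lease object. Dropping the verb keeps the sidecar at least privilege without affecting leader election: `verbs: ["get", "watch", "list", "update", "create"]`. Note also that the deployment runs the modifier with `--leader-election-namespace=kube-system`, so this Role only works when `{{ .Release.Namespace }}` is kube-system; a one-line comment above `namespace:` stating that assumption would help the next reader.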
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: csi-volume-modifier
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-volume-modifier
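Review bot: The subject namespace is hard-coded to `kube-system` here, while the ServiceAccount added in this PR is created in `{{ .Release.Namespace }}` and the ClusterRoleBinding's subject also uses `{{ .Release.Namespace }}`; if the chart is ever released into another namespace the lease Role stays unbound and leader election fails with a forbidden error. Use `namespace: {{ .Release.Namespace }}` for consistency with the sibling binding. Whichever spelling is kept, it must agree with the `--leader-election-namespace=kube-system` argument given to the container in the deployment template.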

Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,10 @@ metadata:
name: csi-driver-node
namespace: {{ .Release.Namespace }}
automountServiceAccountToken: false
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-volume-modifier
namespace: {{ .Release.Namespace }}
automountServiceAccountToken: false
4 changes: 4 additions & 0 deletions pkg/aws/types.go
Expand Up @@ -53,6 +53,8 @@ const (
CSILivenessProbeImageName = "csi-liveness-probe"
// CSISnapshotValidationWebhookImageName is the name of the csi-snapshot-validation-webhook image.
CSISnapshotValidationWebhookImageName = "csi-snapshot-validation-webhook"
// CSIVolumeModifierImageName is the name of the csi-volume-modifier image.
CSIVolumeModifierImageName = "csi-volume-modifier"

// MachineControllerManagerImageName is the name of the MachineControllerManager image.
MachineControllerManagerImageName = "machine-controller-manager"
Expand Down Expand Up @@ -133,6 +135,8 @@ const (
LBReadvertiserDeploymentName = "aws-lb-readvertiser"
// CSISnapshotValidationName is the constant for the name of the csi-snapshot-validation-webhook component.
CSISnapshotValidationName = "csi-snapshot-validation"
// CSIVolumeModifierName is the constant for the name of the csi-volume-modifier.
CSIVolumeModifierName = "csi-volume-modifier"
)

var (
8 changes: 8 additions & 0 deletions pkg/controller/controlplane/valuesprovider.go
Expand Up @@ -101,6 +101,7 @@ func shootAccessSecretsFunc(namespace string) []*gutil.ShootAccessSecret {
gutil.NewShootAccessSecret(aws.CSIResizerName, namespace),
gutil.NewShootAccessSecret(aws.CSISnapshotControllerName, namespace),
gutil.NewShootAccessSecret(aws.CSISnapshotValidationName, namespace),
gutil.NewShootAccessSecret(aws.CSIVolumeModifierName, namespace),
}
}

Expand Down Expand Up @@ -158,6 +159,7 @@ var (
aws.CSILivenessProbeImageName,
aws.CSISnapshotControllerImageName,
aws.CSISnapshotValidationWebhookImageName,
aws.CSIVolumeModifierImageName,
},
Objects: []*chart.Object{
// csi-driver-controller
Expand Down Expand Up @@ -232,6 +234,12 @@ var (
{Type: &admissionregistrationv1.ValidatingWebhookConfiguration{}, Name: aws.CSISnapshotValidationName},
{Type: &rbacv1.ClusterRole{}, Name: aws.UsernamePrefix + aws.CSISnapshotValidationName},
{Type: &rbacv1.ClusterRoleBinding{}, Name: aws.UsernamePrefix + aws.CSISnapshotValidationName},
// csi-volume-modifier
{Type: &corev1.ServiceAccount{}, Name: aws.CSIVolumeModifierName},
{Type: &rbacv1.ClusterRole{}, Name: aws.UsernamePrefix + aws.CSIVolumeModifierName},
{Type: &rbacv1.ClusterRoleBinding{}, Name: aws.UsernamePrefix + aws.CSIVolumeModifierName},
{Type: &rbacv1.Role{}, Name: aws.UsernamePrefix + aws.CSIVolumeModifierName},
{Type: &rbacv1.RoleBinding{}, Name: aws.UsernamePrefix + aws.CSIVolumeModifierName},
},
},
},