Merge branch 'kubernetes-sigs:master' into 1182-quote-extra-tags-arg

CHANGELOG-0.x.md

@@ -1,3 +1,34 @@
+# v1.6.1
+## Notable changes
+* Address CVE ALAS2-2022-1782, ALAS2-2022-1788, ALAS2-2022-1784
+
+# v1.6.0
+## Notable changes
+* Platform agnostic device removal ([#1193](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1193), [@torredil](https://github.com/torredil))
+
+### Bug fixes
+* Fix windows mounting bug ([#1189](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1189), [@torredil](https://github.com/torredil))
+
+### New features
+* Adding tagging support through StorageClass.parameters ([#1199](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1199), [@rdpsin](https://github.com/rdpsin))
+* Add volume resizing support for windows ([#1207](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1207), [@torredil](https://github.com/torredil))
+
+### Misc.
+* Update deprecated command `go get` ([#1194](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1194), [@gtxu](https://github.com/gtxu))
+* Upgrade PodDisruptionBudget api version for kubernetes 1.21+ ([#1196](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1196), [@wangshu3000](https://github.com/wangshu3000))
+* Bump prometheus/client_golang to v1.11.1 ([#1197](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1197), [@dobsonj](https://github.com/dobsonj))
+* Updated TAGGING.md to mention minimum version for tagging ([#1202](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1202), [@rdpsin](https://github.com/rdpsin))
+* Update README.md to reflect correct tag key for snapshots ([#1203](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1203), [@rdpsin](https://github.com/rdpsin))
+
+# v1.5.3
+## Notable changes
+* Ensure image OCI compliance ([#1205](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1205), [@torredil](https://github.com/torredil))
+* Update driver dependencies ([#1208](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1208), [@rdpsin](https://github.com/rdpsin))
+
+# v1.5.2
+## Notable changes
+* Address CVE ALAS-2022-1764
+
 # v1.5.1
 ## Notable changes
 * Address CVE ALAS-2021-1552, ALAS2-2022-1736, ALAS2-2022-1738, ALAS2-2022-1743

Makefile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-VERSION=v1.5.1
+VERSION=v1.6.1
 
 PKG=github.com/kubernetes-sigs/aws-ebs-csi-driver
 GIT_COMMIT?=$(shell git rev-parse HEAD)
@@ -71,7 +71,7 @@ all: all-image-docker
 all-push: all-image-registry push-manifest
 
 .PHONY: push-manifest
-push-manifest: create-manifest all-annotate-manifest
+push-manifest: create-manifest
 	docker manifest push --purge $(IMAGE):$(TAG)
 
 .PHONY: create-manifest
@@ -81,17 +81,6 @@ create-manifest:
 # RHS: replace with $(IMAGE):$(TAG)-& where & is what was matched on LHS
 	docker manifest create --amend $(IMAGE):$(TAG) $(shell echo $(ALL_OS_ARCH_OSVERSION) | sed -e "s~[^ ]*~$(IMAGE):$(TAG)\-&~g")
 
-.PHONY: all-annotate-manifest
-all-annotate-manifest: $(addprefix sub-annotate-manifest-,$(ALL_OS_ARCH_OSVERSION))
-
-sub-annotate-manifest-%:
-	$(MAKE) OS=$(call word-hyphen,$*,1) ARCH=$(call word-hyphen,$*,2) OSVERSION=$(call word-hyphen,$*,3) annotate-manifest
-
-.PHONY: annotate-manifest
-annotate-manifest: .annotate-manifest-$(OS)-$(ARCH)-$(OSVERSION)
-.annotate-manifest-$(OS)-$(ARCH)-$(OSVERSION):
-	set -x; docker manifest annotate --os $(OS) --arch $(ARCH) --os-version $(OSVERSION) $(IMAGE):$(TAG) $(IMAGE):$(TAG)-$(OS)-$(ARCH)-$(OSVERSION)
-
 # Only linux for OUTPUT_TYPE=docker because windows image cannot be exported
 # "Currently, multi-platform images cannot be exported with the docker export type. The most common usecase for multi-platform images is to directly push to a registry (see registry)."
 # https://docs.docker.com/engine/reference/commandline/buildx_build/#output
@@ -107,6 +96,7 @@ sub-image-%:
 image: .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION)
 .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION):
 	docker buildx build \
+		--no-cache-filter=linux-amazon \
 		--platform=$(OS)/$(ARCH) \
 		--progress=plain \
 		--target=$(OS)-$(OSVERSION) \

charts/aws-ebs-csi-driver/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Helm chart
 
+## v2.6.7
+
+* Bump app/driver to version `v1.6.1`
+
+## v2.6.6
+
+* Bump app/driver to version `v1.6.0`
+
+## v2.6.5
+
+* Bump app/driver to version `v1.5.3`
+
 ## v2.6.4
 
 * Remove exposure all secrets to external-snapshotter-role

charts/aws-ebs-csi-driver/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 1.5.1
+appVersion: 1.6.1
 name: aws-ebs-csi-driver
 description: A Helm chart for AWS EBS CSI Driver
-version: 2.6.4
+version: 2.6.7
 kubeVersion: ">=1.17.0-0"
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 sources:

charts/aws-ebs-csi-driver/templates/controller.yaml

@@ -3,6 +3,7 @@ kind: Deployment
 apiVersion: apps/v1
 metadata:
   name: ebs-csi-controller
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 spec:

charts/aws-ebs-csi-driver/templates/node-windows.yaml

@@ -3,6 +3,7 @@ kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   name: ebs-csi-node-windows
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 spec:

charts/aws-ebs-csi-driver/templates/node.yaml

@@ -3,6 +3,7 @@ kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   name: ebs-csi-node
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 spec:

charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml

@@ -1,7 +1,12 @@
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
+apiVersion: policy/v1
+{{- else }}
 apiVersion: policy/v1beta1
+{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: ebs-csi-controller
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 spec:

charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.controller.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
   {{- with .Values.controller.serviceAccount.annotations }}

charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.node.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
   {{- with .Values.node.serviceAccount.annotations }}

charts/aws-ebs-csi-driver/values.yaml

@@ -3,7 +3,7 @@
 # Declare variables to be passed into your templates.
 
 image:
-  repository: k8s.gcr.io/provider-aws/aws-ebs-csi-driver
+  repository: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver
   # Overrides the image tag whose default is v{{ .Chart.AppVersion }}
   tag: ""
   pullPolicy: IfNotPresent

cmd/main.go

@@ -51,6 +51,7 @@ func main() {
 		driver.WithVolumeAttachLimit(options.NodeOptions.VolumeAttachLimit),
 		driver.WithKubernetesClusterID(options.ControllerOptions.KubernetesClusterID),
 		driver.WithAwsSdkDebugLog(options.ControllerOptions.AwsSdkDebugLog),
+		driver.WithWarnOnInvalidTag(options.ControllerOptions.WarnOnInvalidTag),
 	)
 	if err != nil {
 		klog.Fatalln(err)

cmd/options/controller_options.go

@@ -35,11 +35,14 @@ type ControllerOptions struct {
 	KubernetesClusterID string
 	// flag to enable sdk debug log
 	AwsSdkDebugLog bool
+	// flag to warn on invalid tag, instead of returning an error
+	WarnOnInvalidTag bool
 }
 
 func (s *ControllerOptions) AddFlags(fs *flag.FlagSet) {
 	fs.Var(cliflag.NewMapStringString(&s.ExtraTags), "extra-tags", "Extra tags to attach to each dynamically provisioned resource. It is a comma separated list of key value pairs like '<key1>=<value1>,<key2>=<value2>'")
 	fs.Var(cliflag.NewMapStringString(&s.ExtraVolumeTags), "extra-volume-tags", "DEPRECATED: Please use --extra-tags instead. Extra volume tags to attach to each dynamically provisioned volume. It is a comma separated list of key value pairs like '<key1>=<value1>,<key2>=<value2>'")
 	fs.StringVar(&s.KubernetesClusterID, "k8s-tag-cluster-id", "", "ID of the Kubernetes cluster used for tagging provisioned EBS volumes (optional).")
 	fs.BoolVar(&s.AwsSdkDebugLog, "aws-sdk-debug-log", false, "To enable the aws sdk debug log level (default to false).")
+	fs.BoolVar(&s.WarnOnInvalidTag, "warn-on-invalid-tag", false, "To warn on invalid tags, instead of returning an error")
 }

deploy/kubernetes/base/controller.yaml

@@ -31,7 +31,7 @@ spec:
           tolerationSeconds: 300 
       containers:
         - name: ebs-plugin
-          image: k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.5.1
+          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.1
           imagePullPolicy: IfNotPresent
           args:
             # - {all,controller,node} # specify the driver mode

deploy/kubernetes/base/node.yaml

@@ -45,7 +45,7 @@ spec:
         - name: ebs-plugin
           securityContext:
             privileged: true
-          image: k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.5.1
+          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.1
           imagePullPolicy: IfNotPresent
           args:
             - node

deploy/kubernetes/overlays/stable/gcr/kustomization.yaml

@@ -4,7 +4,7 @@ bases:
   - ../../../base
 images:
   - name: k8s.gcr.io/provider-aws/aws-ebs-csi-driver
-    newTag: v1.5.1
+    newTag: v1.6.1
   - name: k8s.gcr.io/sig-storage/csi-provisioner
     newTag: v2.1.1
   - name: k8s.gcr.io/sig-storage/csi-attacher

docs/README.md

@@ -46,11 +46,14 @@ To help manage volumes in the aws account, CSI driver will automatically add tag
 | TagKey                 | TagValue                  | sample                                                              | Description         |
 |------------------------|---------------------------|---------------------------------------------------------------------|---------------------|
 | CSIVolumeName          | pvcName                   | CSIVolumeName = pvc-a3ab0567-3a48-4608-8cb6-4e3b1485c808            | add to all volumes, for recording associated pvc id and checking if a given volume was already created so that ControllerPublish/CreateVolume is idempotent. |
-| CSISnapshotName        | volumeSnapshotContentName | CSISnapshotName = snapcontent-69477690-803b-4d3e-a61a-03c7b2592a76  | add to all snapshots, for recording associated VolumeSnapshot id and checking if a given snapshot was already created                                    |
+| CSIVolumeSnapshotName  | volumeSnapshotContentName | CSIVolumeSnapshotName = snapcontent-69477690-803b-4d3e-a61a-03c7b2592a76 | add to all snapshots, for recording associated VolumeSnapshot id and checking if a given snapshot was already created                                    |
 | ebs.csi.aws.com/cluster| true                      | ebs.csi.aws.com/cluster = true                                      | add to all volumes and snapshots, for allowing users to use a policy to limit csi driver's permission to just the resources it manages.                      |
 | kubernetes.io/cluster/X| owned                     | kubernetes.io/cluster/aws-cluster-id-1 = owned                      | add to all volumes and snapshots if k8s-tag-cluster-id argument is set to X.|
 | extra-key              | extra-value               | extra-key = extra-value                                             | add to all volumes and snapshots if extraTags argument is set|
 
+
+The CSI driver also supports passing tags through `StorageClass.parameters`. For more information, please refer to the [tagging doc](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/TAGGING.md).
+
 ## Driver Options
 There are couple driver options that can be passed as arguments when starting driver container.
 
@@ -81,6 +84,10 @@ Following sections are Kubernetes specific. If you are Kubernetes user, use foll
 ## Container Images:
 |AWS EBS CSI Driver Version | GCR Image                                        | ECR Image                                                                   |
 |---------------------------|--------------------------------------------------|-----------------------------------------------------------------------------|
+|v1.6.1                     |                                                  | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.1                     |
+|v1.6.0                     |                                                  | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.0                     |
+|v1.5.3                     |                                                  | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.5.3                     |
+|v1.5.2                     |                                                  | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.5.2                     |
 |v1.5.1                     |k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.5.1 | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.5.1                     |
 |v1.5.0                     |k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.5.0 | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.5.0                     |
 |v1.4.0                     |k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.4.0 | 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-ebs-csi-driver:v1.4.0  |

docs/RELEASE.md

@@ -62,22 +62,18 @@ The new tag should trigger a new Github release. It should be a pre-release true
 - Source code (zip)
 - Source code (tar.gz)
 
-## Promote the new image on GCR
-
-Promote the new images from the staging repo by sending a PR to the kubernetes/k8s.io repo. Here's an [example PR](https://github.com/kubernetes/k8s.io/pull/1606).
-
 ## Promote the new image on ECR
 
 Follow the AWS-internal process.
 
 ## Verify the images are available
 
-In GCR:
-  - `docker pull k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.1.1`
+In ECR Public:
+  - `docker pull public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.1`
 
 In ECR:
   - `aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 602401143452.dkr.ecr.us-west-2.amazonaws.com`
-  - `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-ebs-csi-driver:v1.1.1`
+  - `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-ebs-csi-driver:v1.6.1`
 
 ## Create the post-release commit in the release branch
 

docs/TAGGING.md

@@ -0,0 +1,103 @@
+# Tagging
+
+The AWS EBS CSI Driver supports tagging through `StorageClass.parameters` (in v1.6.0 and later). 
+
+If a key has the prefix `tagSpecification`, the CSI driver will treat the value as a key-value pair to be applied to the dynamically provisioned volume as tags.
+
+
+**Example 1**
+```
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: ebs-sc
+provisioner: ebs.csi.aws.com
+parameters:
+  tagSpecification_1: "key1=value1"
+  tagSpecification_2: "key2=hello world"
+  tagSpecification_3: "key3="
+```
+
+Provisioning a volume using this StorageClass will apply two tags:
+
+```
+key1=value1
+key2=hello world
+key3=<empty string>
+```
+
+________
+
+To allow for PV-level granularity, the CSI driver support runtime string interpolation on the tag values. You can specify placeholders for PVC namespace, PVC name and PV name, which will then be dynamically computed at runtime.
+
+**NOTE: This requires the `--extra-create-metadata` flag to be enabled on the `external-provisioner` sidecar.**
+
+**Example 2**
+```
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: ebs-sc
+provisioner: ebs.csi.aws.com
+parameters:
+  tagSpecification_1: "pvcnamespace={{ .PVCNamespace }}"
+  tagSpecification_2: "pvcname={{ .PVCName }}"
+  tagSpecification_3: "pvname={{ .PVName }}"
+```
+Provisioning a volume using this StorageClass, with a PVC named 'ebs-claim' in namespace 'default', will apply the following tags:
+
+```
+pvcnamespace=default
+pvcname=ebs-claim
+pvname=<the computed pv name>
+```
+
+
+_________
+
+The driver uses Go's `text/template` package for string interpolation. As such, cluster admins are free to use the constructs provided by the package (except for certain function, see `Failure Modes` below). To aid cluster admins to be more expressive, certain functions have been provided.
+
+They include:
+
+-   **field** delim index str: Split `str` by `delim` and extract the  word at position `index`.
+-   **substring** start end str: Get a substring of `str` given the `start` and `end` indices
+-   **toUpper** str: Convert `str` to uppercase
+-   **toLower** str: Convert `str` to lowercase
+-   **contains** str1 str2: Returns a boolean if `str2` contains `str1`
+
+
+**Example 3**
+```
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: ebs-sc
+provisioner: ebs.csi.aws.com
+parameters:
+  tagSpecification_1: 'backup={{ .PVCNamespace | contains "prod" }}'
+  tagSpecification_2: 'billingID={{ .PVCNamespace | field "-" 2 | toUpper }}'
+```
+
+Assuming the PVC namespace is `ns-prod-abcdef`, the attached tags will be
+
+```
+backup=true
+billingID=ABCDEF
+```
+
+____
+
+## Failure Modes
+
+There can be multipe failure modes:
+
+* The template cannot be parsed.
+* The key/interpolated value do not meet the [AWS Tag Requirements](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
+* The key is not allowed (such as keys used internally by the CSI driver e.g., 'CSIVolumeName').
+* The template uses one of the disabled function calls. The driver disables the following `text/template` functions: `js`, `call`, `html`, `urlquery`. 
+
+In this case, the CSI driver will not provision a volume, but instead return an error.
+
+The driver also defines another flag, `--warn-on-invalid-tag` that will (if set), instead of returning an error, log a warning and skip the offending tag.
+
+

examples/kubernetes/resizing/manifests/pod.yaml

@@ -7,7 +7,7 @@ spec:
   - name: app
     image: centos
     command: ["/bin/sh"]
-    args: ["tail -f /dev/null"]
+    args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
     volumeMounts:
     - name: persistent-storage
       mountPath: /data

examples/kubernetes/windows/README.md

@@ -6,7 +6,7 @@ This example shows how to create a EBS volume and consume it from a Windows cont
 
 1. A 1.18+ Windows node. Windows support has only been tested on 1.18 EKS Windows nodes. https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html
 2. [csi-proxy](https://github.com/kubernetes-csi/csi-proxy) v1.0.0+ installed on the Windows node.
-3. Driver v1.5.0 from GCR: `k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.5.0`. It can be built and pushed to another image registry with the command `TAG=$MY_TAG REGISTRY=$MY_REGISTRY make all-push` where `MY_TAG` refers to the image tag to push and `MY_REGISTRY` to the destination image registry like "XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com"
+3. Driver v1.6.1 from ECR: `public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.1`. It can be built and pushed to another image registry with the command `TAG=$MY_TAG REGISTRY=$MY_REGISTRY make all-push` where `MY_TAG` refers to the image tag to push and `MY_REGISTRY` to the destination image registry like "XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com"
 4. The driver installed with the Node plugin on the Windows node and the Controller plugin on a Linux node: `helm upgrade --install aws-ebs-csi-driver --namespace kube-system ./charts/aws-ebs-csi-driver --set node.enableWindows=true --set image.repository=$MY_REGISTRY/aws-ebs-csi-driver --set image.tag=$MY_TAG`
 
 ## Usage