# This YAML defines all API objects to create RBAC roles for csi node plugin. apiVersion: v1 kind: ServiceAccount metadata: name: csi-nodeplugin --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-nodeplugin rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "update"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-nodeplugin subjects: - kind: ServiceAccount name: csi-nodeplugin namespace: default roleRef: kind: ClusterRole name: csi-nodeplugin apiGroup: rbac.authorization.k8s.io --- # This YAML file contains driver-registrar & csi driver nodeplugin API objects, # which are necessary to run csi nodeplugin for rbd. kind: DaemonSet apiVersion: apps/v1beta2 metadata: name: csi-nodeplugin-rbdplugin spec: selector: matchLabels: app: csi-nodeplugin-rbdplugin template: metadata: labels: app: csi-nodeplugin-rbdplugin spec: serviceAccount: csi-nodeplugin hostNetwork: true containers: - name: driver-registrar image: quay.io/k8scsi/driver-registrar:v0.1.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/kubelet/plugins/rbdplugin/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: socket-dir mountPath: /var/lib/kubelet/plugins/rbdplugin - name: rbdplugin securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: quay.io/k8scsi/rbdplugin:v0.1.0 args : - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" - "--v=5" - "--drivername=rbdplugin" env: - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName - name: CSI_ENDPOINT value: unix://var/lib/kubelet/plugins/rbdplugin/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: plugin-dir mountPath: /var/lib/kubelet/plugins/rbdplugin - name: pods-mount-dir mountPath: /var/lib/kubelet/pods mountPropagation: "Bidirectional" - mountPath: /dev name: host-dev - mountPath: /sys name: host-sys - mountPath: /lib/modules name: lib-modules readOnly: true volumes: - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/rbdplugin type: DirectoryOrCreate - name: pods-mount-dir hostPath: path: /var/lib/kubelet/pods type: Directory - name: socket-dir hostPath: path: /var/lib/kubelet/plugins/rbdplugin type: DirectoryOrCreate - name: host-dev hostPath: path: /dev - name: host-sys hostPath: path: /sys - name: lib-modules hostPath: path: /lib/modules