# This YAML file contains all API objects that are necessary to run external # CSI provisioner. # # In production, this needs to be in separate files, e.g. service account and # role and role binding needs to be created once, while stateful set may # require some tuning. # # In addition, mock CSI driver is hardcoded as the CSI driver. apiVersion: v1 kind: ServiceAccount metadata: name: csi-provisioner --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: external-provisioner-runner rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-provisioner-role subjects: - kind: ServiceAccount name: csi-provisioner namespace: default roleRef: kind: ClusterRole name: external-provisioner-runner apiGroup: rbac.authorization.k8s.io --- kind: Service apiVersion: v1 metadata: name: csi-provisioner labels: app: csi-provisioner spec: selector: app: csi-provisioner ports: - name: dummy port: 12345 --- kind: StatefulSet apiVersion: apps/v1beta1 metadata: name: csi-provisioner spec: serviceName: "csi-provisioner" replicas: 1 template: metadata: labels: app: csi-provisioner spec: serviceAccount: csi-provisioner containers: - name: csi-provisioner image: csi_images/csi-provisioner:latest args: - "--provisioner=rbdplugin" - "--csi-address=$(ADDRESS)" - "--v=5" env: - name: ADDRESS value: /var/lib/kubelet/plugins/rbdplugin/csi.sock imagePullPolicy: "IfNotPresent" volumeMounts: - name: socket-dir mountPath: /var/lib/kubelet/plugins/rbdplugin volumes: - name: socket-dir hostPath: path: /var/lib/kubelet/plugins/rbdplugin type: Directory