// Module included in the following assemblies:
|
|
//
|
|
// * storage/persistent-storage/persistent-storage-csi.adoc
|
|
|
|
[id="csi-example-deployment_{context}"]
|
|
= Example CSI deployment
|
|
|
|
Since {product-title} does not ship with any CSI driver installed, this
|
|
example shows how to deploy a community driver for OpenStack Cinder in
|
|
{product-title}.
|
|
|
|
.Procedure
|
|
|
|
. Create a new project where the CSI components will run, and then create
|
|
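a new service account to run the components. An explicit node selector is
used so that the DaemonSet with the CSI driver also runs on master nodes.
The service account is also granted the `privileged` SCC, because the driver
containers in the DaemonSet run with `privileged: true`.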
|
|
+
|
|
----
|
|
# oc adm new-project csi --node-selector=""
|
|
Now using project "csi" on server "https://example.com:8443".
|
|
|
|
# oc create serviceaccount cinder-csi
|
|
serviceaccount "cinder-csi" created
|
|
|
|
# oc adm policy add-scc-to-user privileged system:serviceaccount:csi:cinder-csi
|
|
scc "privileged" added to: ["system:serviceaccount:csi:cinder-csi"]
|
|
----
|
|
|
|
. Apply this YAML file to create the deployment with the external CSI
|
|
attacher and provisioner, and the DaemonSet with the CSI driver.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
# This YAML file contains all API objects that are necessary to run Cinder CSI
|
|
# driver.
|
|
#
|
|
# In production, this needs to be in separate files, e.g. service account and
|
|
# role and role binding need to be created once.
|
|
#
|
|
# It serves as an example of how to use external attacher and external provisioner
|
|
# images shipped with {product-title} with a community CSI driver.
|
|
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: cinder-csi-role
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["persistentvolumes"]
|
|
verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "get", "list", "watch", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["persistentvolumeclaims"]
|
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["storageclasses"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["volumeattachments"]
|
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch"]
|
|
|
|
---
|
|
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: cinder-csi-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: cinder-csi
|
|
namespace: csi
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: cinder-csi-role
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
cloud.conf: W0dsb2JhbF0KYXV0aC11cmwgPSBodHRwczovL2V4YW1wbGUuY29tOjEzMDAwL3YyLjAvCnVzZXJuYW1lID0gYWxhZGRpbgpwYXNzd29yZCA9IG9wZW5zZXNhbWUKdGVuYW50LWlkID0gZTBmYTg1YjZhMDY0NDM5NTlkMmQzYjQ5NzE3NGJlZDYKcmVnaW9uID0gcmVnaW9uT25lCg== <1>
|
|
kind: Secret
|
|
metadata:
|
|
creationTimestamp: null
|
|
name: cloudconfig
|
|
---
|
|
kind: Deployment
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: cinder-csi-controller
|
|
spec:
|
|
replicas: 2
|
|
selector:
|
|
matchLabels:
|
|
app: cinder-csi-controllers
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: cinder-csi-controllers
|
|
spec:
|
|
serviceAccount: cinder-csi
|
|
containers:
|
|
- name: csi-attacher
|
|
image: registry.redhat.io/openshift/csi-attacher:v4.0
|
|
args:
|
|
- "--v=5"
|
|
- "--csi-address=$(ADDRESS)"
|
|
- "--leader-election"
|
|
- "--leader-election-namespace=$(MY_NAMESPACE)"
|
|
- "--leader-election-identity=$(MY_NAME)"
|
|
env:
|
|
- name: MY_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: MY_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: ADDRESS
|
|
value: /csi/csi.sock
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: csi-provisioner
|
|
image: registry.redhat.io/openshift/csi-provisioner:v4.0
|
|
args:
|
|
- "--v=5"
|
|
- "--provisioner=csi-cinderplugin"
|
|
- "--csi-address=$(ADDRESS)"
|
|
env:
|
|
- name: ADDRESS
|
|
value: /csi/csi.sock
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: cinder-driver
|
|
image: k8scloudprovider/cinder-csi-plugin:v0.3.0
|
|
command: [ "/bin/cinder-csi-plugin" ]
|
|
args:
|
|
- "--nodeid=$(NODEID)"
|
|
- "--endpoint=unix://$(ADDRESS)"
|
|
- "--cloud-config=/etc/cloudconfig/cloud.conf"
|
|
env:
|
|
- name: NODEID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: ADDRESS
|
|
value: /csi/csi.sock
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: cloudconfig
|
|
mountPath: /etc/cloudconfig
|
|
volumes:
|
|
- name: socket-dir
|
|
emptyDir:
|
|
- name: cloudconfig
|
|
secret:
|
|
secretName: cloudconfig
|
|
|
|
---
|
|
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: cinder-csi-ds
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: cinder-csi-driver
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: cinder-csi-driver
|
|
spec:
|
|
<2>
|
|
serviceAccount: cinder-csi
|
|
containers:
|
|
- name: csi-driver-registrar
|
|
image: registry.redhat.io/openshift/csi-driver-registrar:v4.0
|
|
securityContext:
|
|
privileged: true
|
|
args:
|
|
- "--v=5"
|
|
- "--csi-address=$(ADDRESS)"
|
|
env:
|
|
- name: ADDRESS
|
|
value: /csi/csi.sock
|
|
- name: KUBE_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: cinder-driver
|
|
securityContext:
|
|
privileged: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
allowPrivilegeEscalation: true
|
|
image: k8scloudprovider/cinder-csi-plugin:v0.3.0
|
|
command: [ "/bin/cinder-csi-plugin" ]
|
|
args:
|
|
- "--nodeid=$(NODEID)"
|
|
- "--endpoint=unix://$(ADDRESS)"
|
|
- "--cloud-config=/etc/cloudconfig/cloud.conf"
|
|
env:
|
|
- name: NODEID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: ADDRESS
|
|
value: /csi/csi.sock
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: cloudconfig
|
|
mountPath: /etc/cloudconfig
|
|
- name: mountpoint-dir
|
|
mountPath: /var/lib/origin/openshift.local.volumes/pods/
|
|
mountPropagation: "Bidirectional"
|
|
- name: cloud-metadata
|
|
mountPath: /var/lib/cloud/data/
|
|
- name: dev
|
|
mountPath: /dev
|
|
volumes:
|
|
- name: cloud-metadata
|
|
hostPath:
|
|
path: /var/lib/cloud/data/
|
|
- name: socket-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins/csi-cinderplugin
|
|
type: DirectoryOrCreate
|
|
- name: mountpoint-dir
|
|
hostPath:
|
|
path: /var/lib/origin/openshift.local.volumes/pods/
|
|
type: Directory
|
|
- name: cloudconfig
|
|
secret:
|
|
secretName: cloudconfig
|
|
- name: dev
|
|
hostPath:
|
|
path: /dev
|
|
----
|
|
<1> Replace with `cloud.conf` for your OpenStack deployment.
|
|
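For example, you can generate the Secret by running `oc create secret
generic cloudconfig --from-file cloud.conf --dry-run -o yaml`.
The `data` value is only base64-encoded, not encrypted, and `cloud.conf`
holds the OpenStack user name and password, so handle the generated YAML
as a secret.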
|
|
<2> Optionally, add `nodeSelector` to the CSI driver pod template to
|
|
configure the nodes on which the CSI driver starts. Only nodes matching
|
|
the selector run pods that use volumes that are served by the CSI driver.
|
|
Without `nodeSelector`, the driver runs on all nodes in the cluster.
|