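---
# Rendered manifests for the AWS EBS CSI driver: ServiceAccounts, RBAC,
# the CSIDriver object, the controller Deployment, the node DaemonSet and
# a PodDisruptionBudget. All namespaced objects live in kube-system.
#
# Security-relevant summary (details are repeated next to each object):
#   * ebs-csi-controller-sa is bound to four ClusterRoles (attacher,
#     provisioner, resizer, snapshotter); its token carries their union,
#     including cluster-wide get/list on secrets.
#   * The node DaemonSet runs a privileged container with hostPath mounts
#     of /dev and /var/lib/kubelet.
#   * Images are referenced by mutable tag, not by digest.
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-node-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
---
# Source: aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-controller-sa
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
  # Enable if EKS IAM for SA is used.
  # The role ARN below is environment-specific (account id and role name);
  # replace it with the role of the target account before enabling.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
---
# Source: aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-attacher-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): the provisioner role in this file reads "csinodes" in
  # "storage.k8s.io"; confirm the attacher version deployed here still needs
  # this older group/resource pair.
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml
# Least-privilege role for the node plugin: read-only "get" on nodes.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-node-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-provisioner-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Leases back the --leader-election=true flags of the controller sidecars.
  # This is a ClusterRole, so the grant covers leases in every namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-resizer-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # Uncommenting it grants read access to secrets in all namespaces.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Source: aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-snapshotter-role
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Broadest grant in this file: bound through a ClusterRoleBinding, this
  # lets ebs-csi-controller-sa get and list secrets in every namespace.
  # NOTE(review): confirm the snapshot classes in use reference secrets;
  # if they do not, drop this rule or restrict it with a namespaced Role.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-attacher-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-attacher-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-node-getter-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-node-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-csi-node-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-resizer-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-resizer-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshotter-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-snapshotter-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-provisioner-binding
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-ebs-csi-driver/templates/csidriver.yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: ebs.csi.aws.com
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
spec:
  attachRequired: true
  podInfoOnMount: false
---
# Source: aws-ebs-csi-driver/templates/controller.yaml
# Controller Service
#
# Every container in this pod shares the ebs-csi-controller-sa token, so a
# compromise of any one of them yields the combined rights of the four
# ClusterRoles bound to that ServiceAccount. None of the containers sets a
# securityContext or resource limits.
# NOTE(review): consider allowPrivilegeEscalation: false and a read-only
# root filesystem per container after verifying the images tolerate it.
#
# Images are pinned by tag only. Pinning by digest (image@sha256:<digest>)
# prevents a re-pushed tag from changing what runs here. k8s.gcr.io is the
# legacy Kubernetes registry; the project's current one is registry.k8s.io.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ebs-csi-controller
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/name: aws-ebs-csi-driver
  template:
    metadata:
      labels:
        app: ebs-csi-controller
        app.kubernetes.io/name: aws-ebs-csi-driver
    spec:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        # Legacy taint key, kept for clusters that still apply it.
        - key: "node-role.kubernetes.io/master"
          effect: NoSchedule
        # The nodeSelector above targets the control-plane label, so the
        # matching control-plane taint has to be tolerated as well; without
        # this entry the pod stays Pending on clusters whose control-plane
        # nodes carry only the control-plane taint.
        - key: "node-role.kubernetes.io/control-plane"
          operator: Exists
          effect: NoSchedule
      serviceAccountName: ebs-csi-controller-sa
      priorityClassName: system-cluster-critical
      containers:
        - name: ebs-plugin
          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.2
          imagePullPolicy: IfNotPresent
          args:
            # - {all,controller,node} # specify the driver mode
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Static AWS credentials read from the "aws-secret" Secret.
            # Left disabled: these are long-lived keys, and a role-based
            # credential source (see the ServiceAccount annotation) avoids
            # storing them in the cluster.
            # - name: AWS_ACCESS_KEY_ID
            #   valueFrom:
            #     secretKeyRef:
            #       name: aws-secret
            #       key: key_id
            #       optional: true
            # - name: AWS_SECRET_ACCESS_KEY
            #   valueFrom:
            #     secretKeyRef:
            #       name: aws-secret
            #       key: access_key
            #       optional: true
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
        - name: csi-provisioner
          image: k8s.gcr.io/sig-storage/csi-provisioner:v2.1.1
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --feature-gates=Topology=true
            - --extra-create-metadata
            - --leader-election=true
            - --default-fstype=ext4
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-attacher
          image: k8s.gcr.io/sig-storage/csi-attacher:v3.1.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --leader-election=true
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-snapshotter
          image: k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --leader-election=true
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-resizer
          image: k8s.gcr.io/sig-storage/csi-resizer:v1.1.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: liveness-probe
          image: k8s.gcr.io/sig-storage/livenessprobe:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
      volumes:
        # Pod-local emptyDir: the CSI socket is shared between the containers
        # of this pod only and is not exposed on the host.
        - name: socket-dir
          emptyDir: {}
---
# Source: aws-ebs-csi-driver/templates/node.yaml
# Node Service
#
# The ebs-plugin container below is privileged and mounts the host's /dev
# and /var/lib/kubelet (the latter with Bidirectional propagation), so it
# has host-level access on every node it runs on. Treat write access to
# this DaemonSet, and exec into its pods, as equivalent to node access.
# The two sidecars are not privileged but share the plugin socket directory
# through hostPath volumes.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ebs-csi-node
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
spec:
  selector:
    matchLabels:
      app: ebs-csi-node
      app.kubernetes.io/name: aws-ebs-csi-driver
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 10%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ebs-csi-node
        app.kubernetes.io/name: aws-ebs-csi-driver
    spec:
      serviceAccountName: ebs-csi-node-sa
      priorityClassName: system-node-critical
      containers:
        - name: ebs-plugin
          securityContext:
            privileged: true
          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.2
          imagePullPolicy: IfNotPresent
          args:
            - node
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
          env:
            - name: CSI_ENDPOINT
              value: unix:/csi/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            # Bidirectional propagation makes mounts created inside this
            # container visible on the host under /var/lib/kubelet.
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            - name: device-dir
              mountPath: /dev
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
        - name: node-driver-registrar
          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=2
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
        - name: liveness-probe
          image: k8s.gcr.io/sig-storage/livenessprobe:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: device-dir
          hostPath:
            path: /dev
            type: Directory
---
# Source: aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
# The controller Deployment in this file runs replicas: 1, so
# maxUnavailable: 1 still allows the only controller pod to be evicted.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: ebs-csi-controller
  namespace: kube-system
  labels:
    app.kubernetes.io/name: aws-ebs-csi-driver
spec:
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/name: aws-ebs-csi-driver
  maxUnavailable: 1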