New kustomization for pd driver

jingxu97 · jingxu97 · commit eb31712ea48c · 2020-06-04T16:49:04.000-07:00
This can work for both linux and windows

Also update to the latest version of kustomize
bases is deprecated, use resources instead.
diff --git a/deploy/kubernetes/base/controller_setup/cluster_setup.yaml b/deploy/kubernetes/base/controller_setup/cluster_setup.yaml
@@ -187,6 +187,18 @@ rules:
     - csi-gce-pd-node-psp
 ---
 
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-node-deploy-win
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - csi-gce-pd-node-psp-win
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -198,6 +210,32 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: csi-gce-pd-node-sa
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-gce-pd-node-win
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-gce-pd-node-deploy-win
+subjects:
+- kind: ServiceAccount
+  name: csi-gce-pd-node-sa
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-gce-pd-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-gce-pd-node-deploy
+subjects:
+- kind: ServiceAccount
+  name: csi-gce-pd-controller-sa
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/deploy/kubernetes/base/controller_setup/controller.yaml b/deploy/kubernetes/base/controller_setup/controller.yaml
@@ -17,6 +17,8 @@ spec:
       # since it replaces GCE Metadata Server with GKE Metadata Server. Remove
       # this requirement when issue is resolved and before any exposure of
       # metrics ports
+      nodeSelector:
+        kubernetes.io/os: linux
       hostNetwork: true
       serviceAccountName: csi-gce-pd-controller-sa
       priorityClassName: csi-gce-pd-controller
@@ -82,5 +84,10 @@ spec:
         - name: cloud-sa-volume
           secret:
             secretName: cloud-sa
+      # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+      # See "special case". This will tolerate everything. Node component should
+      # be scheduled on all nodes.
+      tolerations:
+      - operator: Exists
   # This is needed due to https://github.com/kubernetes-sigs/kustomize/issues/504
   volumeClaimTemplates: []
diff --git a/deploy/kubernetes/base/controller_setup/kustomization.yaml b/deploy/kubernetes/base/controller_setup/kustomization.yaml
@@ -0,0 +1,7 @@
+commonLabels:
+  k8s-app: gcp-compute-persistent-disk-csi-driver
+namespace:
+  gce-pd-csi-driver
+resources:
+- controller.yaml
+- cluster_setup.yaml
diff --git a/deploy/kubernetes/base/kustomization.yaml b/deploy/kubernetes/base/kustomization.yaml
@@ -1,8 +1,7 @@
-commonLabels:
-  k8s-app: gcp-compute-persistent-disk-csi-driver
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 namespace:
   gce-pd-csi-driver
 resources:
-- node.yaml
-- controller.yaml
-- setup-cluster.yaml
+- controller_setup
+- node_setup
diff --git a/deploy/kubernetes/base/node_setup/kustomization.yaml b/deploy/kubernetes/base/node_setup/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace:
+  gce-pd-csi-driver
+resources:
+- linux/node.yaml
+- windows/node.yaml
+- windows/psp.yaml
diff --git a/deploy/kubernetes/base/node_setup/linux/node.yaml b/deploy/kubernetes/base/node_setup/linux/node.yaml
@@ -15,21 +15,20 @@ spec:
       # Host network must be used for interaction with Workload Identity in GKE
       # since it replaces GCE Metadata Server with GKE Metadata Server. Remove
       # this requirement when issue is resolved and before any exposure of
-      # metrics ports.
+      # metrics ports. But hostNetwork is not working for Windows, might be an issue
+      # when deploying on GKE Windows node.
       hostNetwork: true
       priorityClassName: csi-gce-pd-node
       serviceAccountName: csi-gce-pd-node-sa
+      nodeSelector:
+        kubernetes.io/os: linux
       containers:
         - name: csi-driver-registrar
           image: gke.gcr.io/csi-node-driver-registrar
           args:
             - "--v=5"
             - "--csi-address=/csi/csi.sock"
             - "--kubelet-registration-path=/var/lib/kubelet/plugins/pd.csi.storage.gke.io/csi.sock"
-          lifecycle:
-            preStop:
-              exec:
-                command: ["/bin/sh", "-c", "rm -rf /registration/pd.csi.storage.gke.io /registration/pd.csi.storage.gke.io-reg.sock"]
           env:
             - name: KUBE_NODE_NAME
               valueFrom:
@@ -41,14 +40,14 @@ spec:
             - name: registration-dir
               mountPath: /registration
         - name: gce-pd-driver
-          securityContext:
-            privileged: true
           # Don't change base image without changing pdImagePlaceholder in
           # test/k8s-integration/main.go
           image: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
           args:
             - "--v=5"
             - "--endpoint=unix:/csi/csi.sock"
+          securityContext:
+            privileged: true
           volumeMounts:
             - name: kubelet-dir
               mountPath: /var/lib/kubelet
@@ -67,8 +66,6 @@ spec:
               mountPath: /run/udev
             - name: sys
               mountPath: /sys
-      nodeSelector:
-        kubernetes.io/os: linux
       volumes:
         - name: registration-dir
           hostPath:
diff --git a/deploy/kubernetes/base/node_setup/windows/node.yaml b/deploy/kubernetes/base/node_setup/windows/node.yaml
@@ -0,0 +1,82 @@
+#TODO(#40): Force DaemonSet to not run on master.
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: csi-gce-pd-node-win
+spec:
+  selector:
+    matchLabels:
+      app: gcp-compute-persistent-disk-csi-driver
+  template:
+    metadata:
+      labels:
+        app: gcp-compute-persistent-disk-csi-driver
+    spec:
+      # Host network must be used for interaction with Workload Identity in GKE
+      # since it replaces GCE Metadata Server with GKE Metadata Server. Remove
+      # this requirement when issue is resolved and before any exposure of
+      # metrics ports. But hostNetwork is not working for Windows, might be an issue
+      # when deploying on GKE Windows node.
+      # hostNetwork: true
+      priorityClassName: csi-gce-pd-node
+      serviceAccountName: csi-gce-pd-node-sa
+      nodeSelector:
+        kubernetes.io/os: windows
+      containers:
+        - name: csi-driver-registrar
+          image: gcr.io/k8s-staging-csi/csi-node-driver-registrar:amd64-windows-v20200428-v1.3.0-26-g510710d5
+          args:
+            - --v=5
+            - --csi-address=unix://C:\\csi\\csi.sock
+            - --kubelet-registration-path=C:\\var\\lib\\kubelet\\plugins\\pd.csi.storage.gke.io\\csi.sock
+          env:
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /csi
+            - name: registration-dir
+              mountPath: /registration
+        - name: gce-pd-driver
+          # Don't change base image without changing pdImagePlaceholder in
+          # test/k8s-integration/main.go
+          image: gcr.io/jing-k8s-dev/gce-pd-windows-2019:0.2.0
+          args:
+            - "--v=5"
+            - "--endpoint=unix:/csi/csi.sock"
+          volumeMounts:
+            - name: kubelet-dir
+              mountPath: C:\var\lib\kubelet
+              mountPropagation: "None"
+            - name: plugin-dir
+              mountPath: C:\csi
+            - name: csi-proxy-disk-pipe
+              mountPath: \\.\pipe\csi-proxy-disk-v1alpha1
+            - name: csi-proxy-volume-pipe
+              mountPath: \\.\pipe\csi-proxy-volume-v1alpha1
+            - name: csi-proxy-filesystem-pipe
+              mountPath: \\.\pipe\csi-proxy-filesystem-v1alpha1
+      volumes:
+      - name: csi-proxy-disk-pipe
+        hostPath:
+          path: \\.\pipe\csi-proxy-disk-v1alpha1
+          type: ""
+      - name: csi-proxy-volume-pipe
+        hostPath:
+          path: \\.\pipe\csi-proxy-volume-v1alpha1
+          type: ""
+      - name: csi-proxy-filesystem-pipe
+        hostPath:
+          path: \\.\pipe\csi-proxy-filesystem-v1alpha1
+          type: ""
+      - name: registration-dir
+        hostPath:
+          path: \var\lib\kubelet\plugins_registry
+      - name: kubelet-dir
+        hostPath:
+          path: \var\lib\kubelet
+      - name: plugin-dir
+        hostPath:
+          path: \var\lib\kubelet\plugins\pd.csi.storage.gke.io
diff --git a/deploy/kubernetes/base/node_setup/windows/psp.yaml b/deploy/kubernetes/base/node_setup/windows/psp.yaml
@@ -0,0 +1,23 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: csi-gce-pd-node-psp-win
+spec:
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  hostNetwork: true
+  allowedHostPaths:
+  - pathPrefix: \var\lib\kubelet
+  - pathPrefix: \var\lib\kubelet\plugins_registry
+  - pathPrefix: \var\lib\kubelet\plugins\pd.csi.storage.gke.io
+  - pathPrefix: \\.\pipe\csi-proxy-disk-v1alpha1
+  - pathPrefix: \\.\pipe\csi-proxy-volume-v1alpha1
+  - pathPrefix: \\.\pipe\csi-proxy-filesystem-v1alpha1
diff --git a/deploy/kubernetes/deploy-driver.sh b/deploy/kubernetes/deploy-driver.sh
@@ -97,4 +97,3 @@ ${KUBECTL} version
 readonly tmp_spec=/tmp/gcp-compute-persistent-disk-csi-driver-specs-generated.yaml
 ${KUSTOMIZE_PATH} build ${PKGDIR}/deploy/kubernetes/overlays/${DEPLOY_VERSION} | tee $tmp_spec
 ${KUBECTL} apply -v="${VERBOSITY}" -f $tmp_spec
-
diff --git a/deploy/kubernetes/install-kustomize.sh b/deploy/kubernetes/install-kustomize.sh
@@ -9,7 +9,7 @@ set -o errexit
 
 readonly INSTALL_DIR="${GOPATH}/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/bin"
 readonly KUSTOMIZE_PATH="${INSTALL_DIR}/kustomize"
-readonly KUSTOMIZE_VERSION="2.0.3"
+readonly KUSTOMIZE_VERSION="3.6.1"
 readonly VERSION_REGEX="KustomizeVersion:([0-9]\.[0-9]\.[0-9])"
 
 if [ -f "${KUSTOMIZE_PATH}" ]; then
@@ -25,14 +25,9 @@ if [ ! -f "${KUSTOMIZE_PATH}" ]; then
   if [ ! -f "${INSTALL_DIR}" ]; then
     mkdir -p ${INSTALL_DIR}
   fi
-
-  echo "Installing Kustomize v${KUSTOMIZE_VERSION} in ${KUSTOMIZE_PATH}"
-  opsys=linux  # or darwin, or windows
-  curl -s https://api.github.com/repos/kubernetes-sigs/kustomize/releases/tags/v${KUSTOMIZE_VERSION} |\
-    grep browser_download |\
-    grep $opsys |\
-    cut -d '"' -f 4 |\
-    xargs curl -O -L
-  mv kustomize_*_${opsys}_amd64 ${KUSTOMIZE_PATH}
-  chmod u+x ${KUSTOMIZE_PATH}
+  if [ -f "kustomize" ]; then
+    rm kustomize
+  fi
+  curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
+  mv kustomize ${INSTALL_DIR}
 fi
diff --git a/deploy/kubernetes/overlays/alpha/kustomization.yaml b/deploy/kubernetes/overlays/alpha/kustomization.yaml
@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
+namespace:
+  gce-pd-csi-driver
+resources:
 - ../stable
-
diff --git a/deploy/kubernetes/overlays/dev/kustomization.yaml b/deploy/kubernetes/overlays/dev/kustomization.yaml
@@ -1,13 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../alpha
+resources:
+- ../stable
 patches:
 - controller_always_pull.yaml
 - node_always_pull.yaml
+namespace:
+  gce-pd-csi-driver
 images:
 # Replace this with your private image names and tags
 - name: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
   newName: gcr.io/dyzz-csi-staging/csi/gce-pd-driver
   newTag: "latest"
-  
diff --git a/deploy/kubernetes/overlays/prow-gke-release-staging-head/kustomization.yaml b/deploy/kubernetes/overlays/prow-gke-release-staging-head/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../../base
+resources:
+- ../stable
 images:
 - name: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
   newName: gcr.io/gke-release-staging/gcp-compute-persistent-disk-csi-driver
diff --git a/deploy/kubernetes/overlays/prow-gke-release-staging-rc/kustomization.yaml b/deploy/kubernetes/overlays/prow-gke-release-staging-rc/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../../base
+resources:
+- ../stable
 images:
 - name: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
   newName: gcr.io/gke-release-staging/gcp-compute-persistent-disk-csi-driver
diff --git a/deploy/kubernetes/overlays/stable/kustomization.yaml b/deploy/kubernetes/overlays/stable/kustomization.yaml
@@ -1,25 +1,27 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../../base
+namespace:
+  gce-pd-csi-driver
 images:
-- name: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
   # Don't change stable image without changing pdImagePlaceholder in
   # test/k8s-integration/main.go
-  newName: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
-  newTag: "v0.7.0-gke.0"
 - name: gke.gcr.io/csi-provisioner
   newName: gke.gcr.io/csi-provisioner
   newTag: "v1.6.0-gke.0"
 - name: gke.gcr.io/csi-attacher
   newName: gke.gcr.io/csi-attacher
   newTag: "v2.2.0-gke.0"
-- name: gke.gcr.io/csi-node-driver-registrar
-  newName: gke.gcr.io/csi-node-driver-registrar
-  newTag: "v1.3.0-gke.0"
 - name: gke.gcr.io/csi-resizer
   newName: gke.gcr.io/csi-resizer
   newTag: "v0.5.0-gke.0"
 - name: gke.gcr.io/csi-snapshotter
   newName: gke.gcr.io/csi-snapshotter
   newTag: "v2.1.1-gke.0"
+- name: gke.gcr.io/csi-node-driver-registrar
+  newName: gke.gcr.io/csi-node-driver-registrar
+  newTag: "v1.3.0-gke.0"
+- name: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
+  newName: gke.gcr.io/gcp-compute-persistent-disk-csi-driver
+  newTag: "v0.7.0-gke.0"
+resources:
+- ../../base/
