kind: DaemonSet apiVersion: apps/v1 metadata: name: csi-rbdplugin namespace: {{ .Namespace }} spec: selector: matchLabels: app: csi-rbdplugin updateStrategy: type: {{ .RBDPluginUpdateStrategy }} {{ if eq .RBDPluginUpdateStrategy "RollingUpdate" }} rollingUpdate: maxUnavailable: {{ .RBDPluginUpdateStrategyMaxUnavailable }} {{ end }} template: metadata: labels: app: csi-rbdplugin contains: csi-rbdplugin-metrics {{ range $key, $value := .CSIRBDPodLabels }} {{ $key }}: "{{ $value }}" {{ end }} spec: serviceAccountName: rook-csi-rbd-plugin-sa {{ if .PluginPriorityClassName }} priorityClassName: {{ .PluginPriorityClassName }} {{ end }} hostNetwork: {{ .EnableCSIHostNetwork }} hostPID: true # to use e.g. Rook orchestrated cluster, and mons' FQDN is # resolved through k8s service, set dns policy to cluster first dnsPolicy: ClusterFirstWithHostNet containers: - name: driver-registrar # This is necessary only for systems with SELinux, where # non-privileged sidecar containers cannot access unix domain socket # created by privileged CSI driver container. securityContext: privileged: true capabilities: drop: ["ALL"] image: {{ .RegistrarImage }} imagePullPolicy: {{ .ImagePullPolicy }} args: - "--v={{ .LogLevel }}" - "--csi-address=/csi/csi.sock" - "--kubelet-registration-path={{ .KubeletDirPath }}/plugins/{{ .DriverNamePrefix }}rbd.csi.ceph.com/csi.sock" env: - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration - name: csi-rbdplugin securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] drop: ["ALL"] allowPrivilegeEscalation: true image: {{ .CSIPluginImage }} args : - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" - "--v={{ .LogLevel }}" - "--type=rbd" - "--nodeserver=true" - "--drivername={{ .DriverNamePrefix }}rbd.csi.ceph.com" - "--pidlimit=-1" - "--stagingpath={{ .KubeletDirPath }}/plugins/kubernetes.io/csi/" {{ if .EnableCSIAddonsSideCar }} - "--csi-addons-endpoint=$(CSIADDONS_ENDPOINT)" {{ end }} {{- if .EnableCSITopology }} - "--domainlabels={{ .CSIDomainLabels }}" {{- end }} {{- if .EnableReadAffinity }} - "--enable-read-affinity=true" - "--crush-location-labels={{ .CrushLocationLabels }}" {{- end }} env: - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CSI_ENDPOINT value: unix:///csi/csi.sock {{ if .EnableCSIAddonsSideCar }} - name: CSIADDONS_ENDPOINT value: unix:///csi/csi-addons.sock {{ end }} imagePullPolicy: {{ .ImagePullPolicy }} volumeMounts: - name: plugin-dir mountPath: /csi - name: pods-mount-dir mountPath: "{{ .KubeletDirPath }}/pods" mountPropagation: "Bidirectional" - name: plugin-mount-dir mountPath: "{{ .KubeletDirPath }}/plugins" mountPropagation: "Bidirectional" - mountPath: /dev name: host-dev - mountPath: /sys name: host-sys - mountPath: /lib/modules name: lib-modules readOnly: true - name: ceph-csi-configs mountPath: /etc/ceph-csi-config/ - name: keys-tmp-dir mountPath: /tmp/csi/keys - name: host-run-mount mountPath: /run/mount {{ if .EnablePluginSelinuxHostMount }} - name: etc-selinux mountPath: /etc/selinux readOnly: true {{ end }} {{ if .MountCustomCephConf }} - name: ceph-config mountPath: /etc/ceph/ceph.conf subPath: ceph.conf {{ end }} - name: oidc-token mountPath: /run/secrets/tokens readOnly: true {{ if .EnableCSIEncryption }} - name: rook-ceph-csi-kms-config mountPath: /etc/ceph-csi-encryption-kms-config/ {{ end }} {{ if .EnableCSIAddonsSideCar }} - name: csi-addons securityContext: privileged: true capabilities: drop: ["ALL"] image: {{ .CSIAddonsImage }} args : - "--node-id=$(NODE_ID)" - "--v={{ .LogLevel }}" - "--csi-addons-address=$(CSIADDONS_ENDPOINT)" - "--controller-port={{ .CSIAddonsPort }}" - "--pod=$(POD_NAME)" - "--namespace=$(POD_NAMESPACE)" - "--pod-uid=$(POD_UID)" - "--stagingpath={{ .KubeletDirPath }}/plugins/kubernetes.io/csi/" ports: - containerPort: {{ .CSIAddonsPort }} env: - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName - name: POD_UID valueFrom: fieldRef: fieldPath: metadata.uid - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CSIADDONS_ENDPOINT value: unix:///csi/csi-addons.sock imagePullPolicy: {{ .ImagePullPolicy }} volumeMounts: - name: plugin-dir mountPath: /csi {{ end }} {{ if .EnableLiveness }} - name: liveness-prometheus securityContext: privileged: true capabilities: drop: ["ALL"] image: {{ .CSIPluginImage }} args: - "--type=liveness" - "--endpoint=$(CSI_ENDPOINT)" - "--metricsport={{ .RBDLivenessMetricsPort }}" - "--metricspath=/metrics" - "--polltime=60s" - "--timeout=3s" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP volumeMounts: - name: plugin-dir mountPath: /csi imagePullPolicy: {{ .ImagePullPolicy }} {{ end }} volumes: - name: plugin-dir hostPath: path: "{{ .KubeletDirPath }}/plugins/{{ .DriverNamePrefix }}rbd.csi.ceph.com" type: DirectoryOrCreate - name: plugin-mount-dir hostPath: path: "{{ .KubeletDirPath }}/plugins" type: Directory - name: registration-dir hostPath: path: "{{ .KubeletDirPath }}/plugins_registry/" type: Directory - name: pods-mount-dir hostPath: path: "{{ .KubeletDirPath }}/pods" type: Directory - name: host-dev hostPath: path: /dev - name: host-sys hostPath: path: /sys - name: lib-modules hostPath: path: /lib/modules - name: ceph-csi-configs projected: sources: - name: ceph-csi-config configMap: name: rook-ceph-csi-config items: - key: csi-cluster-config-json path: config.json - name: ceph-csi-mapping-config configMap: name: rook-ceph-csi-mapping-config items: - key: csi-mapping-config-json path: cluster-mapping.json - name: keys-tmp-dir emptyDir: { medium: "Memory" } - name: host-run-mount hostPath: path: /run/mount {{ if .EnablePluginSelinuxHostMount }} - name: etc-selinux hostPath: path: /etc/selinux {{ end }} {{ if .MountCustomCephConf }} - name: ceph-config configMap: name: csi-ceph-conf-override items: - key: ceph.conf path: ceph.conf {{ end }} - name: oidc-token projected: sources: - serviceAccountToken: path: oidc-token expirationSeconds: 3600 audience: ceph-csi-kms {{ if .EnableCSIEncryption }} - name: rook-ceph-csi-kms-config configMap: name: rook-ceph-csi-kms-config items: - key: config.json path: config.json {{ end }}