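---
# Controller-side Deployment for the AWS EBS CSI driver.
#
# The pod runs the CSI controller plugin together with its external sidecars
# (provisioner, attacher, resizer, snapshotter, liveness probe). Every sidecar
# and the driver itself expose plain-HTTP metrics bound to localhost only; each
# is fronted by its own kube-rbac-proxy container that terminates TLS and
# enforces RBAC, so no unauthenticated metrics endpoint is reachable from
# outside the pod. All `${...}` values are substituted by the operator that
# renders this asset; `$(...)` values are expanded by the kubelet from `env`.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-ebs-csi-driver-controller
  namespace: ${NAMESPACE}
  annotations:
    # Ask the OpenShift proxy injector to add cluster proxy settings and the
    # proxy CA bundle to the csi-driver container only.
    config.openshift.io/inject-proxy: csi-driver
    config.openshift.io/inject-proxy-cabundle: csi-driver
spec:
  selector:
    matchLabels:
      app: aws-ebs-csi-driver-controller
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Replace pods one at a time without creating extra replicas; with
      # leader election in the sidecars only one pod is active anyway.
      maxUnavailable: 1
      maxSurge: 0
  template:
    metadata:
      labels:
        app: aws-ebs-csi-driver-controller
    spec:
      # `serviceAccountName` is the documented field; `serviceAccount` is a
      # deprecated alias for the same setting.
      serviceAccountName: aws-ebs-csi-driver-controller-sa
      priorityClassName: system-cluster-critical
      # Pin the controller to control-plane nodes and tolerate their taints.
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      affinity:
        podAntiAffinity:
          # Prefer (but do not require) spreading replicas across hosts.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: aws-ebs-csi-driver-controller
                topologyKey: kubernetes.io/hostname
      containers:
        # CSI driver container
        - name: csi-driver
          image: ${DRIVER_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - controller
            - --endpoint=$(CSI_ENDPOINT)
            - --k8s-tag-cluster-id=${CLUSTER_ID}
            - --logtostderr
            # Metrics are bound to localhost; they are only reachable through
            # driver-kube-rbac-proxy below.
            - --http-endpoint=localhost:8206
            - --v=${LOG_LEVEL}
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            # Static AWS keys are optional: when the secret carries no
            # access-key pair the SDK falls back to AWS_CONFIG_FILE below
            # (e.g. a web-identity profile using the projected SA token).
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: ebs-cloud-credentials
                  key: aws_access_key_id
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: ebs-cloud-credentials
                  key: aws_secret_access_key
                  optional: true
            # Env values must be strings, so "1" is quoted to avoid integer
            # typing.
            - name: AWS_SDK_LOAD_CONFIG
              value: '1'
            - name: AWS_CONFIG_FILE
              value: /var/run/secrets/aws/credentials
          ports:
            - name: healthz
              # NOTE(review): the original comment said this port is open on
              # the node "due to hostNetwork", but hostNetwork is not set in
              # this pod spec. Confirm whether that comment is stale; if
              # hostNetwork is enabled elsewhere, 10301 is node-reachable and
              # should be restricted accordingly.
              containerPort: 10301
              protocol: TCP
          # The /healthz endpoint is served by the csi-liveness-probe sidecar
          # (see --health-port=10301 below).
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            # Secrets are mounted read-only; only the CSI socket dir is
            # writable.
            - name: aws-credentials
              mountPath: /var/run/secrets/aws
              readOnly: true
            - name: bound-sa-token
              mountPath: /var/run/secrets/openshift/serviceaccount
              readOnly: true
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
        # kube-rbac-proxy for csi-driver container.
        # Provides https proxy for http-based csi-driver metrics.
        - name: driver-kube-rbac-proxy
          args:
            # Listens on all pod interfaces, but only forwards to the
            # loopback upstream after TLS and RBAC checks.
            - --secure-listen-address=0.0.0.0:9206
            - --upstream=http://127.0.0.1:8206/
            - --tls-cert-file=/etc/tls/private/tls.crt
            - --tls-private-key-file=/etc/tls/private/tls.key
            # Cipher suites are supplied by the operator so the cluster's TLS
            # security profile is honoured.
            - --tls-cipher-suites=${TLS_CIPHER_SUITES}
            - --logtostderr=true
          image: ${KUBE_RBAC_PROXY_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9206
              name: driver-m
              protocol: TCP
          resources:
            requests:
              memory: 20Mi
              cpu: 10m
          volumeMounts:
            - name: metrics-serving-cert
              mountPath: /etc/tls/private
        # external-provisioner container
        - name: csi-provisioner
          image: ${PROVISIONER_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --default-fstype=ext4
            - --feature-gates=Topology=true
            - --extra-create-metadata=true
            - --http-endpoint=localhost:8202
            # Leader election keeps exactly one active provisioner across
            # replicas; timings are templated by the operator.
            - --leader-election
            - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
            - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
            - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
            # NOTE(review): hard-coded while metadata.namespace is templated
            # as ${NAMESPACE}; the Lease objects are written here, so the two
            # must agree or the controller's RBAC must cover both — confirm.
            # The same applies to the attacher, resizer and snapshotter below.
            - --leader-election-namespace=openshift-cluster-csi-drivers
            - --v=${LOG_LEVEL}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
        # kube-rbac-proxy for external-provisioner container.
        # Provides https proxy for http-based external-provisioner metrics.
        - name: provisioner-kube-rbac-proxy
          args:
            - --secure-listen-address=0.0.0.0:9202
            - --upstream=http://127.0.0.1:8202/
            - --tls-cert-file=/etc/tls/private/tls.crt
            - --tls-private-key-file=/etc/tls/private/tls.key
            - --tls-cipher-suites=${TLS_CIPHER_SUITES}
            - --logtostderr=true
          image: ${KUBE_RBAC_PROXY_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9202
              name: provisioner-m
              protocol: TCP
          resources:
            requests:
              memory: 20Mi
              cpu: 10m
          volumeMounts:
            - name: metrics-serving-cert
              mountPath: /etc/tls/private
        # external-attacher container
        - name: csi-attacher
          image: ${ATTACHER_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --http-endpoint=localhost:8203
            - --leader-election
            - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
            - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
            - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
            - --leader-election-namespace=openshift-cluster-csi-drivers
            - --v=${LOG_LEVEL}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
        # kube-rbac-proxy for external-attacher container.
        # Provides https proxy for http-based external-attacher metrics.
        - name: attacher-kube-rbac-proxy
          args:
            - --secure-listen-address=0.0.0.0:9203
            - --upstream=http://127.0.0.1:8203/
            - --tls-cert-file=/etc/tls/private/tls.crt
            - --tls-private-key-file=/etc/tls/private/tls.key
            - --tls-cipher-suites=${TLS_CIPHER_SUITES}
            - --logtostderr=true
          image: ${KUBE_RBAC_PROXY_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9203
              name: attacher-m
              protocol: TCP
          resources:
            requests:
              memory: 20Mi
              cpu: 10m
          volumeMounts:
            - name: metrics-serving-cert
              mountPath: /etc/tls/private
        # external-resizer container
        - name: csi-resizer
          image: ${RESIZER_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            # Resize operations can take a while; longer gRPC timeout than
            # the other sidecars.
            - --timeout=300s
            - --http-endpoint=localhost:8204
            - --leader-election
            - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
            - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
            - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
            - --leader-election-namespace=openshift-cluster-csi-drivers
            - --v=${LOG_LEVEL}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
        # kube-rbac-proxy for external-resizer container.
        # Provides https proxy for http-based external-resizer metrics.
        - name: resizer-kube-rbac-proxy
          args:
            - --secure-listen-address=0.0.0.0:9204
            - --upstream=http://127.0.0.1:8204/
            - --tls-cert-file=/etc/tls/private/tls.crt
            - --tls-private-key-file=/etc/tls/private/tls.key
            - --tls-cipher-suites=${TLS_CIPHER_SUITES}
            - --logtostderr=true
          image: ${KUBE_RBAC_PROXY_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9204
              name: resizer-m
              protocol: TCP
          resources:
            requests:
              memory: 20Mi
              cpu: 10m
          volumeMounts:
            - name: metrics-serving-cert
              mountPath: /etc/tls/private
        # external-snapshotter container
        - name: csi-snapshotter
          image: ${SNAPSHOTTER_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            # The snapshotter uses --metrics-address rather than
            # --http-endpoint; still loopback-only.
            - --metrics-address=localhost:8205
            - --leader-election
            - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
            - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
            - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
            - --leader-election-namespace=openshift-cluster-csi-drivers
            - --v=${LOG_LEVEL}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
        # kube-rbac-proxy for external-snapshotter container.
        # Provides https proxy for http-based external-snapshotter metrics.
        - name: snapshotter-kube-rbac-proxy
          args:
            - --secure-listen-address=0.0.0.0:9205
            - --upstream=http://127.0.0.1:8205/
            - --tls-cert-file=/etc/tls/private/tls.crt
            - --tls-private-key-file=/etc/tls/private/tls.key
            - --tls-cipher-suites=${TLS_CIPHER_SUITES}
            - --logtostderr=true
          image: ${KUBE_RBAC_PROXY_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9205
              name: snapshotter-m
              protocol: TCP
          resources:
            requests:
              memory: 20Mi
              cpu: 10m
          volumeMounts:
            - name: metrics-serving-cert
              mountPath: /etc/tls/private
        # livenessprobe sidecar: probes the driver over its CSI socket and
        # serves /healthz on 10301 for the csi-driver livenessProbe above.
        - name: csi-liveness-probe
          image: ${LIVENESS_PROBE_IMAGE}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --probe-timeout=3s
            - --health-port=10301
            - --v=${LOG_LEVEL}
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          resources:
            requests:
              memory: 50Mi
              cpu: 10m
      volumes:
        # NOTE(review): unlike the env secretKeyRefs above this volume is not
        # marked optional, so the pod will not start until the secret exists —
        # verify that is intended.
        - name: aws-credentials
          secret:
            secretName: ebs-cloud-credentials
        # This service account token can be used to provide identity outside the cluster.
        # For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
        - name: bound-sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  audience: openshift
        # Shared CSI socket directory between the driver and its sidecars.
        - name: socket-dir
          emptyDir: {}
        # Serving certificate used by every kube-rbac-proxy container.
        - name: metrics-serving-cert
          secret:
            secretName: aws-ebs-csi-driver-controller-metrics-serving-cert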