apiVersion: v1 kind: ServiceAccount metadata: name: csi-s3 namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3 rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-s3 subjects: - kind: ServiceAccount name: csi-s3 namespace: kube-system roleRef: kind: ClusterRole name: csi-s3 apiGroup: rbac.authorization.k8s.io --- kind: DaemonSet apiVersion: apps/v1 metadata: name: csi-s3 namespace: kube-system spec: selector: matchLabels: app: csi-s3 template: metadata: labels: app: csi-s3 spec: tolerations: - key: CriticalAddonsOnly operator: Exists - operator: Exists effect: NoExecute tolerationSeconds: 300 serviceAccount: csi-s3 containers: - name: driver-registrar image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0 args: - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - "--v=4" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/ru.yandex.s3.csi/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration/ - name: csi-s3 securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: cr.yandex/crp9ftr22d26age3hulg/csi-s3:0.38.3 imagePullPolicy: IfNotPresent args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(NODE_ID)" - "--v=4" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MY_CONTAINER_IMAGE value: cr.yandex/crp9ftr22d26age3hulg/csi-s3:0.35.3 volumeMounts: - name: plugin-dir mountPath: /csi - name: stage-dir mountPath: /var/lib/kubelet/plugins/kubernetes.io/csi mountPropagation: "Bidirectional" - name: pods-mount-dir mountPath: /var/lib/kubelet/pods mountPropagation: "Bidirectional" - name: fuse-device mountPath: /dev/fuse - name: systemd-control mountPath: /run/systemd volumes: - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: DirectoryOrCreate - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/ru.yandex.s3.csi type: DirectoryOrCreate - name: stage-dir hostPath: path: /var/lib/kubelet/plugins/kubernetes.io/csi type: DirectoryOrCreate - name: pods-mount-dir hostPath: path: /var/lib/kubelet/pods type: Directory - name: fuse-device hostPath: path: /dev/fuse - name: systemd-control hostPath: path: /run/systemd type: DirectoryOrCreate