Merge pull request #1003 from huww98/sa-name

update serviceAccountName in Pod

deploy/ecs/csi-plugin.yaml

@@ -25,7 +25,7 @@ spec:
                 - virtual-kubelet
       nodeSelector:
         kubernetes.io/os: linux
-      serviceAccount: csi-admin
+      serviceAccountName: alicloud-csi-plugin
       priorityClassName: system-node-critical
       hostNetwork: true
       hostIPC: true

deploy/ecs/csi-provisioner.yaml

@@ -59,7 +59,7 @@ spec:
       - effect: NoSchedule
         operator: Exists
         key: node.cloudprovider.kubernetes.io/uninitialized
-      serviceAccount: csi-admin
+      serviceAccountName: alicloud-csi-provisioner
       hostPID: true
       priorityClassName: system-node-critical
       containers:

deploy/nonecs/csi-plugin.yaml

@@ -25,7 +25,7 @@ spec:
                 - virtual-kubelet
       nodeSelector:
         kubernetes.io/os: linux
-      serviceAccount: csi-admin
+      serviceAccountName: alicloud-csi-plugin
       priorityClassName: system-node-critical
       hostNetwork: true
       hostIPC: true

deploy/nonecs/csi-provisioner.yaml

@@ -59,7 +59,7 @@ spec:
       - effect: NoSchedule
         operator: Exists
         key: node.cloudprovider.kubernetes.io/uninitialized
-      serviceAccount: csi-admin
+      serviceAccountName: alicloud-csi-provisioner
       hostPID: true
       priorityClassName: system-node-critical
       containers:

deploy/nonecs/rbac.yaml

@@ -1,14 +1,134 @@
+# csi-provisioner
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-admin
+  name: alicloud-csi-provisioner
   namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: alicloud-csi-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+# disable in use error , should be deleted
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "list", "update", "patch"]
+  - apiGroups: ["storage.alibabacloud.com"]
+    resources: ["rules"]
+    verbs: ["get"]
+  - apiGroups: ["storage.alibabacloud.com"]
+    resources: ["containernetworkfilesystems"]
+    verbs: ["get","list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes/stats"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-provisioner
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: kube-system
+  name: alicloud-csi-provisioner
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["csi-plugin", "ack-cluster-profile"]
+  verbs: ["get"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role-cfg
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-provisioner
+    namespace: kube-system
+roleRef:
+  kind: Role
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: csi-fuse-ossfs
   namespace: kube-system
+
+# csi-plugin
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alicloud-csi-plugin
+  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,21 +139,10 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   resourceNames: ["csi-ossfs-credentials"]
-  verbs: ["get", "create", "patch"]
+  verbs: ["get", "patch"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "list", "watch", "create", "delete" ]
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["csi-local-plugin-cert"]
-  verbs: ["get"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  resourceNames: ["csi-fuse-ossfs"]
-  verbs: ["get"]
 - apiGroups: [""]
   resources: ["endpoints"]
   resourceNames: ["cnfs-cache-ds-service"]
@@ -46,6 +155,10 @@ rules:
   resources: ["services"]
   resourceNames: ["storage-monitor-service"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  resourceNames: ["csi-fuse-ossfs"]
+  verbs: ["get"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -130,7 +243,7 @@ roleRef:
   name: alicloud-csi-plugin
 subjects:
 - kind: ServiceAccount
-  name: csi-admin
+  name: alicloud-csi-plugin
   namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -143,6 +256,5 @@ roleRef:
   name: alicloud-csi-plugin
 subjects:
 - kind: ServiceAccount
-  name: csi-admin
+  name: alicloud-csi-plugin
   namespace: kube-system
----

test/csi-sanity/csi-sanity-disk.yaml

@@ -8,6 +8,66 @@ data:
     type: cloud_essd
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-testing
+  namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role-testing
+subjects:
+  - kind: ServiceAccount
+    name: csi-testing
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role-cfg-testing
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: csi-testing
+    namespace: kube-system
+roleRef:
+  kind: Role
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: alicloud-csi-plugin-testing
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: alicloud-csi-plugin
+subjects:
+- kind: ServiceAccount
+  name: csi-testing
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: alicloud-csi-plugin-testing
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: alicloud-csi-plugin
+subjects:
+- kind: ServiceAccount
+  name: csi-testing
+  namespace: kube-system
+---
+apiVersion: v1
 kind: Pod
 metadata:
   name: csi-testing
@@ -26,8 +86,7 @@ spec:
             - available
   hostIPC: true
   hostPID: true
-  serviceAccount: csi-admin
-  serviceAccountName: csi-admin
+  serviceAccountName: csi-testing
   restartPolicy: Never
   volumes:
   - name: run-csi