Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Pod Disruption Budget and configurable deployment name #1404

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Pod Disruption Budget and configurable deployment name #1404

wants to merge 1 commit into from

Conversation

omerap12
Copy link
Contributor

@omerap12 omerap12 commented Jul 7, 2024

Is this a bug fix or adding new feature?
Re-raising this PR #901. set configurable deployment and pdb name.
What is this PR about? / Why do we need it?
Fixes #1397
What testing is done?
Helm testing: the following values file:

nameOverride: ""
fullnameOverride: ""

replicaCount: 2

useFIPS: false

image:
  repository: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
  tag: "v2.0.5"
  pullPolicy: IfNotPresent

sidecars:
  livenessProbe:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
      tag: v2.13.0-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  nodeDriverRegistrar:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
      tag: v2.11.0-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  csiProvisioner:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
      tag: v5.0.1-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

imagePullSecrets: []

## Controller deployment variables

controller:
  # Specifies whether a deployment should be created
  create: true
  # name of the controller deployment
  name: efs-csi-controller
  # Number for the log level verbosity
  logLevel: 2
  # If set, add pv/pvc metadata to plugin create requests as parameters.
  extraCreateMetadata: true
  # Add additional tags to access points
  tags:
    {}
    # environment: prod
    # region: us-east-1
  # Enable if you want the controller to also delete the
  # path on efs when deleteing an access point
  deleteAccessPointRootDir: false
  podAnnotations: {}
  podLabel: {}
  hostNetwork: false
  priorityClassName: system-cluster-critical
  dnsPolicy: ClusterFirst
  dnsConfig: {}
  additionalLabels: {}
  resources:
    {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  updateStrategy: {}
  tolerations:
    - key: CriticalAddonsOnly
      operator: Exists
    - key: efs.csi.aws.com/agent-not-ready
      operator: Exists
  affinity: {}
  env: []
  volumes: []
  volumeMounts: []
  # Specifies whether a service account should be created
  serviceAccount:
    create: true
    name: efs-csi-controller-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
  healthPort: 9909
  regionalStsEndpoints: false
  # Pod Disruption Budget
  pdb:
    minAvailable: 1
  # securityContext on the controller pod
  securityContext:
    runAsNonRoot: false
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
  # securityContext on the controller container
  # Setting privileged=false will cause the "delete-access-point-root-dir" controller option to fail
  containerSecurityContext:
    privileged: true
  leaderElectionRenewDeadline: 10s
  leaderElectionLeaseDuration: 15s


## Node daemonset variables

node:
  # Number for the log level verbosity
  logLevel: 2
  volMetricsOptIn: false
  volMetricsRefreshPeriod: 240
  volMetricsFsRateLimit: 5
  hostAliases:
    {}
    # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per
    # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3
    # implementing the suggested solution found here:
    # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346
    # EFS Vol ID, IP, Region
    # "fs-01234567":
    #   ip: 10.10.2.2
    #   region: us-east-2
  priorityClassName: system-node-critical
  dnsPolicy: ClusterFirst
  dnsConfig:
    {}
    # Example config which uses the AWS nameservers
    # dnsPolicy: "None"
    # dnsConfig:
    #   nameservers:
    #     - 169.254.169.253
  podLabels: {}
  podAnnotations: {}
  additionalLabels: {}
  resources:
    {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  updateStrategy: {}
    # Override default strategy (RollingUpdate) to speed up deployment.
    # This can be useful if helm timeouts are observed.
    # type: OnDelete
  tolerations:
    - operator: Exists
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                  - fargate
  # Specifies whether a service account should be created
  serviceAccount:
    create: true
    name: efs-csi-node-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
  healthPort: 9809
  # securityContext on the node pod
  securityContext:
    # The node pod must be run as root to bind to the registration/driver sockets
    runAsNonRoot: false
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
  env: []
  volumes: []
  volumeMounts: []

storageClasses: []
# Add StorageClass resources like:
# - name: efs-sc
#   annotations:
#     # Use that annotation if you want this to your default storageclass
#     storageclass.kubernetes.io/is-default-class: "true"
#   mountOptions:
#   - tls
#   parameters:
#     provisioningMode: efs-ap
#     fileSystemId: fs-1122aabb
#     directoryPerms: "700"
#     gidRangeStart: "1000"
#     gidRangeEnd: "2000"
#     basePath: "/dynamic_provisioning"
#     subPathPattern: "/subPath"
#     ensureUniqueDirectory: true
#   reclaimPolicy: Delete
#   volumeBindingMode: Immediate

provides this output:

---
# Source: aws-efs-csi-driver/templates/controller-pdb.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: efs-csi-controller
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  selector:
    matchLabels:
      app: efs-csi-controller
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  minAvailable: 1
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-controller-sa
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-node-sa
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-external-provisioner-role
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-external-provisioner-role-describe-secrets
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    resourceNames: ["x-account"]
    verbs: [ "get", "watch", "list" ]
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-node-role
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch", "patch"]
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-provisioner-binding
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-node-binding
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-node-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-node-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
# We use a RoleBinding to restrict Secret access to the namespace that the 
# RoleBinding is created in (typically kube-system)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-provisioner-binding-describe-secrets
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-external-provisioner-role-describe-secrets
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/node-daemonset.yaml
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: efs-csi-node
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  selector:
    matchLabels:
      app: efs-csi-node
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  template:
    metadata:
      labels:
        app: efs-csi-node
        app.kubernetes.io/name: aws-efs-csi-driver
        app.kubernetes.io/instance: release-name
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                - fargate
      hostNetwork: true
      dnsPolicy: ClusterFirst
      serviceAccountName: efs-csi-node-sa
      priorityClassName: system-node-critical
      tolerations:
        - operator: Exists
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
      containers:
        - name: efs-plugin
          securityContext:
            privileged: true
          image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.5
          imagePullPolicy: IfNotPresent
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
            - --vol-metrics-opt-in=false
            - --vol-metrics-refresh-period=240
            - --vol-metrics-fs-rate-limit=5
          env:
            - name: CSI_ENDPOINT
              value: unix:/csi/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            - name: efs-state-dir
              mountPath: /var/run/efs
            - name: efs-utils-config
              mountPath: /var/amazon/efs
            - name: efs-utils-config-legacy
              mountPath: /etc/amazon/efs-legacy
          ports:
            - name: healthz
              containerPort: 9809
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 2
            failureThreshold: 5
        - name: csi-driver-registrar
          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.11.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=2
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9809
            - --v=2
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/efs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: efs-state-dir
          hostPath:
            path: /var/run/efs
            type: DirectoryOrCreate
        - name: efs-utils-config
          hostPath:
            path: /var/amazon/efs
            type: DirectoryOrCreate
        - name: efs-utils-config-legacy
          hostPath:
            path: /etc/amazon/efs
            type: DirectoryOrCreate
---
# Source: aws-efs-csi-driver/templates/controller-deployment.yaml
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
  name: efs-csi-controller
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  replicas: 2
  selector:
    matchLabels:
      app: efs-csi-controller
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  template:
    metadata:
      labels:
        app: efs-csi-controller
        app.kubernetes.io/name: aws-efs-csi-driver
        app.kubernetes.io/instance: release-name
    spec:
      hostNetwork: false
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: efs-csi-controller-sa
      priorityClassName: system-cluster-critical
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: efs.csi.aws.com/agent-not-ready
          operator: Exists
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
      dnsPolicy: ClusterFirst
      containers:
        - name: efs-plugin
          securityContext:
            privileged: true
          image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.5
          imagePullPolicy: IfNotPresent
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
            - --delete-access-point-root-dir=false
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - name: healthz
              containerPort: 9909
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
        - name: csi-provisioner
          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.0.1-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --feature-gates=Topology=true
            - --extra-create-metadata
            - --leader-election
            - --leader-election-renew-deadline=10s
            - --leader-election-lease-duration=15s
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9909
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      volumes:
        - name: socket-dir
          emptyDir: {}
---
# Source: aws-efs-csi-driver/templates/csidriver.yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: efs.csi.aws.com
  annotations:
    "helm.sh/hook": pre-install, pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation
    "helm.sh/resource-policy": keep
spec:
  attachRequired: false

@omerap12
Add Pod Disruption Budget and configurable deployment name
a943df0 
Signed-off-by: Omer Aplatony <omerap12@gmail.com>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 7, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: omerap12
Once this PR has been reviewed and has the lgtm label, please assign mskanth972 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@d-nishi d-nishi Awaiting requested review from d-nishi

@mskanth972 mskanth972 Awaiting requested review from mskanth972

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pod disruption budget
2 participants
@omerap12 @k8s-ci-robot