From db696785d590678d609d46e41cc4be46ef969d0e Mon Sep 17 00:00:00 2001
From: Samuel Liu
Date: Tue, 20 Jun 2023 02:44:21 +0800
Subject: [PATCH] update local path provisioner version and remove psp (#10054)

* update local_path_provisioner_version

* remove psp and update cm
---
 README.md | 2 +-
 .../sample/group_vars/k8s_cluster/addons.yml | 2 +-
 roles/download/defaults/main.yml | 2 +-
 .../local_path_provisioner/tasks/main.yml | 11 ---
 .../templates/local-path-storage-cm.yml.j2 | 72 +++++++------------
 .../templates/local-path-storage-cr.yml.j2 | 24 +++----
 .../local-path-storage-psp-cr.yml.j2 | 15 ----
 .../local-path-storage-psp-rb.yml.j2 | 14 ----
 .../templates/local-path-storage-psp.yml.j2 | 43 -----------
 tests/files/packet_almalinux8-calico.yml | 1 +
 10 files changed, 40 insertions(+), 146 deletions(-)
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2

diff --git a/README.md b/README.md
index 694a7681c..c39f3b25e 100644
--- a/README.md
+++ b/README.md
@@ -192,7 +192,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
 - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
 - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
- - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.23
+ - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
 - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
 
 ## Container Runtime Notes
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 7f27ab2f8..cb7868846 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -29,7 +29,7 @@ local_path_provisioner_enabled: false
 # local_path_provisioner_claim_root: /opt/local-path-provisioner/
 # local_path_provisioner_debug: false
 # local_path_provisioner_image_repo: "rancher/local-path-provisioner"
-# local_path_provisioner_image_tag: "v0.0.23"
+# local_path_provisioner_image_tag: "v0.0.24"
 # local_path_provisioner_helper_image_repo: "busybox"
 # local_path_provisioner_helper_image_tag: "latest"
 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 8aa992506..063a98ddf 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1097,7 +1097,7 @@ cephfs_provisioner_image_tag: "{{ cephfs_provisioner_version }}"
 rbd_provisioner_version: "v2.1.1-k8s1.11"
 rbd_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/rbd-provisioner"
 rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
-local_path_provisioner_version: "v0.0.23"
+local_path_provisioner_version: "v0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
 ingress_nginx_version: "v1.8.0"
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
index 4cf26d81d..71036ca9d 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@@ -25,17 +25,6 @@
 - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
 - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
 - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
- local_path_provisioner_templates_for_psp_not_system_ns:
- - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
- - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
- - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
-
-- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
- set_fact:
- local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
- when:
- - podsecuritypolicy_enabled
- - local_path_provisioner_namespace != "kube-system"
 
 - name: Local Path Provisioner | Create manifests
 template:
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
index 857431212..df4512441 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
@@ -6,54 +6,30 @@ metadata:
 namespace: {{ local_path_provisioner_namespace }}
 data:
 config.json: |-
- {
- "nodePathMap":[
- {
- "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
- "paths":["{{ local_path_provisioner_claim_root }}"]
- }
- ]
- }
+ {
+ "nodePathMap":[
+ {
+ "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+ "paths":["{{ local_path_provisioner_claim_root }}"]
+ }
+ ]
+ }
 setup: |-
- #!/bin/sh
- while getopts "m:s:p:" opt
- do
- case $opt in
- p)
- absolutePath=$OPTARG
- ;;
- s)
- sizeInBytes=$OPTARG
- ;;
- m)
- volMode=$OPTARG
- ;;
- esac
- done
- mkdir -m 0777 -p ${absolutePath}
+ #!/bin/sh
+ set -eu
+ mkdir -m 0777 -p "$VOL_DIR"
 teardown: |-
- #!/bin/sh
- while getopts "m:s:p:" opt
- do
- case $opt in
- p)
- absolutePath=$OPTARG
- ;;
- s)
- sizeInBytes=$OPTARG
- ;;
- m)
- volMode=$OPTARG
- ;;
- esac
- done
- rm -rf ${absolutePath}
+ #!/bin/sh
+ set -eu
+ rm -rf "$VOL_DIR"
 helperPod.yaml: |-
- apiVersion: v1
- kind: Pod
- metadata:
- name: helper-pod
- spec:
- containers:
- - name: helper-pod
- image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: helper-pod
+ spec:
+ containers:
+ - name: helper-pod
+ image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
+ imagePullPolicy: IfNotPresent
+
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
index c97511ab1..299db6eba 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
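Review bot: The rewritten `helperPod.yaml` in this hunk gives the helper-pod container no `securityContext`, while the PodSecurityPolicy this same commit deletes (local-path-storage-psp.yml.j2) declared `requiredDropCapabilities: [ALL]` plus `runtime/default` seccomp and AppArmor profiles, so wherever that policy applied, the pod that runs `mkdir`/`rm -rf` on the host path previously executed with those restrictions and now falls back to the runtime's default capability set. Since the pod evidently worked under those constraints, the equivalent pod-level fields can be carried into the template itself so the hardening no longer depends on a cluster-wide admission policy; a provision/delete cycle would confirm busybox still completes both scripts with them in place. The `set -eu` in the new setup/teardown scripts is a good addition, since an unset `VOL_DIR` now aborts instead of expanding to an empty argument. The trailing `+` blank line after `imagePullPolicy` sits inside the `|-` block scalar and only adds whitespace to the rendered ConfigMap; it can be dropped.
```yaml
# … unchanged: config.json, setup, teardown, and helperPod.yaml up to the image line …
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
```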
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
@@ -4,15 +4,15 @@ kind: ClusterRole
 metadata:
 name: local-path-provisioner-role
 rules:
- - apiGroups: [""]
- resources: ["nodes", "persistentvolumeclaims", "configmaps"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "persistentvolumes", "pods"]
- verbs: ["*"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
+ - apiGroups: [ "" ]
+ resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes", "pods" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "create", "patch" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "storageclasses" ]
+ verbs: [ "get", "list", "watch" ]
\ No newline at end of file
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
deleted file mode 100644
index 65a71f574..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
+++ /dev/null
@@ -1,15 +0,0 @@
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:local-path-provisioner
- namespace: {{ local_path_provisioner_namespace }}
-rules:
- - apiGroups:
- - policy
- resourceNames:
- - local-path-provisioner
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
deleted file mode 100644
index c7e6d2167..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
+++ /dev/null
@@ -1,14 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:local-path-provisioner
- namespace: {{ local_path_provisioner_namespace }}
-subjects:
- - kind: ServiceAccount
- name: local-path-provisioner-service-account
- namespace: {{ local_path_provisioner_namespace }}
-roleRef:
- kind: ClusterRole
- name: psp:local-path-provisioner
- apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
deleted file mode 100644
index 55d5adb17..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: local-path-provisioner
- annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'secret'
- - 'downwardAPI'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: "{{ local_path_provisioner_claim_root }}"
- readOnly: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/tests/files/packet_almalinux8-calico.yml b/tests/files/packet_almalinux8-calico.yml
index 1df4a64e5..63cf8bf64 100644
--- a/tests/files/packet_almalinux8-calico.yml
+++ b/tests/files/packet_almalinux8-calico.yml
@@ -9,6 +9,7 @@ metrics_server_enabled: true
 dashboard_namespace: "kube-dashboard"
 dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
+local_path_provisioner_enabled: true
 # NTP mangement
 ntp_enabled: true