kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update local path provisioner version and remove psp (#10054) 

* update local_path_provisioner_version

* remove psp and update cm
pull/10121/head
Samuel Liu 2023-06-20 02:44:21 +08:00 committed by GitHub
parent dfec133273
commit db696785d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 40 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -192,7 +192,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0 - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
- [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0 - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
- [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2 - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
- [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.23 - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
- [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0 - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
## Container Runtime Notes ## Container Runtime Notes

2
inventory/sample/group_vars/k8s_cluster/addons.yml
View File

@ -29,7 +29,7 @@ local_path_provisioner_enabled: false
# local_path_provisioner_claim_root: /opt/local-path-provisioner/ # local_path_provisioner_claim_root: /opt/local-path-provisioner/
# local_path_provisioner_debug: false # local_path_provisioner_debug: false
# local_path_provisioner_image_repo: "rancher/local-path-provisioner" # local_path_provisioner_image_repo: "rancher/local-path-provisioner"
# local_path_provisioner_image_tag: "v0.0.23" # local_path_provisioner_image_tag: "v0.0.24"
# local_path_provisioner_helper_image_repo: "busybox" # local_path_provisioner_helper_image_repo: "busybox"
# local_path_provisioner_helper_image_tag: "latest" # local_path_provisioner_helper_image_tag: "latest"

2
roles/download/defaults/main.yml
View File

@ -1097,7 +1097,7 @@ cephfs_provisioner_image_tag: "{{ cephfs_provisioner_version }}"
rbd_provisioner_version: "v2.1.1-k8s1.11" rbd_provisioner_version: "v2.1.1-k8s1.11"
rbd_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/rbd-provisioner" rbd_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/rbd-provisioner"
rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}" rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
local_path_provisioner_version: "v0.0.23" local_path_provisioner_version: "v0.0.24"
local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner" local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}" local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
ingress_nginx_version: "v1.8.0" ingress_nginx_version: "v1.8.0"

11
roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
View File

@ -25,17 +25,6 @@
- { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm } - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
- { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment } - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
- { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc } - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
local_path_provisioner_templates_for_psp_not_system_ns:
- { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
- { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
- { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
set_fact:
local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
when:
- podsecuritypolicy_enabled
- local_path_provisioner_namespace != "kube-system"
- name: Local Path Provisioner | Create manifests - name: Local Path Provisioner | Create manifests
template: template:

72
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
View File

@ -6,54 +6,30 @@ metadata:
namespace: {{ local_path_provisioner_namespace }} namespace: {{ local_path_provisioner_namespace }}
data: data:
config.json: |- config.json: |-
{ {
"nodePathMap":[ "nodePathMap":[
{ {
"node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
"paths":["{{ local_path_provisioner_claim_root }}"] "paths":["{{ local_path_provisioner_claim_root }}"]
} }
] ]
} }
setup: |- setup: |-
#!/bin/sh #!/bin/sh
while getopts "m:s:p:" opt set -eu
do mkdir -m 0777 -p "$VOL_DIR"
case $opt in
p)
absolutePath=$OPTARG
;;
s)
sizeInBytes=$OPTARG
;;
m)
volMode=$OPTARG
;;
esac
done
mkdir -m 0777 -p ${absolutePath}
teardown: |- teardown: |-
#!/bin/sh #!/bin/sh
while getopts "m:s:p:" opt set -eu
do rm -rf "$VOL_DIR"
case $opt in
p)
absolutePath=$OPTARG
;;
s)
sizeInBytes=$OPTARG
;;
m)
volMode=$OPTARG
;;
esac
done
rm -rf ${absolutePath}
helperPod.yaml: |- helperPod.yaml: |-
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: helper-pod name: helper-pod
spec: spec:
containers: containers:
- name: helper-pod - name: helper-pod
image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %} image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
imagePullPolicy: IfNotPresent

24
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
View File

@ -4,15 +4,15 @@ kind: ClusterRole
metadata: metadata:
name: local-path-provisioner-role name: local-path-provisioner-role
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["nodes", "persistentvolumeclaims", "configmaps"] resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["endpoints", "persistentvolumes", "pods"] resources: [ "endpoints", "persistentvolumes", "pods" ]
verbs: ["*"] verbs: [ "*" ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: ["events"] resources: [ "events" ]
verbs: ["create", "patch"] verbs: [ "create", "patch" ]
- apiGroups: ["storage.k8s.io"] - apiGroups: [ "storage.k8s.io" ]
resources: ["storageclasses"] resources: [ "storageclasses" ]
verbs: ["get", "list", "watch"] verbs: [ "get", "list", "watch" ]

15
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
View File

@ -1,15 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
rules:
- apiGroups:
- policy
resourceNames:
- local-path-provisioner
resources:
- podsecuritypolicies
verbs:
- use

14
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
View File

@ -1,14 +0,0 @@
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}
roleRef:
kind: ClusterRole
name: psp:local-path-provisioner
apiGroup: rbac.authorization.k8s.io

43
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
View File

@ -1,43 +0,0 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: local-path-provisioner
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: true
allowPrivilegeEscalation: true
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: "{{ local_path_provisioner_claim_root }}"
readOnly: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false

1
tests/files/packet_almalinux8-calico.yml
View File

@ -9,6 +9,7 @@ metrics_server_enabled: true
dashboard_namespace: "kube-dashboard" dashboard_namespace: "kube-dashboard"
dashboard_enabled: true dashboard_enabled: true
loadbalancer_apiserver_type: haproxy loadbalancer_apiserver_type: haproxy
local_path_provisioner_enabled: true
# NTP mangement # NTP mangement
ntp_enabled: true ntp_enabled: true