Add mock CSI driver deploy example #277
Conversation
|
@Jiawei0227: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
release-note-none
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @Jiawei0227! |
|
Hi @Jiawei0227. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
I signed it |
k8s-ci-robot
added
cncf-cla: yes
example/README.md
Outdated
| installed in the default namespace. Correspondingly, you can find a pod with prefix `csi-mockplugin`. In the meantime, | ||
| a `StorageClass` called `test-csi-mock` will be generated along with a `VolumeSnapshotClass` called `csi-mock-snapclass`. | ||
|
|
||
| Note that if you are using version prior to 1.17, [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter#usage) will require to be manual installed. |
There was a problem hiding this comment.
prior to 1.17, there was no snapshot controller. I think maybe a more accurate note is to say that the k8s distribution is supposed to install the snapshot-controller, but if it doesn't, then you'll have to manually install it separately.
| serviceAccount: csi-mock | ||
| containers: | ||
| - name: csi-provisioner | ||
| image: gcr.io/k8s-staging-csi/csi-provisioner:canary |
There was a problem hiding this comment.
We're switching to k8s.gcr.io as our image repo. Can you use the images available there? Here's this list of image tags currently available:
| image: gcr.io/k8s-staging-csi/csi-provisioner:canary | ||
| args: | ||
| - "--csi-address=$(ADDRESS)" | ||
| - "--leader-election" |
There was a problem hiding this comment.
We can probably disable leader election for all the sidecars since the mock driver is not resilient to restarts anyway.
| type: Directory | ||
|
|
||
| --- | ||
| apiVersion: storage.k8s.io/v1 |
There was a problem hiding this comment.
v1 was made available in 1.18. So we should document that this example requires 1.18+
example/pvc-test.yaml
Outdated
| name: example-pvc | ||
| spec: | ||
| accessModes: | ||
| - ReadWriteMany |
There was a problem hiding this comment.
mock driver is closer to readwriteonce. I'm not even sure it can handle data persisting across a pod restart, but it definitely doesn't support sharing data across multiple nodes.
example/README.md
Outdated
| @@ -0,0 +1,28 @@ | |||
| # CSI Mock Driver Example | |||
There was a problem hiding this comment.
This may be better under the mock/ directory. We can point to it from the top level readme.
In the mock/readme.md, it would be also good to describe the high level limitations of the mock driver, such as:
- requires all the components to run on the same node
- only supports single node
- does not persist data across restarts
example/README.md
Outdated
| # CSI Mock Driver Example | ||
|
|
||
| This folder contains an example manifest of deploying CSIDriver including `csi-driver-node-registrar`, `csi-provisioner`, | ||
| `csi-resizer` and `csi-snapshotter` onto a cluster. For testing purpose, `csi-attcher` is not included. Thus, |
example/pvc-test.yaml
Outdated
| spec: | ||
| accessModes: | ||
| - ReadWriteMany | ||
| storageClassName: test-csi-mock |
There was a problem hiding this comment.
missing a storageclass yaml?
There was a problem hiding this comment.
The storageclass is included in deploy/csi-mock-driver-deployment.yaml
Jiawei0227
force-pushed
the
csi-mock-deploy
branch
from
ce129d3
to
ce4c3ce
Compare
There was a problem hiding this comment.
@msau42 Thanks for the quick review! Have addressed the comments.
example/pvc-test.yaml
Outdated
| spec: | ||
| accessModes: | ||
| - ReadWriteMany | ||
| storageClassName: test-csi-mock |
There was a problem hiding this comment.
The storageclass is included in deploy/csi-mock-driver-deployment.yaml
example/pvc-test.yaml
Outdated
| name: example-pvc | ||
| spec: | ||
| accessModes: | ||
| - ReadWriteMany |
| type: Directory | ||
|
|
||
| --- | ||
| apiVersion: storage.k8s.io/v1 |
| image: gcr.io/k8s-staging-csi/csi-provisioner:canary | ||
| args: | ||
| - "--csi-address=$(ADDRESS)" | ||
| - "--leader-election" |
example/README.md
Outdated
| @@ -0,0 +1,28 @@ | |||
| # CSI Mock Driver Example | |||
example/README.md
Outdated
| # CSI Mock Driver Example | ||
|
|
||
| This folder contains an example manifest of deploying CSIDriver including `csi-driver-node-registrar`, `csi-provisioner`, | ||
| `csi-resizer` and `csi-snapshotter` onto a cluster. For testing purpose, `csi-attcher` is not included. Thus, |
example/README.md
Outdated
| installed in the default namespace. Correspondingly, you can find a pod with prefix `csi-mockplugin`. In the meantime, | ||
| a `StorageClass` called `test-csi-mock` will be generated along with a `VolumeSnapshotClass` called `csi-mock-snapclass`. | ||
|
|
||
| Note that if you are using version prior to 1.17, [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter#usage) will require to be manual installed. |
| serviceAccount: csi-mock | ||
| containers: | ||
| - name: csi-provisioner | ||
| image: gcr.io/k8s-staging-csi/csi-provisioner:canary |
mock/README.md
Outdated
| Limitation about this mock CSI Driver are: | ||
| - It only supports single node. | ||
| - It requires all the components to run on the same node, i.e. the pod that uses pv created by this CSI driver should be on the same node with the driver. | ||
| csi driver |
There was a problem hiding this comment.
this looks like an extra line
| serviceAccount: csi-mock | ||
| containers: | ||
| - name: csi-provisioner | ||
| image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v1.6.0 |
There was a problem hiding this comment.
The repo should be "k8s.gcr.io/sig-storage/csi-provisioner..." instead. k8s.gcr.io maps to gcr.io/k8s-artifacts-prod. The staging repo is for pre-release testing only and images are temporarily and get deleted after 30 days or so.
| args: | ||
| - "--csi-address=$(ADDRESS)" | ||
| env: | ||
| - name: ADDRESS |
There was a problem hiding this comment.
I think since this env is hardcoded, we don't need to actually define an env variable for it, and can just use it directly in the argument.
| apiVersion: v1 | ||
| fieldPath: spec.nodeName | ||
| securityContext: | ||
| privileged: true |
There was a problem hiding this comment.
Normally most of these containers do not have to be privileged. Usually only the driver container has to be privileged in order to do the mount operation.
However, selinux systems require privileged in order to access the csi socket as a hostpath. Maybe add the same comment here, and make all the containers privileged.
| args: | ||
| - "--v=5" | ||
| - "--csi-address=$(ADDRESS)" | ||
| - "--leader-election=false" |
There was a problem hiding this comment.
I think we don't actually need to explicitly set this since the default is false
| # deploy this pod only on where csi-mock-driver exists | ||
| # This is because csi-mock-driver keeps all states in memory and the process that | ||
| # provisioned the PV needs to be the same process that's mounting it | ||
| affinity: |
There was a problem hiding this comment.
as a future improvement, if we add topology support to the mock driver, then we don't need this in the pod. The pv provisioned will have a nodeaffinity on it, and the pod will always get scheduled to the correct node.
There was a problem hiding this comment.
Yeah, that sounds awesome. I will make a comment on this as TODO then.
mock/README.md
Outdated
| Limitation about this mock CSI Driver are: | ||
| - It only supports single node. | ||
| - It requires all the components to run on the same node, i.e. the pod that uses pv created by this CSI driver should be on the same node with the driver. | ||
| csi driver |
| serviceAccount: csi-mock | ||
| containers: | ||
| - name: csi-provisioner | ||
| image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v1.6.0 |
| args: | ||
| - "--csi-address=$(ADDRESS)" | ||
| env: | ||
| - name: ADDRESS |
| apiVersion: v1 | ||
| fieldPath: spec.nodeName | ||
| securityContext: | ||
| privileged: true |
| args: | ||
| - "--v=5" | ||
| - "--csi-address=$(ADDRESS)" | ||
| - "--leader-election=false" |
| # deploy this pod only on where csi-mock-driver exists | ||
| # This is because csi-mock-driver keeps all states in memory and the process that | ||
| # provisioned the PV needs to be the same process that's mounting it | ||
| affinity: |
There was a problem hiding this comment.
Yeah, that sounds awesome. I will make a comment on this as TODO then.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Jiawei0227, msau42 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This commit adds an example folder which contains a deploy instruction of the full CSI mock driver including csi-provisioner, csi-resizer, csi-snapshotter and csi-node-driver-registrar. This helps to playaround with the CSI mock driver to understand the functionality. Tested on GCP. - Update the image registry to k8s.gcr.io/sig-storage/xxx - Set privileged container for all container.
|
regarding you question on privileged vs running as uid 0, my basic understanding is that privileged enables a lot more than just the uid: all the host devices get mounted in the container, and there's also a number of linux capabilities that get enabled: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged |
Jiawei0227
force-pushed
the
csi-mock-deploy
branch
from
9c81518
to
6c3ddee
Compare
|
Okay, thanks! Commits squashed. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Can you also add a release note saying that deployment manifests and examples are added for mock driver |
k8s-ci-robot
added
the
release-note
k8s-ci-robot
removed
the
release-note-none
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
This commit adds an example folder which contains a deploy instruction
of the full CSI mock driver including csi-provisioner, csi-resizer,
csi-snapshotter and csi-node-driver-registrar.
This helps to playaround with the CSI mock driver to understand the
functionality.
Tested on GCP.
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This is a demo deployment of mock csi driver with all the containers.
Does this PR introduce a user-facing change?: