-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add mock CSI driver deploy example #277
Add mock CSI driver deploy example #277
Conversation
@Jiawei0227: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Welcome @Jiawei0227! |
Hi @Jiawei0227. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I signed it |
example/README.md
Outdated
installed in the default namespace. Correspondingly, you can find a pod with prefix `csi-mockplugin`. In the meantime, | ||
a `StorageClass` called `test-csi-mock` will be generated along with a `VolumeSnapshotClass` called `csi-mock-snapclass`. | ||
|
||
Note that if you are using version prior to 1.17, [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter#usage) will require to be manual installed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
prior to 1.17, there was no snapshot controller. I think maybe a more accurate note is to say that the k8s distribution is supposed to install the snapshot-controller, but if it doesn't, then you'll have to manually install it separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
serviceAccount: csi-mock | ||
containers: | ||
- name: csi-provisioner | ||
image: gcr.io/k8s-staging-csi/csi-provisioner:canary |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're switching to k8s.gcr.io as our image repo. Can you use the images available there? Here's this list of image tags currently available:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
image: gcr.io/k8s-staging-csi/csi-provisioner:canary | ||
args: | ||
- "--csi-address=$(ADDRESS)" | ||
- "--leader-election" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can probably disable leader election for all the sidecars since the mock driver is not resilient to restarts anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
type: Directory | ||
|
||
--- | ||
apiVersion: storage.k8s.io/v1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
v1 was made available in 1.18. So we should document that this example requires 1.18+
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/pvc-test.yaml
Outdated
name: example-pvc | ||
spec: | ||
accessModes: | ||
- ReadWriteMany |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mock driver is closer to readwriteonce. I'm not even sure it can handle data persisting across a pod restart, but it definitely doesn't support sharing data across multiple nodes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/README.md
Outdated
@@ -0,0 +1,28 @@ | |||
# CSI Mock Driver Example |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This may be better under the mock/ directory. We can point to it from the top level readme.
In the mock/readme.md, it would be also good to describe the high level limitations of the mock driver, such as:
- requires all the components to run on the same node
- only supports single node
- does not persist data across restarts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/README.md
Outdated
# CSI Mock Driver Example | ||
|
||
This folder contains an example manifest of deploying CSIDriver including `csi-driver-node-registrar`, `csi-provisioner`, | ||
`csi-resizer` and `csi-snapshotter` onto a cluster. For testing purpose, `csi-attcher` is not included. Thus, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
csi-attacher
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/pvc-test.yaml
Outdated
spec: | ||
accessModes: | ||
- ReadWriteMany | ||
storageClassName: test-csi-mock |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing a storageclass yaml?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The storageclass is included in deploy/csi-mock-driver-deployment.yaml
ce129d3
to
ce4c3ce
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@msau42 Thanks for the quick review! Have addressed the comments.
example/pvc-test.yaml
Outdated
spec: | ||
accessModes: | ||
- ReadWriteMany | ||
storageClassName: test-csi-mock |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The storageclass is included in deploy/csi-mock-driver-deployment.yaml
example/pvc-test.yaml
Outdated
name: example-pvc | ||
spec: | ||
accessModes: | ||
- ReadWriteMany |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
type: Directory | ||
|
||
--- | ||
apiVersion: storage.k8s.io/v1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
image: gcr.io/k8s-staging-csi/csi-provisioner:canary | ||
args: | ||
- "--csi-address=$(ADDRESS)" | ||
- "--leader-election" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/README.md
Outdated
@@ -0,0 +1,28 @@ | |||
# CSI Mock Driver Example |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/README.md
Outdated
# CSI Mock Driver Example | ||
|
||
This folder contains an example manifest of deploying CSIDriver including `csi-driver-node-registrar`, `csi-provisioner`, | ||
`csi-resizer` and `csi-snapshotter` onto a cluster. For testing purpose, `csi-attcher` is not included. Thus, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
example/README.md
Outdated
installed in the default namespace. Correspondingly, you can find a pod with prefix `csi-mockplugin`. In the meantime, | ||
a `StorageClass` called `test-csi-mock` will be generated along with a `VolumeSnapshotClass` called `csi-mock-snapclass`. | ||
|
||
Note that if you are using version prior to 1.17, [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter#usage) will require to be manual installed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
serviceAccount: csi-mock | ||
containers: | ||
- name: csi-provisioner | ||
image: gcr.io/k8s-staging-csi/csi-provisioner:canary |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
mock/README.md
Outdated
Limitation about this mock CSI Driver are: | ||
- It only supports single node. | ||
- It requires all the components to run on the same node, i.e. the pod that uses pv created by this CSI driver should be on the same node with the driver. | ||
csi driver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks like an extra line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
serviceAccount: csi-mock | ||
containers: | ||
- name: csi-provisioner | ||
image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v1.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The repo should be "k8s.gcr.io/sig-storage/csi-provisioner..." instead. k8s.gcr.io maps to gcr.io/k8s-artifacts-prod. The staging repo is for pre-release testing only and images are temporarily and get deleted after 30 days or so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
args: | ||
- "--csi-address=$(ADDRESS)" | ||
env: | ||
- name: ADDRESS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think since this env is hardcoded, we don't need to actually define an env variable for it, and can just use it directly in the argument.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto throughout
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apiVersion: v1 | ||
fieldPath: spec.nodeName | ||
securityContext: | ||
privileged: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Normally most of these containers do not have to be privileged. Usually only the driver container has to be privileged in order to do the mount operation.
However, selinux systems require privileged in order to access the csi socket as a hostpath. Maybe add the same comment here, and make all the containers privileged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
args: | ||
- "--v=5" | ||
- "--csi-address=$(ADDRESS)" | ||
- "--leader-election=false" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we don't actually need to explicitly set this since the default is false
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
# deploy this pod only on where csi-mock-driver exists | ||
# This is because csi-mock-driver keeps all states in memory and the process that | ||
# provisioned the PV needs to be the same process that's mounting it | ||
affinity: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as a future improvement, if we add topology support to the mock driver, then we don't need this in the pod. The pv provisioned will have a nodeaffinity on it, and the pod will always get scheduled to the correct node.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that sounds awesome. I will make a comment on this as TODO then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Thanks for the review! I am kind of new to this, so I am curious what's the difference between runAsUser: 0
v.s. privileged: true
. I looked up online and could not find a clear explanation.
mock/README.md
Outdated
Limitation about this mock CSI Driver are: | ||
- It only supports single node. | ||
- It requires all the components to run on the same node, i.e. the pod that uses pv created by this CSI driver should be on the same node with the driver. | ||
csi driver |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
serviceAccount: csi-mock | ||
containers: | ||
- name: csi-provisioner | ||
image: gcr.io/k8s-staging-sig-storage/csi-provisioner:v1.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
args: | ||
- "--csi-address=$(ADDRESS)" | ||
env: | ||
- name: ADDRESS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apiVersion: v1 | ||
fieldPath: spec.nodeName | ||
securityContext: | ||
privileged: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
args: | ||
- "--v=5" | ||
- "--csi-address=$(ADDRESS)" | ||
- "--leader-election=false" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
# deploy this pod only on where csi-mock-driver exists | ||
# This is because csi-mock-driver keeps all states in memory and the process that | ||
# provisioned the PV needs to be the same process that's mounting it | ||
affinity: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that sounds awesome. I will make a comment on this as TODO then.
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Jiawei0227, msau42 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This commit adds an example folder which contains a deploy instruction of the full CSI mock driver including csi-provisioner, csi-resizer, csi-snapshotter and csi-node-driver-registrar. This helps to playaround with the CSI mock driver to understand the functionality. Tested on GCP. - Update the image registry to k8s.gcr.io/sig-storage/xxx - Set privileged container for all container.
regarding you question on privileged vs running as uid 0, my basic understanding is that privileged enables a lot more than just the uid: all the host devices get mounted in the container, and there's also a number of linux capabilities that get enabled: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged |
9c81518
to
6c3ddee
Compare
Okay, thanks! Commits squashed. |
/lgtm |
Can you also add a release note saying that deployment manifests and examples are added for mock driver |
/ok-to-test |
This commit adds an example folder which contains a deploy instruction
of the full CSI mock driver including csi-provisioner, csi-resizer,
csi-snapshotter and csi-node-driver-registrar.
This helps to playaround with the CSI mock driver to understand the
functionality.
Tested on GCP.
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This is a demo deployment of mock csi driver with all the containers.
Does this PR introduce a user-facing change?: