diff --git a/aws/efs/README.md b/aws/efs/README.md index 9a48ca6b20a..a2ea678e7da 100644 --- a/aws/efs/README.md +++ b/aws/efs/README.md @@ -137,20 +137,16 @@ If you are not using RBAC or OpenShift you can continue to the usage section. ### Authorization -If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm policy` command accordingly. +If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" edit `deploy/rbac.yaml`. #### RBAC ```console +# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed +$ NAMESPACE=`kc config get-contexts | grep '^*' | tr -s ' ' | cut -d' ' -f5` +$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml $ kubectl create -f deploy/rbac.yaml ``` -#### OpenShift -```console -$ oc create -f deploy/openshift-clusterrole.yaml -clusterrole "efs-provisioner-runner" created -$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:efs-provisioner -$ oadm policy add-cluster-role-to-user efs-provisioner-runner system:serviceaccount:default:efs-provisioner -``` ### SELinux If SELinux is enforcing on the node where the provisioner runs, you must enable writing from a pod to a remote NFS server (EFS in this case) on the node by running: ```console diff --git a/aws/efs/deploy/openshift-clusterrole.yaml b/aws/efs/deploy/openshift-clusterrole.yaml deleted file mode 100644 index fb01593b7f8..00000000000 --- a/aws/efs/deploy/openshift-clusterrole.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: ClusterRole -apiVersion: v1 -metadata: - name: efs-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/aws/efs/deploy/rbac.yaml b/aws/efs/deploy/rbac.yaml index 98d497bd660..846cecb0f46 100644 --- a/aws/efs/deploy/rbac.yaml +++ b/aws/efs/deploy/rbac.yaml @@ -15,9 +15,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -26,8 +23,32 @@ metadata: subjects: - kind: ServiceAccount name: efs-provisioner + # replace with namespace where provisioner is deployed namespace: default roleRef: kind: ClusterRole name: efs-provisioner-runner - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-efs-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-efs-provisioner +subjects: + - kind: ServiceAccount + name: efs-provisioner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-efs-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/ceph/cephfs/deploy/rbac/clusterrole.yaml b/ceph/cephfs/deploy/rbac/clusterrole.yaml index 06f3de04d66..0407a3d9508 100644 --- a/ceph/cephfs/deploy/rbac/clusterrole.yaml +++ b/ceph/cephfs/deploy/rbac/clusterrole.yaml @@ -16,6 +16,3 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/ceph/cephfs/deploy/rbac/role.yaml b/ceph/cephfs/deploy/rbac/role.yaml index 4f0c1b5b3c8..7262144afc1 100644 --- a/ceph/cephfs/deploy/rbac/role.yaml +++ b/ceph/cephfs/deploy/rbac/role.yaml @@ -7,3 +7,6 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["create", "get", "delete"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/ceph/rbd/deploy/rbac/clusterrole.yaml b/ceph/rbd/deploy/rbac/clusterrole.yaml index f9e86817aa7..aa3884ff0be 100644 --- a/ceph/rbd/deploy/rbac/clusterrole.yaml +++ b/ceph/rbd/deploy/rbac/clusterrole.yaml @@ -15,9 +15,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["services"] resourceNames: ["kube-dns"] diff --git a/ceph/rbd/deploy/rbac/role.yaml b/ceph/rbd/deploy/rbac/role.yaml index 82ba0702bc6..783fe2a28fe 100644 --- a/ceph/rbd/deploy/rbac/role.yaml +++ b/ceph/rbd/deploy/rbac/role.yaml @@ -6,3 +6,6 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get"] +- apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] \ No newline at end of file diff --git a/digitalocean/manifests/rbac/clusterrole.yaml b/digitalocean/manifests/rbac/clusterrole.yaml index 92ac05fc59b..cfa55d58a2b 100644 --- a/digitalocean/manifests/rbac/clusterrole.yaml +++ b/digitalocean/manifests/rbac/clusterrole.yaml @@ -16,6 +16,3 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/digitalocean/manifests/rbac/role.yaml b/digitalocean/manifests/rbac/role.yaml index e83d3c051ff..685e23f6c79 100644 --- a/digitalocean/manifests/rbac/role.yaml +++ b/digitalocean/manifests/rbac/role.yaml @@ -7,3 +7,6 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] \ No newline at end of file diff --git a/flex/deploy/manifests/rbac.yaml b/flex/deploy/manifests/rbac.yaml index 60436703ef8..c728bf720fa 100644 --- a/flex/deploy/manifests/rbac.yaml +++ b/flex/deploy/manifests/rbac.yaml @@ -15,9 +15,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] --- @@ -41,3 +38,29 @@ apiVersion: v1 metadata: name: flex-provisioner +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-flex-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + +--- + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-flex-provisioner +subjects: + - kind: ServiceAccount + name: flex-provisioner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-flex-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/gluster/block/deploy/clusterrole.yaml b/gluster/block/deploy/clusterrole.yaml deleted file mode 100644 index 4d22fa77f12..00000000000 --- a/gluster/block/deploy/clusterrole.yaml +++ /dev/null @@ -1,26 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: glusterblock-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["services"] - verbs: ["get"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "create", "delete"] diff --git a/gluster/block/deploy/clusterrolebinding.yaml b/gluster/block/deploy/clusterrolebinding.yaml deleted file mode 100644 index b55950f3407..00000000000 --- a/gluster/block/deploy/clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: run-glusterblock-provisioner -subjects: - - kind: ServiceAccount - name: glusterblock-provisioner - namespace: default -roleRef: - kind: ClusterRole - name: glusterblock-provisioner-runner - apiGroup: rbac.authorization.k8s.io diff --git a/gluster/block/deploy/openshift/openshift-clusterrole.yaml b/gluster/block/deploy/openshift/openshift-clusterrole.yaml deleted file mode 100644 index ffe57717790..00000000000 --- a/gluster/block/deploy/openshift/openshift-clusterrole.yaml +++ /dev/null @@ -1,26 +0,0 @@ -kind: ClusterRole -apiVersion: v1 -metadata: - name: glusterblock-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["services"] - verbs: ["get"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "create", "delete"] diff --git a/gluster/block/deploy/rbac.yaml b/gluster/block/deploy/rbac.yaml new file mode 100644 index 00000000000..d1e70d2aed1 --- /dev/null +++ b/gluster/block/deploy/rbac.yaml @@ -0,0 +1,59 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: glusterblock-provisioner-runner +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "delete"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: run-glusterblock-provisioner +subjects: + - kind: ServiceAccount + name: glusterblock-provisioner + namespace: default +roleRef: + kind: ClusterRole + name: glusterblock-provisioner-runner + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-glusterblock-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-glusterblock-provisioner +subjects: + - kind: ServiceAccount + name: glusterblock-provisioner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-glusterblock-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/gluster/file/deploy/openshift/openshift-clusterrole.yaml b/gluster/file/deploy/openshift/openshift-clusterrole.yaml deleted file mode 100644 index 12b01d69b66..00000000000 --- a/gluster/file/deploy/openshift/openshift-clusterrole.yaml +++ /dev/null @@ -1,26 +0,0 @@ -kind: ClusterRole -apiVersion: v1 -metadata: - name: glusterfile-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["services"] - verbs: ["get", "create", "delete"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] diff --git a/gluster/file/deploy/rbac.yaml b/gluster/file/deploy/rbac.yaml new file mode 100644 index 00000000000..fa5c520bead --- /dev/null +++ b/gluster/file/deploy/rbac.yaml @@ -0,0 +1,62 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: glusterfile-provisioner-runner +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "delete"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "create", "delete"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: run-glusterfile-provisioner +subjects: + - kind: ServiceAccount + name: glusterfile-provisioner + namespace: default +roleRef: + kind: ClusterRole + name: glusterfile-provisioner-runner + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-glusterfile-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-glusterfile-provisioner +subjects: + - kind: ServiceAccount + name: glusterfile-provisioner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-glusterfile-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/iscsi/targetd/ansible/roles/deploy-provisioner/templates/iscsi-auth.yaml b/iscsi/targetd/ansible/roles/deploy-provisioner/templates/iscsi-auth.yaml index 669f61043ca..de53bb2ff9c 100644 --- a/iscsi/targetd/ansible/roles/deploy-provisioner/templates/iscsi-auth.yaml +++ b/iscsi/targetd/ansible/roles/deploy-provisioner/templates/iscsi-auth.yaml @@ -15,9 +15,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: v1 diff --git a/iscsi/targetd/kubernetes/iscsi-provisioner-d.yaml b/iscsi/targetd/kubernetes/iscsi-provisioner-d.yaml index babcafc0d8d..36f7264b0d9 100644 --- a/iscsi/targetd/kubernetes/iscsi-provisioner-d.yaml +++ b/iscsi/targetd/kubernetes/iscsi-provisioner-d.yaml @@ -15,9 +15,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/lib/controller/controller.go b/lib/controller/controller.go index 2276e67589e..7c8e528d0b7 100644 --- a/lib/controller/controller.go +++ b/lib/controller/controller.go @@ -18,6 +18,7 @@ package controller import ( "fmt" + "io/ioutil" "net" "net/http" "os" @@ -139,6 +140,10 @@ type ProvisionController struct { // The path of metrics endpoint path. metricsPath string + // Whether to do kubernetes leader election at all. It should basically + // always be done when possible to avoid duplicate Provision attempts. + leaderElection bool + leaderElectionNamespace string // Parameters of leaderelection.LeaderElectionConfig. leaseDuration, renewDeadline, retryPeriod time.Duration @@ -161,6 +166,8 @@ const ( DefaultFailedProvisionThreshold = 15 // DefaultFailedDeleteThreshold is used when option function FailedDeleteThreshold is omitted DefaultFailedDeleteThreshold = 15 + // DefaultLeaderElection is used when option function LeaderElection is omitted + DefaultLeaderElection = true // DefaultLeaseDuration is used when option function LeaseDuration is omitted DefaultLeaseDuration = 15 * time.Second // DefaultRenewDeadline is used when option function RenewDeadline is omitted @@ -263,6 +270,31 @@ func FailedDeleteThreshold(failedDeleteThreshold int) func(*ProvisionController) } } +// LeaderElection determines whether to enable leader election or not. Defaults +// to true. +func LeaderElection(leaderElection bool) func(*ProvisionController) error { + return func(c *ProvisionController) error { + if c.HasRun() { + return errRuntime + } + c.leaderElection = leaderElection + return nil + } +} + +// LeaderElectionNamespace is the kubernetes namespace in which to create the +// leader election object. Defaults to the same namespace in which the +// the controller runs. +func LeaderElectionNamespace(leaderElectionNamespace string) func(*ProvisionController) error { + return func(c *ProvisionController) error { + if c.HasRun() { + return errRuntime + } + c.leaderElectionNamespace = leaderElectionNamespace + return nil + } +} + // LeaseDuration is the duration that non-leader candidates will // wait to force acquire leadership. This is measured against time of // last observed ack. Defaults to 15 seconds. @@ -416,6 +448,8 @@ func NewProvisionController( createProvisionedPVInterval: DefaultCreateProvisionedPVInterval, failedProvisionThreshold: DefaultFailedProvisionThreshold, failedDeleteThreshold: DefaultFailedDeleteThreshold, + leaderElection: DefaultLeaderElection, + leaderElectionNamespace: getInClusterNamespace(), leaseDuration: DefaultLeaseDuration, renewDeadline: DefaultRenewDeadline, retryPeriod: DefaultRetryPeriod, @@ -648,31 +682,36 @@ func (ctrl *ProvisionController) Run(stopCh <-chan struct{}) { <-stopCh } - rl, err := resourcelock.New("endpoints", - "kube-system", - strings.Replace(ctrl.provisionerName, "/", "-", -1), - ctrl.client.CoreV1(), - resourcelock.ResourceLockConfig{ - Identity: ctrl.id, - EventRecorder: ctrl.eventRecorder, - }) - if err != nil { - glog.Fatalf("Error creating lock: %v", err) - } - - leaderelection.RunOrDie(leaderelection.LeaderElectionConfig{ - Lock: rl, - LeaseDuration: ctrl.leaseDuration, - RenewDeadline: ctrl.renewDeadline, - RetryPeriod: ctrl.retryPeriod, - Callbacks: leaderelection.LeaderCallbacks{ - OnStartedLeading: run, - OnStoppedLeading: func() { - glog.Fatalf("leaderelection lost") + if ctrl.leaderElection { + // TODO: passed in stopCh is ignored. + rl, err := resourcelock.New("endpoints", + ctrl.leaderElectionNamespace, + strings.Replace(ctrl.provisionerName, "/", "-", -1), + ctrl.client.CoreV1(), + resourcelock.ResourceLockConfig{ + Identity: ctrl.id, + EventRecorder: ctrl.eventRecorder, + }) + if err != nil { + glog.Fatalf("Error creating lock: %v", err) + } + + leaderelection.RunOrDie(leaderelection.LeaderElectionConfig{ + Lock: rl, + LeaseDuration: ctrl.leaseDuration, + RenewDeadline: ctrl.renewDeadline, + RetryPeriod: ctrl.retryPeriod, + Callbacks: leaderelection.LeaderCallbacks{ + OnStartedLeading: run, + OnStoppedLeading: func() { + glog.Fatalf("leaderelection lost") + }, }, - }, - }) - panic("unreachable") + }) + panic("unreachable") + } else { + run(stopCh) + } } func (ctrl *ProvisionController) runClaimWorker() { @@ -1164,6 +1203,22 @@ func logOperation(operation, format string, a ...interface{}) string { return fmt.Sprintf(fmt.Sprintf("%s: %s", operation, format), a...) } +// getInClusterNamespace returns the namespace in which the controller runs. +func getInClusterNamespace() string { + if ns := os.Getenv("POD_NAMESPACE"); ns != "" { + return ns + } + + // Fall back to the namespace associated with the service account token, if available + if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil { + if ns := strings.TrimSpace(string(data)); len(ns) > 0 { + return ns + } + } + + return "default" +} + // getProvisionedVolumeNameForClaim returns PV.Name for the provisioned volume. // The name must be unique. func (ctrl *ProvisionController) getProvisionedVolumeNameForClaim(claim *v1.PersistentVolumeClaim) string { diff --git a/nfs-client/README.md b/nfs-client/README.md index 03e55c23fc8..4967ba49e4a 100644 --- a/nfs-client/README.md +++ b/nfs-client/README.md @@ -14,15 +14,15 @@ To note again, you must *already* have an NFS Server. Get all of the files in the [deploy](https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client/deploy) directory of this repository. These instructions assume that you have cloned the [external-storage](https://github.com/kubernetes-incubator/external-storage) repository and have a bash-shell open in the ``nfs-client`` directory. -**Step 3: Setup authorization**. If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm policy` command accordingly. +**Step 3: Setup authorization**. If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" edit `deploy/rbac.yaml`. Kubernetes: ```sh -$ kubectl create -f deploy/auth/serviceaccount.yaml -f deploy/auth/clusterrole.yaml -f deploy/auth/clusterrolebinding.yaml -serviceaccount "nfs-client-provisioner" created -clusterrole "nfs-client-provisioner-runner" created -clusterrolebinding "run-nfs-client-provisioner" created +# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed +$ NAMESPACE=`oc project -q` +$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml +$ kubectl create -f deploy/rbac.yaml ``` OpenShift: @@ -30,11 +30,11 @@ OpenShift: On some installations of OpenShift the default admin user does not have cluster-admin permissions. If these commands fail refer to the OpenShift documentation for **User and Role Management** or contact your OpenShift provider to help you grant the right permissions to your admin user. ```sh -$ oc create -f deploy/auth/openshift-clusterrole.yaml -f deploy/auth/serviceaccount.yaml -serviceaccount "nfs-client-provisioner" created -clusterrole "nfs-client-provisioner-runner" created -$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:nfs-client-provisioner -$ oadm policy add-cluster-role-to-user nfs-client-provisioner-runner system:serviceaccount:default:nfs-client-provisioner +# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed +$ NAMESPACE=`oc project -q` +$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml +$ oc create -f deploy/rbac.yaml +$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner ``` **Step 4: Configure the NFS-Client provisioner** diff --git a/nfs-client/deploy/auth/clusterrole.yaml b/nfs-client/deploy/auth/clusterrole.yaml deleted file mode 100644 index 0ecb088bd50..00000000000 --- a/nfs-client/deploy/auth/clusterrole.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-client-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] \ No newline at end of file diff --git a/nfs-client/deploy/auth/clusterrolebinding.yaml b/nfs-client/deploy/auth/clusterrolebinding.yaml deleted file mode 100644 index 0e949a27f5a..00000000000 --- a/nfs-client/deploy/auth/clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: run-nfs-client-provisioner -subjects: - - kind: ServiceAccount - name: nfs-client-provisioner - namespace: default -roleRef: - kind: ClusterRole - name: nfs-client-provisioner-runner - apiGroup: rbac.authorization.k8s.io diff --git a/nfs-client/deploy/auth/openshift-clusterrole.yaml b/nfs-client/deploy/auth/openshift-clusterrole.yaml deleted file mode 100644 index 2f50f5b2d38..00000000000 --- a/nfs-client/deploy/auth/openshift-clusterrole.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: ClusterRole -apiVersion: v1 -metadata: - name: nfs-client-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/nfs-client/deploy/auth/serviceaccount.yaml b/nfs-client/deploy/auth/serviceaccount.yaml deleted file mode 100644 index edead9ade16..00000000000 --- a/nfs-client/deploy/auth/serviceaccount.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nfs-client-provisioner diff --git a/nfs-client/deploy/deployment-arm.yaml b/nfs-client/deploy/deployment-arm.yaml index 9f09acca619..785302bd3f5 100644 --- a/nfs-client/deploy/deployment-arm.yaml +++ b/nfs-client/deploy/deployment-arm.yaml @@ -1,3 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nfs-client-provisioner +--- kind: Deployment apiVersion: extensions/v1beta1 metadata: diff --git a/nfs-client/deploy/deployment.yaml b/nfs-client/deploy/deployment.yaml index 1b79367651e..271ca0601ed 100644 --- a/nfs-client/deploy/deployment.yaml +++ b/nfs-client/deploy/deployment.yaml @@ -1,3 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nfs-client-provisioner +--- kind: Deployment apiVersion: extensions/v1beta1 metadata: diff --git a/nfs-client/deploy/rbac.yaml b/nfs-client/deploy/rbac.yaml new file mode 100644 index 00000000000..79bc7290a5c --- /dev/null +++ b/nfs-client/deploy/rbac.yaml @@ -0,0 +1,54 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: nfs-client-provisioner-runner +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: run-nfs-client-provisioner +subjects: + - kind: ServiceAccount + name: nfs-client-provisioner + namespace: default +roleRef: + kind: ClusterRole + name: nfs-client-provisioner-runner + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-nfs-client-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-nfs-client-provisioner +subjects: + - kind: ServiceAccount + name: nfs-client-provisioner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-nfs-client-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/nfs/deploy/kubernetes/rbac.yaml b/nfs/deploy/kubernetes/rbac.yaml index 4f6f275d81e..dab7b82e5bb 100644 --- a/nfs/deploy/kubernetes/rbac.yaml +++ b/nfs/deploy/kubernetes/rbac.yaml @@ -16,10 +16,7 @@ rules: resources: ["events"] verbs: ["create", "update", "patch"] - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["services"] + resources: ["services", "endpoints"] verbs: ["get"] - apiGroups: ["extensions"] resources: ["podsecuritypolicies"] @@ -33,9 +30,32 @@ metadata: subjects: - kind: ServiceAccount name: nfs-provisioner - namespace: default -# update namespace above to your namespace in order to make this work + # replace with namespace where provisioner is deployed + namespace: aosiefjase roleRef: kind: ClusterRole name: nfs-provisioner-runner apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-nfs-provisioner +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-nfs-provisioner +subjects: + - kind: ServiceAccount + name: nfs-provisioner + # replace with namespace where provisioner is deployed + namespace: aosiefjase +roleRef: + kind: Role + name: leader-locking-nfs-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/nfs/docs/deployment.md b/nfs/docs/deployment.md index a31a4432e41..657216c1675 100644 --- a/nfs/docs/deployment.md +++ b/nfs/docs/deployment.md @@ -54,11 +54,12 @@ Note that if you continue with the `hostPath` volume, its path must exist on the Create the deployment and its service. ``` -$ kubectl create -f deploy/kubernetes/psp.yaml # or if openshift: oc create -f deploy/kubernetes/scc.yaml +$ kubectl create -f deploy/kubernetes/psp.yaml # or if openshift: oc create -f deploy/kubernetes/scc.yaml\ +# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed +$ NAMESPACE=`kc config get-contexts | grep '^*' | tr -s ' ' | cut -d' ' -f5` +$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/kubernetes/rbac.yaml $ kubectl create -f deploy/kubernetes/rbac.yaml $ kubectl create -f deploy/kubernetes/deployment.yaml -service "nfs-provisioner" created -deployment "nfs-provisioner" created ``` ### In Kubernetes - StatefulSet of 1 replica diff --git a/nfs/test/e2e/nfs.go b/nfs/test/e2e/nfs.go index 953be3838da..4d5980f389a 100644 --- a/nfs/test/e2e/nfs.go +++ b/nfs/test/e2e/nfs.go @@ -18,13 +18,14 @@ package storage import ( "fmt" + "io/ioutil" + "os/exec" "path/filepath" "time" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "io/ioutil" "k8s.io/api/core/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" @@ -77,18 +78,18 @@ var _ = Describe("external-storage", func() { nsFlag := fmt.Sprintf("--namespace=%v", ns) By("creating nfs-provisioner RBAC") - framework.RunKubectlOrDie("create", "-f", mkpath("rbac.yaml")) - - crb, err := c.RbacV1().ClusterRoleBindings().Get(nfsRBACCRBName, metav1.GetOptions{}) - Expect(err).NotTo(HaveOccurred()) - crb.Subjects[0].Namespace = ns - crb, err = c.RbacV1().ClusterRoleBindings().Update(crb) - Expect(err).NotTo(HaveOccurred()) + cmd := exec.Command("bash", "-c", fmt.Sprintf("sed -i'' 's/namespace:.*/namespace: %s/g' %s", ns, mkpath("rbac.yaml"))) + framework.ExpectNoError(cmd.Run()) + framework.RunKubectlOrDie("create", "-f", mkpath("rbac.yaml"), nsFlag) By("creating an nfs-provisioner statefulset") - framework.RunKubectlOrDie("create", "-f", mkpath("statefulset.yaml"), nsFlag) tmpDir, err := ioutil.TempDir("", "nfs-provisioner-statefulset") Expect(err).NotTo(HaveOccurred()) + cmd = exec.Command("bash", "-c", fmt.Sprintf("sed -i'' 's|path:.*|path: %s|g' %s", tmpDir, mkpath("statefulset.yaml"))) + framework.ExpectNoError(cmd.Run()) + cmd = exec.Command("bash", "-c", fmt.Sprintf("sed -i'' '/-provisioner=/a \\ - \"-grace-period=10\"' %s", mkpath("statefulset.yaml"))) + framework.ExpectNoError(cmd.Run()) + framework.RunKubectlOrDie("create", "-f", mkpath("statefulset.yaml"), nsFlag) ss, err := c.AppsV1().StatefulSets(ns).Get(nfsStatefulSetName, metav1.GetOptions{}) Expect(err).NotTo(HaveOccurred()) @@ -96,15 +97,6 @@ var _ = Describe("external-storage", func() { sst := framework.NewStatefulSetTester(c) sst.WaitForRunningAndReady(*ss.Spec.Replicas, ss) - ss, err = c.AppsV1().StatefulSets(ns).Get(nfsStatefulSetName, metav1.GetOptions{}) - Expect(err).NotTo(HaveOccurred()) - ss.Spec.Template.Spec.Volumes[0].HostPath.Path = tmpDir - ss.Spec.Template.Spec.Containers[0].Args = []string{"-grace-period=10"} - ss, err = c.AppsV1().StatefulSets(ns).Update(ss) - Expect(err).NotTo(HaveOccurred()) - - sst.WaitForRunningAndReady(*ss.Spec.Replicas, ss) - By("creating a class") framework.RunKubectlOrDie("create", "-f", mkpath("class.yaml")) @@ -143,6 +135,7 @@ var _ = Describe("external-storage", func() { By("creating a pod to write to the volume") framework.RunKubectlOrDie("create", "-f", mkpath("write-pod.yaml"), nsFlag) framework.ExpectNoError(framework.WaitForPodSuccessInNamespace(c, nfsWritePodName, ns)) + framework.DeletePodOrFail(c, ns, nfsWritePodName) By("creating a pod to read from the volume") framework.RunKubectlOrDie("create", "-f", mkpath("read-pod.yaml"), nsFlag) @@ -155,6 +148,7 @@ var _ = Describe("external-storage", func() { By("creating a pod to read from the volume again") framework.RunKubectlOrDie("create", "-f", mkpath("read-pod.yaml"), nsFlag) framework.ExpectNoError(framework.WaitForPodSuccessInNamespace(c, nfsReadPodName, ns)) + framework.DeletePodOrFail(c, ns, nfsReadPodName) By("deleting the claim") err = c.CoreV1().PersistentVolumeClaims(ns).Delete(nfsClaimName, nil) diff --git a/nfs/test/e2e/test.sh b/nfs/test/e2e/test.sh index a4c1809c99d..a6e339b7c00 100755 --- a/nfs/test/e2e/test.sh +++ b/nfs/test/e2e/test.sh @@ -24,10 +24,10 @@ GOPATH=$TEST_DIR # Download kubernetes source if [ ! -e "$GOPATH/src/k8s.io/kubernetes" ]; then - mkdir -p $GOPATH/src/k8s.io - curl -L https://github.com/kubernetes/kubernetes/archive/v${KUBE_VERSION}.tar.gz | tar xz -C $TEST_DIR/src/k8s.io/ - rm -rf $GOPATH/src/k8s.io/kubernetes - mv $GOPATH/src/k8s.io/kubernetes-$KUBE_VERSION $GOPATH/src/k8s.io/kubernetes + mkdir -p $GOPATH/src/k8s.io + curl -L https://github.com/kubernetes/kubernetes/archive/v${KUBE_VERSION}.tar.gz | tar xz -C $TEST_DIR/src/k8s.io/ + rm -rf $GOPATH/src/k8s.io/kubernetes + mv $GOPATH/src/k8s.io/kubernetes-$KUBE_VERSION $GOPATH/src/k8s.io/kubernetes fi cd $GOPATH/src/k8s.io/kubernetes @@ -46,7 +46,6 @@ cp -r $TEST_DIR/testing-manifests/* ./test/e2e/testing-manifests # Build ginkgo and e2e.test hack/update-bazel.sh -make clean make ginkgo if ! type bazel; then wget https://github.com/bazelbuild/bazel/releases/download/0.16.0/bazel-0.16.0-installer-linux-x86_64.sh @@ -58,8 +57,10 @@ rm -f ./_output/bin/e2e.test cp ./bazel-bin/test/e2e/e2e.test ./_output/bin # Download kubectl to _output directory -curl -o ./_output/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -chmod +x ./_output/bin/kubectl +if [ ! -e "./_output/bin/kubectl" ]; then + curl -o ./_output/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl + chmod +x ./_output/bin/kubectl +fi # Run tests assuming local cluster i.e. one started with hack/local-up-cluster.sh go run hack/e2e.go -- --provider=local --check-version-skew=false --test --test_args="--ginkgo.focus=external-storage" diff --git a/snapshot/deploy/kubernetes/aws/snapshot-rbac.yaml b/snapshot/deploy/kubernetes/aws/snapshot-rbac.yaml index 245c61dbd94..66efca41b36 100644 --- a/snapshot/deploy/kubernetes/aws/snapshot-rbac.yaml +++ b/snapshot/deploy/kubernetes/aws/snapshot-rbac.yaml @@ -20,9 +20,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"] @@ -45,4 +42,26 @@ subjects: - kind: ServiceAccount name: snapshot-controller-runner namespace: default - +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-snapshot-controller +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-snapshot-controller +subjects: + - kind: ServiceAccount + name: snapshot-controller-runner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-snapshot-controller + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/snapshot/deploy/kubernetes/hostpath/snapshot-rbac.yaml b/snapshot/deploy/kubernetes/hostpath/snapshot-rbac.yaml index 245c61dbd94..66efca41b36 100644 --- a/snapshot/deploy/kubernetes/hostpath/snapshot-rbac.yaml +++ b/snapshot/deploy/kubernetes/hostpath/snapshot-rbac.yaml @@ -20,9 +20,6 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"] @@ -45,4 +42,26 @@ subjects: - kind: ServiceAccount name: snapshot-controller-runner namespace: default - +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-snapshot-controller +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-snapshot-controller +subjects: + - kind: ServiceAccount + name: snapshot-controller-runner + # replace with namespace where provisioner is deployed + namespace: default +roleRef: + kind: Role + name: leader-locking-snapshot-controller + apiGroup: rbac.authorization.k8s.io \ No newline at end of file