diff --git a/Dockerfile b/Dockerfile index 17b8f92b..b75fef2d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,7 @@ FROM alpine:3.15 LABEL maintainers="Weka" LABEL description="Weka CSI Driver" # Add util-linux to get a new version of losetup. -RUN apk add util-linux +RUN apk add util-linux libselinux libselinux-utils util-linux pciutils usbutils coreutils binutils findutils grep bash COPY --from=go-builder /bin/wekafsplugin /wekafsplugin ARG binary=/bin/wekafsplugin ENTRYPOINT ["/wekafsplugin"] diff --git a/README.md b/README.md index 4d8eec0e..0be31a22 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # CSI WekaFS Driver -![Version: 0.7.4](https://img.shields.io/badge/Version-0.7.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.4](https://img.shields.io/badge/AppVersion-v0.7.4-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/csi-wekafs)](https://artifacthub.io/packages/search?repo=csi-wekafs) @@ -16,6 +16,7 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c ## Usage - [Deploy an Example application](docs/usage.md) +- [SELinux Support & Installation Notes](selinux/README.md) ## Additional Documentation - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin) 
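Review bot: The new `RUN apk add` line in the Dockerfile names `util-linux` twice and installs without `--no-cache`, so the apk index is kept in the image layer. It also adds `bash`, `binutils`, `pciutils`, `usbutils`, `coreutils`, `findutils` and `grep` to an image that the chart's node DaemonSet runs as the `wekafs` container with `privileged: true`. Only `libselinux` and `libselinux-utils` are obviously tied to the SELinux feature, so each of the others deserves a comment saying what the plugin calls it for, or removal. A minimal form would be `RUN apk add --no-cache util-linux libselinux libselinux-utils` plus whichever remaining packages the plugin actually invokes.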
@@ -33,17 +34,22 @@ make build |-----|------|---------|-------------| | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned | | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) | -| csiDriverVersion | string | `"0.7.4"` | CSI driver version | +| csiDriverVersion | string | `"0.8.0"` | CSI driver version | | images.livenessprobesidecar | string | `"k8s.gcr.io/sig-storage/livenessprobe:v2.6.0"` | CSI liveness probe sidecar image URL | | images.attachersidecar | string | `"k8s.gcr.io/sig-storage/csi-attacher:v3.4.0"` | CSI attacher sidecar image URL | | images.provisionersidecar | string | `"k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0"` | CSI provisioner sidecar image URL | | images.registrarsidecar | string | `"k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.0"` | CSI registrar sidercar | | images.resizersidecar | string | `"k8s.gcr.io/sig-storage/csi-resizer:v1.4.0"` | CSI provisioner sidecar image URL | | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL | -| images.csidriverTag | string | `"0.7.4"` | CSI driver tag | +| images.csidriverTag | string | `"0.8.0"` | CSI driver tag | | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components | | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) | | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) | | nodeSelector | object | `{}` | Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only | | logLevel | int | `5` | Log level of CSI plugin | +| legacyVolumeSecretName 
| string | `""` | for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin | +| priorityClassName | string | `""` | Optional CSI Plugin priorityClassName | +| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off) In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! | +| selinuxNodeLabel | string | `"csi.weka.io/selinux_enabled"` | This label must be set to "true" on SELinux-enabled Kubernetes nodes, e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label csi.weka.io/selinux_enabled="true" | +| kubeletPath | string | `"/var/lib/kubelet"` | kubelet path, in cases Kubernetes is installed not in default folder | diff --git a/README.md.gotmpl b/README.md.gotmpl index e0050044..3fbb4fdd 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl @@ -16,6 +16,7 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c ## Usage - [Deploy an Example application](docs/usage.md) +- [SELinux Support & Installation Notes](selinux/README.md) ## Additional Documentation - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin) diff --git a/RELEASE.md b/RELEASE.md index 16f9da33..638d5999 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -1,3 +1,18 @@ +# Release 0.8.0 +## New features +### SELinux support +Weka CSI Plugin can now work with SELinux-enabled Kubernetes clusters. +> **NOTE:** Special configuration is required to deploy the Weka CSI plugin in SELinux-compatible mode +> Refer to [SELinux Support Readme](selinux/README.md) for additional information +## Improvements +- Helm Charts were separated on per-object basis for better supportability +- Custom `kubelet` path may be set, e.g. for using Kubernetes installed into non-default directory + +## Bug Fixes +- Part of new settings in `values.yaml` were not documented +- Improved logging on failure to mount a filesystem due to authorization error +- Fixed a situation in which `csi-registrar` container (part of node server) could enter crash loop due to `csi.Node.v1` not found + # Release 0.7.4 ## New features ### Support for authenticated FileSystems and additional organizations diff --git a/cmd/wekafsplugin/main.go b/cmd/wekafsplugin/main.go index 7ed800b5..bd364309 100644 --- a/cmd/wekafsplugin/main.go +++ b/cmd/wekafsplugin/main.go @@ -44,7 +44,8 @@ var ( showVersion = flag.Bool("version", false, "Show version.") dynamicSubPath = flag.String("dynamic-path", "csi-volumes", "Store dynamically provisioned volumes in subdirectory rather than in root directory of th filesystem") - csimodetext = flag.String("csimode", "all", "Mode of CSI plugin, either \"controller\", \"node\", \"all\" (default)") + csimodetext = flag.String("csimode", "all", "Mode of CSI plugin, either \"controller\", \"node\", \"all\" (default)") + selinuxSupport = flag.Bool("selinux-support", false, "Enable support for SELinux") // Set by the build process version = "" ) 
@@ -60,14 +61,19 @@ func main() { if csiMode != wekafs.CsiModeAll && csiMode != wekafs.CsiModeController && csiMode != wekafs.CsiModeNode { wekafs.Die("Invalid mode specified for CSI driver") } - glog.Infof("Running in mode: %s", csiMode) + glog.Infof("Running in mode: %s, SELinux support: %s", csiMode, func() string { + if *selinuxSupport { + return "ON" + } + return "OFF" + }()) handle() os.Exit(0) } func handle() { - driver, err := wekafs.NewWekaFsDriver(*driverName, *nodeID, *endpoint, *maxVolumesPerNode, version, *debugPath, *dynamicSubPath, csiMode) + driver, err := wekafs.NewWekaFsDriver(*driverName, *nodeID, *endpoint, *maxVolumesPerNode, version, *debugPath, *dynamicSubPath, csiMode, *selinuxSupport) if err != nil { fmt.Printf("Failed to initialize driver: %s", err.Error()) os.Exit(1) diff --git a/deploy/helm/csi-wekafsplugin/Chart.yaml b/deploy/helm/csi-wekafsplugin/Chart.yaml index f09acde4..4fddaa8e 100755 --- a/deploy/helm/csi-wekafsplugin/Chart.yaml +++ b/deploy/helm/csi-wekafsplugin/Chart.yaml @@ -2,9 +2,9 @@ apiVersion: v2 name: csi-wekafsplugin description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for WekaFS - the world fastest filesystem sources: - - https://github.com/weka/csi-wekafs/tree/v0.7.4/deploy/helm/csi-wekafsplugin + - https://github.com/weka/csi-wekafs/tree/v0.8.0/deploy/helm/csi-wekafsplugin home: https://github.com/weka/csi-wekafs icon: https://weka.github.io/csi-wekafs/logo.png type: application -version: 0.7.4 -appVersion: v0.7.4 +version: 0.8.0 +appVersion: v0.8.0 diff --git a/deploy/helm/csi-wekafsplugin/README.md b/deploy/helm/csi-wekafsplugin/README.md index bd4e69ed..a0d5d620 100644 --- a/deploy/helm/csi-wekafsplugin/README.md +++ b/deploy/helm/csi-wekafsplugin/README.md 
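Review bot: The inline `func() string { ... }()` passed to `glog.Infof` in `main()` is more machinery than the log line needs. `glog.Infof("Running in mode: %s, SELinux support: %t", csiMode, *selinuxSupport)` reports the same fact without the closure, printing true/false instead of ON/OFF. In the preceding hunk, the help text of the `selinux-support` flag ("Enable support for SELinux") does not say what the driver does differently when it is set; one more sentence there would help, since the chart passes the flag only from the SELinux DaemonSet. `main()` starts outside the hunk.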
@@ -12,9 +12,12 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c ## Deployment ```shell helm repo add csi-wekafs https://weka.github.io/csi-wekafs -helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace +helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace [--set selinuxSupport=] ``` +> **NOTE:** Since version 0.8.0, Weka CSI plugin supports installation on SELinux-enabled Kubernetes clusters +> Refer to [SELinux Support & Installation Notes](selinux/README.md) for additional information + > **NOTE:** Since version 0.7.0, Weka CSI plugin transitions to API-based deployment model which requires API > connectivity and credentials parameters to be set in Storage Class. > @@ -28,6 +31,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs ## Usage - [Deploy an Example application](https://github.com/weka/csi-wekafs/blob/master/docs/usage.md) +- [SELinux Support & Installation Notes](selinux/README.md) ## Additional Documentation - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin) 
@@ -38,17 +42,22 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs |-----|------|---------|-------------| | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned | | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) | -| csiDriverVersion | string | `"0.7.4"` | CSI driver version | +| csiDriverVersion | string | `"0.8.0"` | CSI driver version | | images.livenessprobesidecar | string | `"k8s.gcr.io/sig-storage/livenessprobe:v2.6.0"` | CSI liveness probe sidecar image URL | | images.attachersidecar | string | `"k8s.gcr.io/sig-storage/csi-attacher:v3.4.0"` | CSI attacher sidecar image URL | | images.provisionersidecar | string | `"k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0"` | CSI provisioner sidecar image URL | | images.registrarsidecar | string | `"k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.0"` | CSI registrar sidercar | | images.resizersidecar | string | `"k8s.gcr.io/sig-storage/csi-resizer:v1.4.0"` | CSI provisioner sidecar image URL | | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL | -| images.csidriverTag | string | `"0.7.4"` | CSI driver tag | +| images.csidriverTag | string | `"0.8.0"` | CSI driver tag | | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components | | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) | | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) | | nodeSelector | object | `{}` | Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only | | 
logLevel | int | `5` | Log level of CSI plugin | +| legacyVolumeSecretName | string | `""` | for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin | +| priorityClassName | string | `""` | Optional CSI Plugin priorityClassName | +| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off) In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! | +| selinuxNodeLabel | string | `"csi.weka.io/selinux_enabled"` | This label must be set to "true" on SELinux-enabled Kubernetes nodes, e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label csi.weka.io/selinux_enabled="true" | +| kubeletPath | string | `"/var/lib/kubelet"` | kubelet path, in cases Kubernetes is installed not in default folder | diff --git a/deploy/helm/csi-wekafsplugin/README.md.gotmpl b/deploy/helm/csi-wekafsplugin/README.md.gotmpl index cfff35c0..626c933e 100644 --- a/deploy/helm/csi-wekafsplugin/README.md.gotmpl +++ b/deploy/helm/csi-wekafsplugin/README.md.gotmpl 
@@ -12,9 +12,12 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c ## Deployment ```shell helm repo add csi-wekafs https://weka.github.io/csi-wekafs -helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace +helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace [--set selinuxSupport=] ``` +> **NOTE:** Since version 0.8.0, Weka CSI plugin supports installation on SELinux-enabled Kubernetes clusters +> Refer to [SELinux Support & Installation Notes](selinux/README.md) for additional information + > **NOTE:** Since version 0.7.0, Weka CSI plugin transitions to API-based deployment model which requires API > connectivity and credentials parameters to be set in Storage Class. > @@ -28,6 +31,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs ## Usage - [Deploy an Example application](https://github.com/weka/csi-wekafs/blob/master/docs/usage.md) +- [SELinux Support & Installation Notes](selinux/README.md) ## Additional Documentation - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin) diff --git a/deploy/helm/csi-wekafsplugin/templates/NOTES.txt b/deploy/helm/csi-wekafsplugin/templates/NOTES.txt index 426acbc0..189bf598 100644 --- a/deploy/helm/csi-wekafsplugin/templates/NOTES.txt +++ b/deploy/helm/csi-wekafsplugin/templates/NOTES.txt @@ -8,3 +8,6 @@ To learn more about the release, try: $ helm get all {{ .Release.Name }} Official Weka CSI Plugin documentation can be found here: https://docs.weka.io/appendix/weka-csi-plugin + +Examples on how to configure a storage class and start using the driver are here: +https://github.com/weka/csi-wekafs/tree/master/examples diff --git a/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrole.yaml b/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrole.yaml new file mode 100644 index 00000000..b36f4ed9 
--- /dev/null
+++ b/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrole.yaml
@@ -0,0 +1,63 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+ labels:
+ app: {{ .Release.Name }}-controller
+ component: {{ .Release.Name }}-controller
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete", "get", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "create", "get", "list", "watch", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]
diff --git a/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrolebinding.yaml b/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrolebinding.yaml
new file mode 100644
index 00000000..4a84e6a2
--- /dev/null
+++ b/deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+ labels:
+ app: {{ .Release.Name }}-controller
+ component: {{ .Release.Name }}-controller
+ release: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}-controller
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/helm/csi-wekafsplugin/templates/controllerserver-serviceaccount.yaml b/deploy/helm/csi-wekafsplugin/templates/controllerserver-serviceaccount.yaml
new file mode 100644
index 00000000..26a9794b
--- /dev/null
+++ b/deploy/helm/csi-wekafsplugin/templates/controllerserver-serviceaccount.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+imagePullSecrets:
+ - name: {{ .Release.Name }}-creds
+metadata:
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}-controller
+ component: {{ .Release.Name }}-controller
+ release: {{ .Release.Name }}
+
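Review bot: The first rule of controllerserver-clusterrole.yaml grants `list` as well as `get` on `secrets` through a ClusterRole, which lets the controller service account enumerate every secret in every namespace. The rule is carried over unchanged from the old controllerserver.yaml, but splitting RBAC into its own file is a natural point to check it. Reading a secret that a StorageClass references by name presumably needs only `get`, so if nothing in the controller lists secrets, `verbs: ["get"]` is enough. The same `["get", "list"]` rule is copied into nodeserver-clusterrole.yaml, where it applies to a service account running on every node. A comment above each rule saying which sidecar needs it would make later trimming easier.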
diff --git a/deploy/helm/csi-wekafsplugin/templates/controllerserver.yaml b/deploy/helm/csi-wekafsplugin/templates/controllerserver-statefulset.yaml similarity index 64% rename from deploy/helm/csi-wekafsplugin/templates/controllerserver.yaml rename to deploy/helm/csi-wekafsplugin/templates/controllerserver-statefulset.yaml index 07b16ecf..47a4faf8 100755 --- a/deploy/helm/csi-wekafsplugin/templates/controllerserver.yaml +++ b/deploy/helm/csi-wekafsplugin/templates/controllerserver-statefulset.yaml 
@@ -1,98 +1,12 @@ -apiVersion: v1 -kind: ServiceAccount -imagePullSecrets: -- name: {{ .Release.Name }}-creds -metadata: - name: {{ .Release.Name }}-controller - namespace: {{ .Release.Namespace }} - ---- -# cluster role ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-controller -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "list", "watch", "delete", "get", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: 
["volumesnapshotcontents/status"] - verbs: ["update", "create", "get", "list", "watch", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] - ---- -# cluster role binding ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-controller -subjects: - - kind: ServiceAccount - name: {{ .Release.Name }}-controller - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ .Release.Name }}-controller - apiGroup: rbac.authorization.k8s.io - ---- -# stateful set of controller ---- kind: StatefulSet apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-controller namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }}-controller + component: {{ .Release.Name }}-controller + release: {{ .Release.Name }} spec: selector: matchLabels: @@ -103,6 +17,8 @@ spec: metadata: labels: app: {{ .Release.Name }}-controller + component: {{ .Release.Name }}-controller + release: {{ .Release.Name }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8}} @@ -190,10 +106,10 @@ spec: volumeMounts: - mountPath: /csi name: socket-dir - - mountPath: /var/lib/kubelet/pods + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods mountPropagation: Bidirectional name: mountpoint-dir - - mountPath: /var/lib/kubelet/plugins + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins mountPropagation: Bidirectional name: plugins-dir - mountPath: /var/lib/csi-wekafs-data 
@@ -225,19 +141,19 @@ spec: {{- end }} volumes: - hostPath: - path: /var/lib/kubelet/plugins/csi-wekafs + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins/csi-wekafs type: DirectoryOrCreate name: socket-dir - hostPath: - path: /var/lib/kubelet/pods + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods type: DirectoryOrCreate name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/plugins_registry + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins_registry type: Directory name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins type: Directory name: plugins-dir - hostPath: diff --git a/deploy/helm/csi-wekafsplugin/templates/driver.yaml b/deploy/helm/csi-wekafsplugin/templates/driver.yaml index 83e1d868..989df849 100755 --- a/deploy/helm/csi-wekafsplugin/templates/driver.yaml +++ b/deploy/helm/csi-wekafsplugin/templates/driver.yaml @@ -1,4 +1,8 @@ +{{ if semverCompare ">=1.18.0-beta.1" .Capabilities.KubeVersion.Version }} apiVersion: storage.k8s.io/v1 +{{ else }} +apiVersion: storage.k8s.io/v1beta1 +{{ end }} kind: CSIDriver metadata: name: {{ required "Provide CSI Driver Name" .Values.csiDriverName }} diff --git a/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrole.yaml b/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrole.yaml new file mode 100644 index 00000000..ac6c792b --- /dev/null +++ b/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrole.yaml 
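Review bot: `{{ .Values.kubeletPath | default "/var/lib/kubelet" }}` is repeated in every `hostPath.path` and `mountPath` of controllerserver-statefulset.yaml, and again in both node DaemonSet templates, with nothing normalising the value. A `kubeletPath` given with a trailing slash renders `//pods` and `//plugins`. A single named template (`define`, called with `include`) that applies `trimSuffix "/"` would leave one place to validate the value and keep the host path and the in-container mount path in step. These are host mounts with `mountPropagation: Bidirectional`, so a comment at that template stating that the value must be the absolute kubelet root directory of the node would be worth having.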
@@ -0,0 +1,33 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-node
+ labels:
+ app: {{ .Release.Name }}-node
+ component: {{ .Release.Name }}-node
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["create", "delete", "get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumesclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
diff --git a/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrolebinding.yaml b/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrolebinding.yaml
new file mode 100644
index 00000000..741794c5
--- /dev/null
+++ b/deploy/helm/csi-wekafsplugin/templates/nodeserver-clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-node
+ labels:
+ app: {{ .Release.Name }}-node
+ component: {{ .Release.Name }}-node
+ release: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-node
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}-node
+ apiGroup: rbac.authorization.k8s.io
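Review bot: `resources: ["persistentvolumesclaims"]` in nodeserver-clusterrole.yaml is misspelled (extra `s`), so the rule matches no resource and the node service account gets no access to PersistentVolumeClaims. It should read `resources: ["persistentvolumeclaims"]`, or the rule should be dropped if the node server never reads PVCs. The `volumeattachments` rule also appears twice with identical verbs, and one copy can be removed. Both were carried over verbatim from the old nodeserver.yaml. The `create`/`delete` verbs on `persistentvolumes` look broader than a node plugin usually needs and are worth confirming for a role bound on every node.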
diff --git a/deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml b/deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml
new file mode 100644
index 00000000..460d8fd1
--- /dev/null
+++ b/deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml
@@ -0,0 +1,165 @@
+{{- if or (eq (.Values.selinuxSupport | default "off") "enforced") (eq (.Values.selinuxSupport | toString) "mixed") }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: {{ .Release.Name }}-node-selinux
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-node
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-node
+ component: {{ .Release.Name }}-node-selinux
+ release: {{ .Release.Name }}
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: {{ .Values.selinuxNodeLabel }}
+ operator: In
+ values:
+ - "true"
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8}}
+ {{- end }}
+ serviceAccountName: {{ .Release.Name }}-node
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ hostNetwork: true
+ containers:
+ - name: wekafs
+ securityContext:
+ privileged: true
+ image: {{ .Values.images.csidriver }}:v{{ .Values.images.csidriverTag }}
+ imagePullPolicy: Always
+ args:
+ - "--v={{ .Values.logLevel | default 5 }}"
+ - "--drivername=$(CSI_DRIVER_NAME)"
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--nodeid=$(KUBE_NODE_NAME)"
+ - "--dynamic-path=$(CSI_DYNAMIC_PATH)"
+ - "--csimode=$(X_CSI_MODE)"
+ - "--selinux-support"
+ ports:
+ - containerPort: 9898
+ name: healthz
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ periodSeconds: 2
+ env:
+ - name: CSI_DRIVER_NAME
+ value: {{ required "Provide CSI Driver Name" .Values.csiDriverName }}
+ - name: CSI_ENDPOINT
+ value: unix:///csi/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: CSI_DYNAMIC_PATH
+ value: {{ required "Provide CSI Driver Dynamic Volume Creation Path" .Values.dynamicProvisionPath }}
+ - name: X_CSI_MODE
+ value: node
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods
+ mountPropagation: Bidirectional
+ name: mountpoint-dir
+ - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins
+ mountPropagation: Bidirectional
+ name: plugins-dir
+ - mountPath: /var/lib/csi-wekafs-data
+ name: csi-data-dir
+ - mountPath: /dev
+ name: dev-dir
+{{- if .Values.legacyVolumeSecretName }}
+ - mountPath: /legacy-volume-access
+ name: legacy-volume-access
+ readOnly: true
+{{- end }}
+ - name: liveness-probe
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ image: {{ required "Provide Liveness Probe image." .Values.images.livenessprobesidecar }}
+ args:
+ - "--v={{ .Values.logLevel | default 5 }}"
+ - "--csi-address=$(ADDRESS)"
+ - "--health-port=$(HEALTH_PORT)"
+ env:
+ - name: ADDRESS
+ value: unix:///csi/csi.sock
+ - name: HEALTH_PORT
+ value: "9898"
+
+ - name: csi-registrar
+ image: {{ required "Provide the csi node registrar sidecar container image." .Values.images.registrarsidecar }}
+ args:
+ - "--v={{ .Values.logLevel | default 5 }}"
+ - "--csi-address=$(ADDRESS)"
+ - "--kubelet-registration-path=$(KUBELET_REGISTRATION_PATH)"
+ securityContext:
+ privileged: true
+ env:
+ - name: ADDRESS
+ value: unix:///csi/csi.sock
+ - name: KUBELET_REGISTRATION_PATH
+ value: "{{ (.Values.kubeletPath | default "/var/lib/kubelet") | toString }}/plugins/csi-wekafs/csi.sock"
+
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ - mountPath: /registration
+ name: registration-dir
+ - mountPath: /var/lib/csi-wekafs-data
+ name: csi-data-dir
+ {{- with .Values.nodePluginTolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - hostPath:
+ path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods
+ type: DirectoryOrCreate
+ name: mountpoint-dir
+ - hostPath:
+ path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins_registry
+ type: Directory
+ name: registration-dir
+ - hostPath:
+ path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins
+ type: Directory
+ name: plugins-dir
+ - hostPath:
+ path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins/csi-wekafs
+ type: DirectoryOrCreate
+ name: socket-dir
+ - hostPath:
+ # 'path' is where PV data is persisted on host.
+ # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot
+ path: /var/lib/csi-wekafs-data/
+ type: DirectoryOrCreate
+ name: csi-data-dir
+ - hostPath:
+ path: /dev
+ type: Directory
+ name: dev-dir
+{{- if .Values.legacyVolumeSecretName }}
+ - name: legacy-volume-access
+ secret:
+ secretName: {{ .Values.legacyVolumeSecretName }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/deploy/helm/csi-wekafsplugin/templates/nodeserver.yaml b/deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset.yaml
old mode 100755
new mode 100644
similarity index 71%
rename from deploy/helm/csi-wekafsplugin/templates/nodeserver.yaml
rename to deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset.yaml
index 475f7ca5..3e33328a
--- a/deploy/helm/csi-wekafsplugin/templates/nodeserver.yaml
+++ b/deploy/helm/csi-wekafsplugin/templates/nodeserver-daemonset.yaml
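Review bot: `spec.selector.matchLabels` in nodeserver-daemonset-selinux.yaml is only `app: {{ .Release.Name }}-node`, although the pod template also carries `component: {{ .Release.Name }}-node-selinux`. The regular node DaemonSet's pod template uses the same `app` label, so in `mixed` mode, where both templates render, the two DaemonSets would have overlapping selectors if the regular one also selects on `app` alone (its selector lies outside the visible hunks). Adding `component: {{ .Release.Name }}-node-selinux` under `matchLabels` keeps the two sets of pods distinguishable to the controller and to anyone querying by label. The DaemonSet `metadata` also lacks the `labels` block that the other objects in this commit received, and the file ends without a trailing newline.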
@@ -1,56 +1,4 @@ -apiVersion: v1 -kind: ServiceAccount -imagePullSecrets: -- name: {{ .Release.Name }}-creds -metadata: - name: {{ .Release.Name }}-node - namespace: {{ .Release.Namespace }} - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-node -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["create", "delete", "get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["persistentvolumesclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-node -subjects: - - kind: ServiceAccount - name: {{ .Release.Name }}-node - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ .Release.Name }}-node - apiGroup: rbac.authorization.k8s.io ---- +{{- if or (eq (.Values.selinuxSupport | default "off") "off") (eq (.Values.selinuxSupport | toString) "mixed") }} kind: DaemonSet apiVersion: apps/v1 metadata: 
@@ -64,11 +12,25 @@ spec: metadata: labels: app: {{ .Release.Name }}-node + component: {{ .Release.Name }}-node + release: {{ .Release.Name }} spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .Values.selinuxNodeLabel }} + operator: NotIn + values: + - "true" {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8}} {{- end }} serviceAccountName: {{ .Release.Name }}-node + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} hostNetwork: true containers: - name: wekafs @@ -111,10 +73,10 @@ spec: volumeMounts: - mountPath: /csi name: socket-dir - - mountPath: /var/lib/kubelet/pods + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods mountPropagation: Bidirectional name: mountpoint-dir - - mountPath: /var/lib/kubelet/plugins + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins mountPropagation: Bidirectional name: plugins-dir - mountPath: /var/lib/csi-wekafs-data @@ -146,12 +108,14 @@ spec: args: - "--v={{ .Values.logLevel | default 5 }}" - "--csi-address=$(ADDRESS)" - - "--kubelet-registration-path=/var/lib/kubelet/plugins/csi-wekafs/csi.sock" + - "--kubelet-registration-path=$(KUBELET_REGISTRATION_PATH)" securityContext: privileged: true env: - name: ADDRESS value: unix:///csi/csi.sock + - name: KUBELET_REGISTRATION_PATH + value: "{{ (.Values.kubeletPath | default "/var/lib/kubelet") | toString }}/plugins/csi-wekafs/csi.sock" volumeMounts: - mountPath: /csi name: socket-dir 
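Review bot: The new affinity term in the @@ -64,11 +12,25 @@ hunk renders `key: {{ .Values.selinuxNodeLabel }}` unquoted and unchecked. An empty or overridden-to-null value produces a matchExpression with no key, which fails only when the API server rejects the DaemonSet. The chart already uses `required` for the sidecar images, and the same guard fits here: `- key: {{ required "Provide selinuxNodeLabel." .Values.selinuxNodeLabel | quote }}`. The pod spec continues outside the hunk.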
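Review bot: The mount paths under `mountPropagation: Bidirectional` in the @@ -111,10 +73,10 @@ hunk are now built from `.Values.kubeletPath` with no normalisation. The same `{{ .Values.kubeletPath | default "/var/lib/kubelet" }}` expression is repeated in the registrar env (@@ -146,12 +108,14 @@) and in the four hostPath volumes (@@ -165,21 +129,21 @@). Because mounts made under these paths propagate back to the host, the value should be resolved once and be a clean absolute path; a trailing slash currently renders `//pods`. A single named template would keep all call sites in step, for example `{{- define "csi-wekafsplugin.kubeletPath" -}}{{ .Values.kubeletPath | default "/var/lib/kubelet" | trimSuffix "/" }}{{- end -}}` (the template name is a suggestion), used through `include` at each site.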
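Review bot: The csi-registrar sidecar in the @@ -146,12 +108,14 @@ hunk keeps `securityContext: privileged: true`, although this DaemonSet is now gated to `off`/`mixed` mode and its affinity keeps it off nodes labelled SELinux-enabled. Upstream node-driver-registrar describes privileged mode as needed only on SELinux hosts, where an unprivileged sidecar cannot reach the socket created by the privileged driver container, so it looks droppable in this variant. I would replace it with `allowPrivilegeEscalation: false`, after confirming that registration still works on an unlabelled node. The container spec continues outside the hunk.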
@@ -165,21 +129,21 @@ spec: {{- end }} volumes: - hostPath: - path: /var/lib/kubelet/plugins/csi-wekafs - type: DirectoryOrCreate - name: socket-dir - - hostPath: - path: /var/lib/kubelet/pods + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods type: DirectoryOrCreate name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/plugins_registry + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins_registry type: Directory name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins type: Directory name: plugins-dir + - hostPath: + path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins/csi-wekafs + type: DirectoryOrCreate + name: socket-dir - hostPath: # 'path' is where PV data is persisted on host. # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot @@ -195,3 +159,4 @@ spec: secret: secretName: {{ .Values.legacyVolumeSecretName }} {{- end }} +{{- end }} diff --git a/deploy/helm/csi-wekafsplugin/templates/nodeserver-serviceaccount.yaml b/deploy/helm/csi-wekafsplugin/templates/nodeserver-serviceaccount.yaml new file mode 100644 index 00000000..0e89c844 --- /dev/null +++ b/deploy/helm/csi-wekafsplugin/templates/nodeserver-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +imagePullSecrets: + - name: {{ .Release.Name }}-creds +metadata: + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }}-node + component: {{ .Release.Name }}-node + release: {{ .Release.Name }} diff --git a/deploy/helm/csi-wekafsplugin/values.yaml b/deploy/helm/csi-wekafsplugin/values.yaml index 5fbb312c..0ef8f98f 100755 --- a/deploy/helm/csi-wekafsplugin/values.yaml +++ b/deploy/helm/csi-wekafsplugin/values.yaml 
@@ -5,7 +5,7 @@ dynamicProvisionPath: "csi-volumes" # -- Name of the driver (and provisioner) csiDriverName: "csi.weka.io" # -- CSI driver version -csiDriverVersion: &csiDriverVersion 0.7.4 +csiDriverVersion: &csiDriverVersion 0.8.0 images: # -- CSI liveness probe sidecar image URL livenessprobesidecar: k8s.gcr.io/sig-storage/livenessprobe:v2.6.0 @@ -34,6 +34,19 @@ nodePluginTolerations: *globalPluginTolerations nodeSelector: {} # -- Log level of CSI plugin logLevel: 5 - # -- for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin -# legacyVolumeSecretName: csi-wekafs-api-secret +legacyVolumeSecretName: "" +# -- Optional CSI Plugin priorityClassName +priorityClassName: "" +# -- Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off) +# In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below +# In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts +# In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. +# WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! +selinuxSupport: off +# -- This label must be set to "true" on SELinux-enabled Kubernetes nodes, +# e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label +# csi.weka.io/selinux_enabled="true" +selinuxNodeLabel: "csi.weka.io/selinux_enabled" +# -- kubelet path, in cases Kubernetes is installed not in default folder +kubeletPath: "/var/lib/kubelet" diff --git a/examples/dynamic_api/csi-daemonset.app-on-dir-api.yaml b/examples/dynamic_api/csi-daemonset.app-on-dir-api.yaml index 6a61b20f..769a69bc 100644 --- a/examples/dynamic_api/csi-daemonset.app-on-dir-api.yaml +++ b/examples/dynamic_api/csi-daemonset.app-on-dir-api.yaml 
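Review bot: In the @@ -34,6 +34,19 @@ hunk `selinuxSupport: off` is unquoted, and YAML 1.1 loaders (which Helm's values parsing follows, as far as I know) read bare `off` as boolean false rather than the string the comment documents. The gate in nodeserver-daemonset.yaml still renders only because `default "off"` treats false as empty and `toString` turns it into "false"; any template that compares the value directly with `eq ... "off"` would not match. Quoting the default removes the ambiguity: `selinuxSupport: "off"`. It would also help to state in the comment that the three modes are strings.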
@@ -2,6 +2,8 @@ kind: DaemonSet apiVersion: apps/v1 metadata: name: csi-wekafs-test-api + labels: + app: "csi-daemonset-app-on-dir-api" spec: selector: matchLabels: @@ -10,7 +12,9 @@ spec: metadata: labels: kubernetes.io/os: linux + app: "csi-daemonset-app-on-dir-api" spec: + terminationGracePeriodSeconds: 1 # make sure that pod is scheduled only on node having weka CSI node running nodeSelector: topology.csi.weka.io/global: "true" diff --git a/examples/static_api/csi-app-on-dir-static-api.yaml b/examples/static_api/csi-app-on-dir-static-api.yaml new file mode 100644 index 00000000..45318ca8 --- /dev/null +++ b/examples/static_api/csi-app-on-dir-static-api.yaml @@ -0,0 +1,17 @@ +kind: Pod +apiVersion: v1 +metadata: + name: csi-app-on-dir-static-api +spec: + containers: + - name: my-frontend + image: busybox + volumeMounts: + - mountPath: "/data" + name: my-csi-volume + command: ["/bin/sh"] + args: ["-c", "while true; do echo `date` hello >> /data/temp.txt; sleep 10;done"] + volumes: + - name: my-csi-volume + persistentVolumeClaim: + claimName: pvc-wekafs-dir-static-api # defined in pvc-wekafs-dir.yaml diff --git a/examples/static_api/csi-wekafs-api-secret.yaml b/examples/static_api/csi-wekafs-api-secret.yaml new file mode 100644 index 00000000..3ecaa4f0 --- /dev/null +++ b/examples/static_api/csi-wekafs-api-secret.yaml 
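Review bot: The new example Pod in examples/static_api/csi-app-on-dir-static-api.yaml uses `image: busybox` with no tag or digest, so the image that writes to the shared volume changes whenever the upstream tag moves. It also sets no `securityContext`, so the container presumably runs as root against the Weka directory. For a file people copy as a starting point, I would pin the image, e.g. `image: busybox:<pinned-tag>`, and add `securityContext: {runAsNonRoot: true, runAsUser: 1000, allowPrivilegeEscalation: false}` to the container. The owner UID should match the `ownerUid` chosen in the StorageClass.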
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: csi-wekafs-api-secret + namespace: csi-wekafs +type: Opaque +data: + # username to connect to the cluster API (base64-encoded) + username: YWRtaW4= + # password to connect to the cluster API (base64-encoded) + password: YWRtaW4= + # organization to connect to (default Root, base64-encoded) + organization: Um9vdA== + # comma-separated list of cluster management endpoints in form of (base64-encoded) + # It is recommended to configure at least 2 management endpoints (cluster backend nodes), or a load-balancer if used + # e.g. 172.31.15.113:14000,172.31.12.91:14000 + endpoints: MTcyLjMxLjE1LjExMzoxNDAwMCwxNzIuMzEuMTIuOTE6MTQwMDAsMTcyLjMxLjEyLjk0OjE0MDAwLDE3Mi4zMS4xMC45NToxNDAwMCwxNzIuMzEuMy4xNjc6MTQwMDAsMTcyLjMxLjguMTM1OjE0MDAw + # protocol to use for API connection (may be either http or https, base64-encoded) + scheme: aHR0cA== diff --git a/examples/static_api/pv-wekafs-dir-static-api.yaml b/examples/static_api/pv-wekafs-dir-static-api.yaml new file mode 100644 index 00000000..7bc5f6bc --- /dev/null +++ b/examples/static_api/pv-wekafs-dir-static-api.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-wekafs-dir-static-api +spec: + storageClassName: storageclass-wekafs-dir-static-api + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + volumeMode: Filesystem + capacity: + storage: 1Gi + csi: + driver: csi.weka.io + # volumeHandle must be formatted as following: + # dir/v1// + # The path must exist, otherwise publish request will fail + volumeHandle: dir/v1/default/test/path + nodePublishSecretRef: + name: "csi-wekafs-api-secret" + namespace: "csi-wekafs" + diff --git a/examples/static_api/pvc-wekafs-dir-static-api.yaml b/examples/static_api/pvc-wekafs-dir-static-api.yaml new file mode 100644 index 00000000..cf0be08c --- /dev/null +++ b/examples/static_api/pvc-wekafs-dir-static-api.yaml 
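Review bot: The example Secret in examples/static_api/csi-wekafs-api-secret.yaml ships default credentials and cleartext transport: `username` and `password` both decode to `admin`, and `scheme: aHR0cA==` decodes to `http`. Anyone applying the file as-is sends the API login unencrypted to the management endpoints. Since examples tend to be copied verbatim, I would switch the block to `stringData:` with obvious placeholders and default to TLS, e.g. `password: "<REPLACE_ME>"` and `scheme: https`. The `endpoints` value also decodes to six private addresses while the comment above it shows two; a placeholder list would keep the comment and the value consistent.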
@@ -0,0 +1,13 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: pvc-wekafs-dir-static-api +spec: + accessModes: + - ReadWriteMany + storageClassName: storageclass-wekafs-dir-static-api + volumeName: pv-wekafs-dir-static-api + volumeMode: Filesystem + resources: + requests: + storage: 1Gi diff --git a/examples/static_api/storageclass-wekafs-dir-static-api.yaml b/examples/static_api/storageclass-wekafs-dir-static-api.yaml new file mode 100644 index 00000000..b10ecac1 --- /dev/null +++ b/examples/static_api/storageclass-wekafs-dir-static-api.yaml 
@@ -0,0 +1,41 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: storageclass-wekafs-dir-static-api +provisioner: csi.weka.io +reclaimPolicy: Delete +volumeBindingMode: Immediate +allowVolumeExpansion: true +parameters: + volumeType: dir/v1 + filesystemName: default + + # optional parameters setting UID, GID and permissions on volume + # UID of the volume owner, default 0 (root) + #ownerUid: "1000" + + # GID of the volume owner, default 0 (root) + #ownerGid: "1000" + + # permissions in Unix octal format, default "0750" + #permissions: "0775" + + # if the values below are not set, quota will not be enforced for this storage class + # capacity enforcement mode (either SOFT or HARD) + # - HARD: pod will not be able to write above quota + # - SOFT: warning will be issued on Weka cluster, but writing will not be blocked + capacityEnforcement: HARD + # name of the secret that stores API credentials for a cluster + # change the name of secret to match secret of a particular cluster (if you have several Weka clusters) + csi.storage.k8s.io/provisioner-secret-name: &secretName csi-wekafs-api-secret + # change the name of the namespace in which the cluster API credentials + csi.storage.k8s.io/provisioner-secret-namespace: &secretNamespace csi-wekafs + # do not change anything below this line, or set to same parameters as above + csi.storage.k8s.io/controller-publish-secret-name: *secretName + csi.storage.k8s.io/controller-publish-secret-namespace: *secretNamespace + csi.storage.k8s.io/controller-expand-secret-name: *secretName + csi.storage.k8s.io/controller-expand-secret-namespace: *secretNamespace + csi.storage.k8s.io/node-stage-secret-name: *secretName + csi.storage.k8s.io/node-stage-secret-namespace: *secretNamespace + csi.storage.k8s.io/node-publish-secret-name: *secretName + csi.storage.k8s.io/node-publish-secret-namespace: *secretNamespace diff --git a/go.mod b/go.mod index 06ef2320..283fec93 100644 --- a/go.mod +++ b/go.mod 
@@ -3,19 +3,17 @@ module github.com/wekafs/csi-wekafs go 1.16 require ( - github.com/container-storage-interface/spec v1.5.0 + github.com/container-storage-interface/spec v1.6.0 + github.com/go-logr/logr v1.2.3 // indirect github.com/golang/glog v1.0.0 github.com/google/uuid v1.3.0 - github.com/hashicorp/go-version v1.3.0 - github.com/kubernetes-csi/csi-lib-utils v0.10.0 - github.com/pkg/xattr v0.4.4 - golang.org/x/net v0.0.0-20211104170005-ce137452f963 - golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect - golang.org/x/text v0.3.7 // indirect - google.golang.org/genproto v0.0.0-20211104193956-4c6863e31247 // indirect - google.golang.org/grpc v1.42.0 - k8s.io/apimachinery v0.22.3 + github.com/hashicorp/go-version v1.5.0 + github.com/kubernetes-csi/csi-lib-utils v0.11.0 + github.com/pkg/xattr v0.4.7 + golang.org/x/net v0.0.0-20220607020251-c690dde0001d + google.golang.org/genproto v0.0.0-20220607223854-30acc4cbd2aa // indirect + google.golang.org/grpc v1.47.0 + k8s.io/apimachinery v0.24.1 k8s.io/helm v2.17.0+incompatible - k8s.io/klog/v2 v2.30.0 // indirect - k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b + k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 ) diff --git a/go.sum b/go.sum index 31e51887..502e9b20 100644 --- a/go.sum +++ b/go.sum 
@@ -46,6 +46,7 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -64,12 +65,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/container-storage-interface/spec v1.5.0 h1:lvKxe3uLgqQeVQcrnL2CPQKISoKjTJxojEs9cBk+HXo= github.com/container-storage-interface/spec v1.5.0/go.mod h1:8K96oQNkJ7pFcC2R9Z1ynGGBB1I93kcS6PGg3SsOk8s= +github.com/container-storage-interface/spec v1.6.0 h1:vwN9uCciKygX/a0toYryoYD5+qI9ZFeAMuhEEKO+JBA= +github.com/container-storage-interface/spec v1.6.0/go.mod h1:8K96oQNkJ7pFcC2R9Z1ynGGBB1I93kcS6PGg3SsOk8s= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= 
@@ -91,16 +92,17 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -112,10 +114,13 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 
@@ -154,14 +159,16 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 
@@ -180,6 +187,7 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= @@ -198,8 +206,8 @@ github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerX github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw= -github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.5.0 h1:O293SZ2Eg+AAYijkVK3jR786Am1bhDEh2GHT0tIVE5E= +github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
@@ -217,6 +225,7 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= @@ -233,8 +242,8 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kubernetes-csi/csi-lib-utils v0.10.0 h1:Aqm8X81eCzzfH/bvIEqSWtcbK9HF9NbFk4d+le1snVA= -github.com/kubernetes-csi/csi-lib-utils v0.10.0/go.mod h1:BmGZZB16L18+9+Lgg9YWwBKfNEHIDdgGfAyuW6p2NV0= +github.com/kubernetes-csi/csi-lib-utils v0.11.0 h1:FHWOBtAZBA/hVk7v/qaXgG9Sxv0/n06DebPFuDwumqg= +github.com/kubernetes-csi/csi-lib-utils v0.11.0/go.mod h1:BmGZZB16L18+9+Lgg9YWwBKfNEHIDdgGfAyuW6p2NV0= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
@@ -257,6 +266,7 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= @@ -277,8 +287,8 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/xattr v0.4.4 h1:FSoblPdYobYoKCItkqASqcrKCxRn9Bgurz0sCBwzO5g= -github.com/pkg/xattr v0.4.4/go.mod h1:sBD3RAqlr8Q+RC3FutZcikpT8nyDrIEEBw2J744gVWs= +github.com/pkg/xattr v0.4.7 h1:XoA3KzmFvyPlH4RwX5eMcgtzcaGBaSvgt3IoFQfbrmQ= +github.com/pkg/xattr v0.4.7/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= 
@@ -434,8 +444,9 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211104170005-ce137452f963 h1:8gJUadZl+kWvZBqG/LautX0X6qe5qTC2VI/3V3NBRAY= -golang.org/x/net v0.0.0-20211104170005-ce137452f963/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8= +golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -486,19 +497,24 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4= -golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -546,9 +562,11 @@ golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -591,8 +609,8 @@ google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20211104193956-4c6863e31247 h1:ZONpjmFT5e+I/0/xE3XXbG5OIvX2hRYzol04MhKBl2E= -google.golang.org/genproto v0.0.0-20211104193956-4c6863e31247/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220607223854-30acc4cbd2aa h1:u5ndLsuhUo/bFuumgRSYgK92eCf5IEAogxgNBqAjNqs= +google.golang.org/genproto v0.0.0-20220607223854-30acc4cbd2aa/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -605,9 +623,8 @@ google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTp google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0 h1:XT2/MFpuPFsEX2fWh3YQtHkZ+WYZFQRfaUgLZYj/p6A= -google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8= +google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -620,8 +637,9 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -656,24 +674,30 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU= k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= -k8s.io/apimachinery v0.22.3 h1:mrvBG5CZnEfwgpVqWcrRKvdsYECTrhAR6cApAgdsflk= -k8s.io/apimachinery v0.22.3/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/apimachinery v0.24.1 h1:ShD4aDxTQKN5zNf8K1RQ2u98ELLdIW7jEnlO9uAMX/I= +k8s.io/apimachinery v0.24.1/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg= k8s.io/component-base v0.22.0/go.mod h1:SXj6Z+V6P6GsBhHZVbWCw9hFjUdUYnJerlhhPnYCBCg= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw= -k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= +k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= k8s.io/utils 
v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b h1:wxEMGetGMur3J1xuGLQY7GEQYg9bZxKn3tKo5k/eYcs= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/pkg/wekafs/apiclient/apiclient.go b/pkg/wekafs/apiclient/apiclient.go index 0058647d..67f3ae14 100644 --- a/pkg/wekafs/apiclient/apiclient.go +++ b/pkg/wekafs/apiclient/apiclient.go @@ -26,6 +26,7 @@ const ( ApiRetryIntervalSeconds = 1 ApiRetryMaxCount = 5 RetryBackoffExponentialFactor = 1 + RootOrganizationName = "Root" ) //ApiClient is a structure that defines Weka API client diff --git a/pkg/wekafs/controllerserver.go b/pkg/wekafs/controllerserver.go index 352fd127..2e0e953b 100644 --- a/pkg/wekafs/controllerserver.go +++ b/pkg/wekafs/controllerserver.go 
@@ -119,7 +119,7 @@ func CreateVolumeError(errorCode codes.Code, errorMessage string) (*csi.CreateVo //goland:noinspection GoUnusedParameter func (cs *controllerServer) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) { glog.V(3).Infof("Received a CreateVolume request: %s", createKeyValuePairs(req.GetParameters())) - defer glog.V(3).Infof("Completed processing request: %s", createKeyValuePairs(req.GetParameters())) + defer glog.V(3).Infof("Completed processing CreateVolume request: %s", createKeyValuePairs(req.GetParameters())) cs.creatLock.Lock() defer cs.creatLock.Unlock() if err := cs.validateControllerServiceRequest(csi.ControllerServiceCapability_RPC_CREATE_DELETE_VOLUME); err != nil { diff --git a/pkg/wekafs/mounter.go b/pkg/wekafs/mounter.go index bd39c29f..658913bf 100644 --- a/pkg/wekafs/mounter.go +++ b/pkg/wekafs/mounter.go @@ -30,13 +30,14 @@ type wekaMount struct { type mountsMap map[fsMountRequest]*wekaMount type wekaMounter struct { - mountMap mountsMap - lock sync.Mutex - kMounter mount.Interface - debugPath string + mountMap mountsMap + lock sync.Mutex + kMounter mount.Interface + debugPath string + selinuxSupport bool } -func (m *wekaMount) incRef(apiClient *apiclient.ApiClient) error { +func (m *wekaMount) incRef(apiClient *apiclient.ApiClient, selinuxSupport bool) error { m.lock.Lock() defer m.lock.Unlock() if m.refCount < 0 { @@ -44,7 +45,7 @@ func (m *wekaMount) incRef(apiClient *apiclient.ApiClient) error { m.refCount = 0 // to make sure that we don't have negative refcount later } if m.refCount == 0 { - if err := m.doMount(apiClient); err != nil { + if err := m.doMount(apiClient, selinuxSupport); err != nil { return err } } 
@@ -81,14 +82,15 @@ func (m *wekaMount) doUnmount() error { return err } -func (m *wekaMount) doMount(apiClient *apiclient.ApiClient) error { +func (m *wekaMount) doMount(apiClient *apiclient.ApiClient, selinuxSupport bool) error { glog.Infof("Creating mount for filesystem %s on mount point %s", m.fsRequest.fs, m.mountPoint) mountToken := "" + var mountOptionsSensitive []string if err := os.MkdirAll(m.mountPoint, DefaultVolumePermissions); err != nil { return err } if m.debugPath == "" { - mountOptions := getMountOptions(m.fsRequest) + mountOptions := getMountOptions(m.fsRequest, selinuxSupport) if apiClient == nil { glog.V(3).Infof("No API client for mount, not requesting mount token") } else { @@ -97,16 +99,14 @@ func (m *wekaMount) doMount(apiClient *apiclient.ApiClient) error { if mountToken, err = apiClient.GetMountTokenForFilesystemName(m.fsRequest.fs); err != nil { return err } - mountOptions = append(mountOptions, fmt.Sprintf("token=%s", mountToken)) + mountOptionsSensitive = append(mountOptionsSensitive, fmt.Sprintf("token=%s", mountToken)) } - - glog.V(3).Infof("Calling k8s mounter for fs: %s (xattr %t) @ %s, authenticated: %s", - m.fsRequest.fs, m.fsRequest.xattr, m.mountPoint, func() string { + glog.V(3).Infof("Calling k8s mounter for fs: %s (xattr %t) @ %s, options: %s, authenticated: %s", + m.fsRequest.fs, m.fsRequest.xattr, m.mountPoint, mountOptions, func() string { return strconv.FormatBool(mountToken != "") }(), ) - - return m.kMounter.Mount(m.fsRequest.fs, m.mountPoint, "wekafs", mountOptions) + return m.kMounter.MountSensitive(m.fsRequest.fs, m.mountPoint, "wekafs", mountOptions, mountOptionsSensitive) } else { fakePath := filepath.Join(m.debugPath, m.fsRequest.fs) if err := os.MkdirAll(fakePath, DefaultVolumePermissions); err != nil { 
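Review bot: The split between `mountOptions` and `mountOptionsSensitive` in doMount is undocumented, and the new log line prints `mountOptions` verbatim, so a later edit that appends a credential to the wrong slice would write it to the V(3) log. A comment above the token append would pin the intent: `// token goes only into mountOptionsSensitive: mountOptions is logged below, the sensitive slice is handed to MountSensitive separately`. As a style point, the immediately-invoked closure around `strconv.FormatBool(mountToken != "")` can be dropped by passing `mountToken != ""` with a `%t` verb. doMount's debug branch continues outside the hunk.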
@@ -122,11 +122,14 @@ func getDefaultMountOptions() []string { return []string{"writecache"} } -func getMountOptions(fs *fsMountRequest) []string { +func getMountOptions(fs *fsMountRequest, selinuxSupport bool) []string { var mountOptions = getDefaultMountOptions() if fs.xattr { mountOptions = append(mountOptions, "acl") } + if selinuxSupport { + mountOptions = append(mountOptions, "fscontext=\"system_u:object_r:wekafs_csi_volume_t:s0\"") + } return mountOptions } @@ -163,7 +166,7 @@ func (m *wekaMounter) mountParams(fs string, xattr bool, apiClient *apiclient.Ap request := fsMountRequest{fs, xattr} m.initFsMountObject(request) mounter := m.mountMap[request] - mountErr := mounter.incRef(apiClient) + mountErr := mounter.incRef(apiClient, m.selinuxSupport) if mountErr != nil { glog.Errorf("Failed mounting %s at %s: %e", fs, mounter.mountPoint, mountErr) @@ -187,10 +190,12 @@ func (m *wekaMounter) MountXattr(fs string, apiClient *apiclient.ApiClient) (str } func (m *wekaMounter) Unmount(fs string) error { + defer m.LogActiveMounts() return m.unmount(fs, false) } func (m *wekaMounter) UnmountXattr(fs string) error { + defer m.LogActiveMounts() return m.unmount(fs, true) } diff --git a/pkg/wekafs/nodeserver.go b/pkg/wekafs/nodeserver.go index 61fa788a..99d496a6 100644 --- a/pkg/wekafs/nodeserver.go +++ b/pkg/wekafs/nodeserver.go @@ -34,7 +34,7 @@ import ( const TopologyKeyNode = "topology.wekafs.csi/node" const TopologyLabelNode = "topology.csi.weka.io/node" const TopologyLabelWeka = "topology.csi.weka.io/global" -const WekaModule = "wekafsgw" +const WekaKernelModuleName = "wekafsgw" const crashOnNoWeka = false type nodeServer struct { 
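Review bot: The SELinux context in getMountOptions is an inline string literal with escaped quotes, so the type name `wekafs_csi_volume_t` has to be kept in step with selinux/csi-wekafs.te by hand. A named constant with a comment pointing at the policy file would make that coupling visible, e.g. `const selinuxVolumeContext = "system_u:object_r:wekafs_csi_volume_t:s0"` used as `fmt.Sprintf("fscontext=%q", selinuxVolumeContext)`. It is also worth confirming that the mount binary shipped in the image accepts the quoted value, since the option presumably reaches it without a shell to strip the quotes.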
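Review bot: The `glog.Errorf("Failed mounting %s at %s: %e", ...)` line in mountParams formats an error with the floating-point verb `%e`, so the log shows a `%!e(...)` wrapper instead of a clean message. `%v` is the intended verb: `glog.Errorf("Failed mounting %s at %s: %v", fs, mounter.mountPoint, mountErr)`. The line is unchanged context in this hunk, and the function continues outside it.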
@@ -77,9 +77,9 @@ func NewNodeServer(nodeId string, maxVolumesPerNode int64, api *apiStore, mounte func isWekaInstalled() bool { glog.Info("Checking if wekafs is installed on host") - cmd := fmt.Sprintf("lsmod | grep -w %s", WekaModule) + cmd := fmt.Sprintf("lsmod | grep -w %s", WekaKernelModuleName) res, _ := exec.Command("sh", "-c", cmd).Output() - return strings.Contains(string(res), WekaModule) + return strings.Contains(string(res), WekaKernelModuleName) } func NodePublishVolumeError(errorCode codes.Code, errorMessage string) (*csi.NodePublishVolumeResponse, error) { @@ -144,6 +144,10 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis targetPath, fsType, deviceId, readOnly, volume.GetId(), attrib, mountFlags) mountPoint, err, unmount := volume.Mount(ns.mounter, false) + if err != nil { + unmount() + return NodePublishVolumeError(codes.Internal, "Failed to mount a parent filesystem, check Authentication: "+err.Error()) + } ok, err := volume.Exists(mountPoint) if err != nil { return NodePublishVolumeError(codes.Internal, err.Error()) @@ -197,7 +201,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis return NodePublishVolumeError(codes.Internal, fmt.Sprintf("failed to Mount device: %s at %s: %s", fullPath, targetPath, errList.String())) } - // Not doing unmount, NodePublish should do unmount but only when it unmounts bind succesffully + // Not doing unmount, NodePublish should do unmount but only when it unmounts bind successfully glog.Infof("Successfully published volume %s", volume.GetId()) return &csi.NodePublishVolumeResponse{}, nil } diff --git a/pkg/wekafs/server.go b/pkg/wekafs/server.go index ca4a51be..2440a12e 100644 --- a/pkg/wekafs/server.go +++ b/pkg/wekafs/server.go 
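Review bot: The added error branch in NodePublishVolume calls `unmount()` unconditionally, which would panic if volume.Mount returns a nil cleanup function on failure. volume.Mount is not visible here, so this needs checking, and a guard `if unmount != nil { unmount() }` is cheap. The `volume.Exists` error return just below leaves without calling unmount at all, so the two failure paths treat the mount reference differently. The new message also concatenates `err.Error()` into the gRPC status sent back to the caller, so it is worth confirming that the mount error text can never carry the mount token. The function continues outside the hunk.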
@@ -79,14 +79,14 @@ func (s *nonBlockingGRPCServer) serve(endpoint string, ids csi.IdentityServer, c if proto == "unix" { addr = "/" + addr - if err := os.Remove(addr); err != nil && !os.IsNotExist(err) { //nolint: vetshadow - glog.Fatalf("Failed to remove %s, error: %s", addr, err.Error()) + if err := os.Remove(addr); err != nil && !os.IsNotExist(err) { + Die(fmt.Sprintf("Failed to remove %s, error: %s", addr, err.Error())) } } listener, err := net.Listen(proto, addr) if err != nil { - glog.Fatalf("Failed to listen: %v", err) + Die(fmt.Sprintf("Failed to listen: %v", err.Error())) } opts := []grpc.ServerOption{ @@ -96,22 +96,27 @@ func (s *nonBlockingGRPCServer) serve(endpoint string, ids csi.IdentityServer, c s.server = server if ids != nil { + glog.V(5).Infoln("Registering GRPC IdentityServer") csi.RegisterIdentityServer(server, ids) } if s.csiMmode == CsiModeController || s.csiMmode == CsiModeAll { if cs != nil { + glog.V(5).Infoln("Registering GRPC ControllerServer") csi.RegisterControllerServer(server, cs) } } if s.csiMmode == CsiModeNode || s.csiMmode == CsiModeAll { if ns != nil { + glog.V(5).Infoln("Registering GRPC NodeServer") csi.RegisterNodeServer(server, ns) } } glog.Infof("Listening for connections on address: %#v", listener.Addr()) - server.Serve(listener) + if err := server.Serve(listener); err != nil { + Die(err.Error()) + } } diff --git a/pkg/wekafs/wekafs.go b/pkg/wekafs/wekafs.go index 122ce86e..e12224ca 100644 --- a/pkg/wekafs/wekafs.go +++ b/pkg/wekafs/wekafs.go @@ -47,7 +47,8 @@ type wekaFsDriver struct { debugPath string dynamicVolPath string - csiMode CsiPluginMode + csiMode CsiPluginMode + selinuxSupport bool } type VolumeType string 
@@ -120,6 +121,12 @@ func (api *apiStore) fromParams(Username, Password, Organization, Scheme string, return api.getByHash(hash), nil } api.apis[hash] = newClient + if !newClient.SupportsAuthenticatedMounts() && Organization != apiclient.RootOrganizationName { + return nil, errors.New(fmt.Sprintf( + "Using Organization %s is not supported on Weka cluster \"%s\".\n"+ + "To support organization other than Root please upgrade to version %s or higher", + Organization, newClient.ClusterName, apiclient.MinimumSupportedWekaVersions.MountFilesystemsUsingAuthToken)) + } return newClient, nil } @@ -183,7 +190,9 @@ func NewApiStore() *apiStore { return s } -func NewWekaFsDriver(driverName, nodeID, endpoint string, maxVolumesPerNode int64, version string, debugPath string, dynmamicVolPath string, csiMode CsiPluginMode) (*wekaFsDriver, error) { +func NewWekaFsDriver( + driverName, nodeID, endpoint string, maxVolumesPerNode int64, version string, debugPath string, + dynmamicVolPath string, csiMode CsiPluginMode, selinuxSupport bool) (*wekaFsDriver, error) { if driverName == "" { return nil, errors.New("no driver name provided") } @@ -214,14 +223,14 @@ func NewWekaFsDriver(driverName, nodeID, endpoint string, maxVolumesPerNode int6 dynamicVolPath: dynmamicVolPath, csiMode: csiMode, // either "controller", "node", "all" api: NewApiStore(), + selinuxSupport: selinuxSupport, }, nil } func (driver *wekaFsDriver) Run() { // Create GRPC servers - mounter := &wekaMounter{mountMap: mountsMap{}, debugPath: driver.debugPath} + mounter := &wekaMounter{mountMap: mountsMap{}, debugPath: driver.debugPath, selinuxSupport: driver.selinuxSupport} gc := initDirVolumeGc(mounter) - // identity server runs always glog.Info("Loading IdentityServer") driver.ids = NewIdentityServer(driver.name, driver.version) diff --git a/release.sh b/release.sh index 5ece7e93..0b425cb6 100755 --- a/release.sh +++ b/release.sh 
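Review bot: In fromParams the new organization check runs after `api.apis[hash] = newClient`, so a client that is rejected here stays in the store. The `return api.getByHash(hash), nil` just above the hunk looks like a cache-hit path; if it is, a second call with the same parameters gets the stored client back without passing the check. Moving the assignment below the `if` block, directly before `return newClient, nil`, closes that gap. `errors.New(fmt.Sprintf(...))` can also be written as `fmt.Errorf(...)`. The function starts outside the hunk.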
@@ -187,18 +187,18 @@ check_settings() { if ! git_check_repo_clean ; then [[ $GIT_BRANCH_NAME == master ]] && log_fatal "Performing release on master with dirty repo is not allowed!" - [[ $BUILD_MODE == beta ]] || [[ $BUILD_MODE == release ]] && log_fatal "Cannot perform release with dirty repository" + [[ $BUILD_MODE =~ beta ]] || [[ $BUILD_MODE == release ]] && log_fatal "Cannot perform release with dirty repository" [[ -z ${ALLOW_DIRTY} ]] && log_fatal "Cannot proceed, repository is dirty!" log_message WARNING "Allowing Dirty repository" fi if [[ $NO_TESTS ]]; then - [[ $BUILD_MODE == beta ]] || [[ $BUILD_MODE == release ]] && log_fatal "Release without tests is not allowed" + [[ $BUILD_MODE =~ beta ]] || [[ $BUILD_MODE == release ]] && log_fatal "Release without tests is not allowed" fi [[ $BUILD_MODE == local ]] && log_message WARNING "Deploying a LOCAL build only" [[ $BUILD_MODE == dev ]] && log_message WARNING "Deploying a DEV build, which will not be officially published" - [[ $BUILD_MODE == beta ]] && log_message NOTICE "Deploying a BETA build, which will not be officially published" + [[ $BUILD_MODE =~ beta ]] && log_message NOTICE "Deploying a BETA build, which will not be officially published" [[ $BUILD_MODE == release ]] && log_message NOTICE "Performing an official release!" VERSION_STRING="${VERSION_STRING/#v/}" @@ -234,8 +234,8 @@ dev Also triggered automatically if BUILDKITE_BRANCH='dev' To be used for further testing on Kubernetes. In this mode, on top of local - Docker image will be pushed to repository, so it could be installed on remote server -beta To be used for releasing a Beta version for a customer. In this mode, on top of dev: - - A '-beta' suffix will be added to version string +beta* To be used for releasing a Beta version for a customer. In this mode, on top of dev: + - A '-beta*' suffix will be added to version string - A Helm chart will is pushed S3 repository release Also triggered automatically if BUILDKITE_BRANCH='ga' 
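Review bot: `[[ $BUILD_MODE =~ beta ]]` in check_settings is an unanchored regex, so it is true for any value that merely contains `beta`, while the case arm in main only accepts values that start with it. Anchoring keeps the two in agreement: `[[ $BUILD_MODE =~ ^beta ]]`, or the glob form `[[ $BUILD_MODE == beta* ]]`. The same test appears in the handle_envvars hunk and in the last main hunk further down. Both functions continue outside their hunks.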
@@ -273,7 +273,7 @@ handle_envvars() { VERSION_STRING="${VERSION_STRING:-$(git_calc_next_tag)}" if [[ -z $EXPLICIT_VERSION ]]; then [[ $BUILD_MODE == dev ]] && VERSION_STRING+="-dev" - [[ $BUILD_MODE == beta ]] && VERSION_STRING+="-beta" + [[ $BUILD_MODE =~ beta ]] && VERSION_STRING+="-$BUILD_MODE" git_check_repo_clean || VERSION_STRING+="-dirty" fi @@ -312,8 +312,8 @@ main() { BUILD_MODE=dev shift ;; - beta) - BUILD_MODE=beta + beta*) + BUILD_MODE="$1" shift ;; release) @@ -358,7 +358,7 @@ main() { helm-docs -c deploy/helm -o ../../../README.md -t ../../README.md.gotmpl -s file git_commit_manifests git_push_tag v"$VERSION_STRING" - [[ $BUILD_MODE == beta ]] && log_message NOTICE "Done building Beta build $VERSION_STRING" && exit 0 + [[ $BUILD_MODE =~ beta ]] && log_message NOTICE "Done building Beta build $VERSION_STRING" && exit 0 helm_update_registry log_message NOTICE "All done!" } diff --git a/selinux/README.md b/selinux/README.md new file mode 100644 index 00000000..0197259c --- /dev/null +++ b/selinux/README.md 
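Review bot: The `beta*)` arm in main stores `"$1"` in BUILD_MODE without validating the suffix, and handle_envvars then appends it to VERSION_STRING, which reaches `git_push_tag v"$VERSION_STRING"`. Anything typed after `beta` therefore ends up in the published tag name. Restricting the suffix in the arm keeps release identifiers predictable: `[[ $1 =~ ^beta[0-9A-Za-z.]*$ ]] || log_fatal "Invalid beta build mode: $1"`. main continues outside the hunk.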
@@ -0,0 +1,142 @@ +# CSI WekaFS SELinux Support + +## General Information +When installing Weka CSI plugin on SELinux-enabled Kubernetes cluster, pods might be denied access +to the persistent volumes provisioned on top of Weka filesystem. + +The reason behind this is a lack of permissions for containers to access objects stored on Weka cluster. + +In this directory you can find a custom policy that provides all the necessary security configuration to optionally +enable pod access to WekaFS-based Persistent Volumes, and it should be applied +on each Kubernetes worker node that is intended to service WekaFS-based persistent volumes. + +The provided policy allows processes with `container_t` seclabel to access objects having `wekafs_t` label (which is set for all files and directories of mounted CSI volumes). + +The policy comes both as a Type Enforcement file, and as a precompiled policy package. +In order to use Weka CSI Plugin with SELinux enforcement, the following steps must be performed: + +## Custom SELinux Policy Installation +1. Distribute the SELinux policy package to all Kubernetes nodes, by using either one of those options: + * Clone Weka CSI Plugin Github repository, by issuing + ```shell + git clone https://github.com/weka/csi-wekafs.git + ``` + * Copy the content of `selinux` directory directly to Kubernetes nodes +2. Apply the policy package directly by issuing: + ```shell + $ semodule -i csi-wekafs.pp + ``` + Check that the policy was applied correctly: + ```shell + $ getsebool -a | grep wekafs + container_use_wekafs --> off + ``` + If the output matches mentioned above, skip to step 4. Otherwise, proceed to step 3 to build the policy from sources. +3. In certain circumstances (e.g. different Kernel version or Linux distribution), + the pre-compiled policy installation could fail. In this case, the policy must be built + and installed from source by following the procedure below. 
+ ```shell + $ checkmodule -M -m -o csi-wekafs.mod csi-wekafs.te + $ semodule_package -o csi-wekafs.pp -m csi-wekafs.mod + $ make -f /usr/share/selinux/devel/Makefile csi-wekafs.pp + $ semodule -i csi-wekafs.pp + ``` + > **NOTE**: for this purpose, `policycoreutils-devel` package + > (or its alternative in case of Linux distribution different from RedHat family) is required + + Check that the policy was applied correctly: + ```shell + $ getsebool -a | grep wekafs + container_use_wekafs --> off + ``` + +4. The policy provides a boolean setting which allows on-demand enablement of relevant permissions. + To enable WekaFS CSI volumes access from pods, perform the command + ```shell + $ setsebool container_use_wekafs=on + ``` + To disable access, perform the command + ```shell + $ setsebool container_use_wekafs=off + ``` + The configuration changes are applied immediately. + +## CSI Plugin Installation and Configuration +1. Weka CSI Plugin must be installed in a SELinux-compatible mode to correctly label volumes. + This can be done by setting the `selinuxSupport` value to either `"enforced"` or `"mixed"`, either via editing values.yaml or by passing the parameter directly in Helm installation command, e.g. + ```shell + $ helm install --upgrade csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace --set selinuxSupport=enforced + ``` + > **NOTE:** `enforced` and `mixed` modes are supported for CSI SELinux support. + > * When `selinuxSupport` is set to `enforced`, only SELinux-enabled CSI plugin node components will be installed + > * When `selinuxSupport` is set to `mixed`, both non-SELinux and SELinux-enabled components will be installed + > * When `selinuxSupport` is set to `off`, only non-SELinux CSI plugin node components will be installed. + > + > **NOTE:** Since SELinux status cannot be known from within CSI plugin pod, + > a certain way of distinguishing between SELinux-enabled and non-SELinux nodes needs to be established. 
+ > Binding of relevant CSI node component to node is mutually exclusive and relies on node affinity mechanism by matching host labels. + Hence, the following label must be set on each SELinux-enabled Kubernetes node to ensure the plugin start in compatibility mode: + ```shell + csi.weka.io/selinux_enabled="true" + ``` + > **NOTE:** If another label stating SELinux support is already maintained on nodes, the expected label name may be changed by editing the `selinuxNodeLabel` parameter + > by either modifying it in `values.yaml` or by setting it directly during plugin installation, e.g. + > ```shell + > $ helm install --upgrade csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace --set selinuxSupport=mixed --set selinuxNodeLabel="selinux_enabled" + > ``` + + > **NOTE:** If node label was modified after Weka CSI Plugin node component has already + > deployed on that node, terminate the csi-wekafs-node-XXXX component on the affected node, + > a replacement pod will be scheduled on the node automatically, but with correct SELinux configuration. + +## Checking Plugin Operation & Troubleshooting + +1. Make sure you have configured a valid CSI API [`secret`](../examples/dynamic_api/csi-wekafs-api-secret.yaml),Create a valid Weka CSI Plugin [`storageClass`](../examples/dynamic_api) + > **NOTE**: If using an example `storageClass`, make sure to update endpoints and credentials prior to apply +2. Provision a [`PersistentVolumeClaim`](../examples/dynamic_api/pvc-wekafs-dir-api.yaml) +3. Provision a [`DaemonSet`](../examples/dynamic_api/csi-daemonset.app-on-dir-api.yaml), in order to be able access of all pods on all nodes +4. 
Monitor the pod logs using a command below, nothing should be printed in log files: + ```shell + $ kubectl logs -f -lapp=csi-daemonset-app-on-dir-api + ``` + IF the command returns a repeating message like the one below, it seems that the node on which the relevant pod is running is misconfigured: + ```shell + /bin/sh: can't create /data/csi-wekafs-test-api-gldmk.txt: Permission denied + ``` + +5. Obtain node name from the pod: + ```shell + $ kubectl get pod csi-wekafs-test-api-gldmk -o wide + NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES + csi-wekafs-test-api-gldmk 1/1 Running 0 98m 10.244.15.2 don-kube-8 + ``` + +6. Connect to the relevant node and check if Weka CSI SELinux policy is installed and enabled + ```shell + $ getsebool -a | grep wekafs + container_use_wekafs --> on + ``` + * If the output matches example, proceed to next step. + * If no output, policy is not installed, proceed to [Custom SELinux Policy Installation](#Custom SELinux Policy Installation) + * If the policy is off, enable it and check output of the pod again by issuing + ```shell + $ setsebool container_use_wekafs=on + ``` +7. Check if the node is labeled with plugin is operating in SELinux-compatible mode by issuing the following command: + ```shell + $ kubectl describe node don-kube-8 | grep csi.weka.io/selinux_enabled + csi.weka.io/selinux_enabled=true + ``` + * If the output is empty, proceed to [CSI Plugin Installation and Configuration](#CSI Plugin Installation and Configuration) + > **NOTE:** If the label was missing and added by you during troubleshooting, the CSI node server component must be restarted on the node. + Perform the following command to terminate the relevant pod and another instance will start automatically: + > ```shell + > $ POD=$(kubectl get pod -n csi-wekafs -lcomponent=csi-wekafs-node -o wide | grep -w don-kube-8 | cut -d" " -f1) + > $ kubectl delete pod -n csi-wekafs $POD + >``` + * If the output matches example, proceed to next step +8. 
Collect CSI node server logs from the matching Kubernetes nodes and contact Weka Customer Success Team: + ```shell + $ POD=$(kubectl get pod -n csi-wekafs -lcomponent=csi-wekafs-node -o wide | grep -w don-kube-8 | cut -d" " -f1) + $ kubectl logs -n csi-wekafs -c wekafs $POD > log.txt + ``` diff --git a/selinux/csi-wekafs.mod b/selinux/csi-wekafs.mod new file mode 100644 index 00000000..4bed5552 Binary files /dev/null and b/selinux/csi-wekafs.mod differ diff --git a/selinux/csi-wekafs.pp b/selinux/csi-wekafs.pp new file mode 100644 index 00000000..a74df66a Binary files /dev/null and b/selinux/csi-wekafs.pp differ diff --git a/selinux/csi-wekafs.te b/selinux/csi-wekafs.te new file mode 100644 index 00000000..75346b52 --- /dev/null +++ b/selinux/csi-wekafs.te @@ -0,0 +1,23 @@ + +module csi-wekafs 1.0; + +type wekafs_t alias { wekafs_filesystem_t wekafs_csi_volume_t }; + +require { + type unlabeled_t; + type container_var_lib_t; + type container_t; + class file { create open getattr setattr read write append rename link unlink ioctl lock }; + class dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write }; + attribute spoolfile, file_type, non_security_file_type, non_auth_file_type; +} + +bool container_use_wekafs false; + +typeattribute wekafs_csi_volume_t spoolfile, file_type, non_security_file_type, non_auth_file_type; + +#============= container_t ============== +if (container_use_wekafs) { + allow container_t wekafs_csi_volume_t:file { create open getattr setattr read write append rename link unlink ioctl lock }; + allow container_t wekafs_csi_volume_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write }; +} \ No newline at end of file diff --git a/tests/csi-sanity/_docker_run_sanity.sh b/tests/csi-sanity/_docker_run_sanity.sh index 0f70b6c3..68871888 100755 --- a/tests/csi-sanity/_docker_run_sanity.sh 
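Review bot: The allow rules in csi-wekafs.te are keyed on type only, and the driver mounts every volume with the fixed context `system_u:object_r:wekafs_csi_volume_t:s0`, which carries no MCS categories. With `container_use_wekafs` on, SELinux therefore does not appear to separate one pod's WekaFS volume from another's: any `container_t` process that can reach the path passes the check. That trade-off deserves a comment above the `if (container_use_wekafs)` block and a sentence in the README. `unlabeled_t` and `container_var_lib_t` are required but not referenced by any visible rule. The committed `.pp` and `.mod` binaries cannot be reviewed against the `.te`, so building them in the release pipeline would be easier to audit.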
+++ b/tests/csi-sanity/_docker_run_sanity.sh @@ -3,6 +3,7 @@ set -e rm -rf /tmp/weka-csi-test/sanity-workspace/ rm -rf /tmp/weka-csi-test/filesystems +rm -rf /tmp/csi-test-staging csi-sanity -csi.stagingdir /tmp/csi-test-staging \ --csi.controllerendpoint /tmp/weka-csi-test/controller.sock \