diff --git a/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2 b/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2
index 9413376869ae3111ca4106959ff199da325de76f..2fa18f4618e79755fb6e99e7aed139b82bd06201 100644
--- a/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2
+++ b/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2
@@ -15,7 +15,6 @@ metadata:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- # rename if there are conflicts
name: snapshot-controller-runner
rules:
- apiGroups: [""]
@@ -24,9 +23,6 @@ rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
@@ -35,13 +31,37 @@ rules:
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
- verbs: ["update"]
+ verbs: ["update", "patch"]
+
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents/status"]
+ verbs: ["patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshots/status"]
+ verbs: ["update", "patch"]
+
+ # Enable this RBAC rule only when using distributed snapshotting, i.e. when the enable-distributed-snapshotting flag is set to true
+ # - apiGroups: [""]
+ # resources: ["nodes"]
+ # verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
@@ -54,7 +74,6 @@ subjects:
namespace: {{ snapshot_controller_namespace }}
roleRef:
kind: ClusterRole
- # change the name also here if the ClusterRole gets renamed
name: snapshot-controller-runner
apiGroup: rbac.authorization.k8s.io
@@ -62,12 +81,12 @@ roleRef:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- namespace: {{ snapshot_controller_namespace }}
name: snapshot-controller-leaderelection
+ namespace: {{ snapshot_controller_namespace }}
rules:
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBinding
diff --git a/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2 b/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2
index d17ffb368b43879842cf756cd8fbdbadeacab8af..a27e56fa9b25c10ab29d54b5ac25033df008597c 100644
--- a/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2
+++ b/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2
@@ -15,11 +15,12 @@ spec:
replicas: {{ snapshot_controller_replicas }}
selector:
matchLabels:
- app: snapshot-controller
- # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable
- # in #504 the snapshot-controller will exit after around 7.5 seconds if it
- # can't find the v1 CRDs so this value should be greater than that
- minReadySeconds: 15
+ app.kubernetes.io/name: snapshot-controller
+ # The snapshot controller won't be marked as ready if the v1 CRDs are unavailable.
+ # The flag --retry-crd-interval-max is used to determine how long the controller
+ # will wait for the CRDs to become available before exiting. The default is 30 seconds
+ # so minReadySeconds should be set slightly higher than the flag value.
+ minReadySeconds: 35
strategy:
rollingUpdate:
maxSurge: 0
@@ -28,13 +29,13 @@ spec:
template:
metadata:
labels:
- app: snapshot-controller
+ app.kubernetes.io/name: snapshot-controller
spec:
- serviceAccount: snapshot-controller
+ serviceAccountName: snapshot-controller
containers:
- name: snapshot-controller
image: {{ snapshot_controller_image_repo }}:{{ snapshot_controller_image_tag }}
+ imagePullPolicy: {{ k8s_image_pull_policy }}
args:
- "--v=5"
- - "--leader-election=false"
- imagePullPolicy: {{ k8s_image_pull_policy }}
+ - "--leader-election={{ 'true' if snapshot_controller_replicas > 1 else 'false' }}"
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index ca71a7b4e0477fb6613f3cb09149cba67c6623e0..ab954f4917e34da76771716e89c121e1d6bcc8ef 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -358,9 +358,9 @@ csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
csi_livenessprobe_image_tag: "v2.5.0"
snapshot_controller_supported_versions:
- v1.29: "v6.3.3"
- v1.28: "v4.2.1"
- v1.27: "v4.2.1"
+ v1.29: "v7.0.2"
+ v1.28: "v7.0.2"
+ v1.27: "v7.0.2"
snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"