diff --git a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
index e01b36b1dc5ac9f8a357ad82a42686473b66210f..0d4144141badca7e967fcfdb0a8513b797263d0b 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
+++ b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
@@ -4,15 +4,15 @@ external_vsphere_insecure: "true"
external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
external_vsphere_version: "7.0u1"
-vsphere_syncer_image_tag: "v2.5.1"
-vsphere_csi_attacher_image_tag: "v3.4.0"
-vsphere_csi_controller: "v2.5.1"
-vsphere_csi_liveness_probe_image_tag: "v2.6.0"
-vsphere_csi_provisioner_image_tag: "v3.1.0"
-vsphere_csi_snapshotter_image_tag: "v5.0.1"
-vsphere_csi_node_driver_registrar_image_tag: "v2.5.0"
-vsphere_csi_driver_image_tag: "v2.5.1"
-vsphere_csi_resizer_tag: "v1.4.0"
+vsphere_syncer_image_tag: "v3.1.0"
+vsphere_csi_attacher_image_tag: "v4.3.0"
+vsphere_csi_controller: "v3.1.0"
+vsphere_csi_liveness_probe_image_tag: "v2.10.0"
+vsphere_csi_provisioner_image_tag: "v3.5.0"
+vsphere_csi_snapshotter_image_tag: "v6.2.2"
+vsphere_csi_node_driver_registrar_image_tag: "v2.8.0"
+vsphere_csi_driver_image_tag: "v3.1.0"
+vsphere_csi_resizer_tag: "v1.8.0"
# Set to kube-system for backward compatibility, should be change to vmware-system-csi on the long run
vsphere_csi_namespace: "kube-system"
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
index d7ee521ebed5c854e55d710be6a6b5788ea6378b..fb52d107e47d87812249f2005be37b01f9e43cdd 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
@@ -1,22 +1,29 @@
apiVersion: v1
data:
- "csi-migration": "false"
{% if external_vsphere_version >= "7.0" %}
"csi-auth-check": "true"
{% else %}
"csi-auth-check": "false"
{% endif %}
+ "csi-auth-check": "true"
"online-volume-extend": "true"
"trigger-csi-fullsync": "false"
"async-query-volume": "true"
+ "block-volume-snapshot": "true"
+ "csi-windows-support": "false"
+ "list-volumes": "true"
+ "pv-to-backingdiskobjectid-mapping": "false"
+ "cnsmgr-suspend-create-volume": "true"
+ "topology-preferential-datastores": "true"
+ "max-pvscsi-targets-per-vm": "true"
+ "multi-vcenter-csi-topology": "true"
+ "csi-internal-generated-cluster-id": "true"
+ "listview-tasks": "true"
+{% if vsphere_csi_controller is version('v2.7.0', '>=') %}
"improved-csi-idempotency": "true"
"improved-volume-topology": "true"
- "block-volume-snapshot": "{{ vsphere_csi_block_volume_snapshot }}"
- "csi-windows-support": "false"
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
"use-csinode-id": "true"
- "pv-to-backingdiskobjectid-mapping": "false"
- "cnsmgr-suspend-create-volume": "false"
+ "list-volumes": "false"
{% endif %}
kind: ConfigMap
metadata:
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
index 8bda5145a5b3476c013e92472d494ad21f0e9c6e..dd009d8f74a55635a26d7823bd289dda83782288 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
@@ -19,6 +19,7 @@ spec:
app: vsphere-csi-controller
role: vsphere-csi
spec:
+ priorityClassName: system-cluster-critical # Guarantees scheduling for critical system pods
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -60,6 +61,9 @@ spec:
- "--timeout=300s"
- "--csi-address=$(ADDRESS)"
- "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
- "--kube-api-qps=100"
- "--kube-api-burst=100"
{% if vsphere_csi_attacher_resources | length > 0 %}
@@ -83,6 +87,9 @@ spec:
- "--kube-api-qps=100"
- "--kube-api-burst=100"
- "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
{% if vsphere_csi_resizer_resources | length > 0 %}
resources:
{{ vsphere_csi_resizer_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@@ -99,8 +106,6 @@ spec:
args:
- "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
- "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
- - "--use-gocsi=false"
{% if vsphere_csi_resources | length > 0 %}
resources:
{{ vsphere_csi_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@@ -131,6 +136,10 @@ spec:
readOnly: true
- mountPath: {{ csi_endpoint }}
name: socket-dir
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
ports:
- name: healthz
containerPort: 9808
@@ -142,9 +151,9 @@ spec:
httpGet:
path: /healthz
port: healthz
- initialDelaySeconds: 10
- timeoutSeconds: 3
- periodSeconds: 5
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ periodSeconds: 180
failureThreshold: 3
- name: liveness-probe
image: {{ kube_image_repo }}/sig-storage/livenessprobe:{{ vsphere_csi_liveness_probe_image_tag }}
@@ -165,10 +174,16 @@ spec:
image: {{ gcr_image_repo }}/cloud-provider-vsphere/csi/release/syncer:{{ vsphere_syncer_image_tag }}
args:
- "--leader-election"
+ - "--leader-election-lease-duration=30s"
+ - "--leader-election-renew-deadline=20s"
+ - "--leader-election-retry-period=10s"
- "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
- "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
ports:
- containerPort: 2113
name: prometheus
@@ -200,10 +215,13 @@ spec:
- "--v=4"
- "--timeout=300s"
- "--csi-address=$(ADDRESS)"
-{% if vsphere_csi_controller is version('v2.2.0', '>=') %}
- "--kube-api-qps=100"
- "--kube-api-burst=100"
-{% endif %}
+ - "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
+ - "--default-fstype=ext4"
- "--leader-election"
- "--default-fstype=ext4"
# needed only for topology aware setup
@@ -213,13 +231,6 @@ spec:
resources:
{{ vsphere_csi_provisioner_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
{% endif %}
- env:
- - name: ADDRESS
- value: /csi/csi.sock
- volumeMounts:
- - mountPath: /csi
- name: socket-dir
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
- name: csi-snapshotter
image: {{ kube_image_repo }}/sig-storage/csi-snapshotter:{{ vsphere_csi_snapshotter_image_tag }}
args:
@@ -229,13 +240,15 @@ spec:
- "--timeout=300s"
- "--csi-address=$(ADDRESS)"
- "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
env:
- name: ADDRESS
value: /csi/csi.sock
volumeMounts:
- mountPath: /csi
name: socket-dir
-{% endif %}
volumes:
- name: vsphere-config-volume
secret:
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
index fd614f9a41f3fb699c1ce4ec48004c1f55dd0c11..013d3dc3f6abe40c97e453671162ec7f70e5c454 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
@@ -10,8 +10,11 @@ metadata:
name: vsphere-csi-controller-role
rules:
- apiGroups: [""]
- resources: ["nodes", "pods", "configmaps"]
+ resources: ["nodes", "pods"]
verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
index eedacf69536ebfaed2f68beb05b0230a3431c5b7..e110ee300dd9e11ae6420f7af0f87385c1a94c76 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
@@ -17,6 +17,7 @@ spec:
app: vsphere-csi-node
role: vsphere-csi
spec:
+ priorityClassName: system-node-critical
nodeSelector:
kubernetes.io/os: linux
{% if vsphere_csi_node_affinity %}
@@ -66,8 +67,6 @@ spec:
args:
- "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
- "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
- - "--use-gocsi=false"
imagePullPolicy: "Always"
{% if vsphere_csi_driver_resources | length > 0 %}
resources:
@@ -92,6 +91,8 @@ spec:
value: "true"
- name: LOGGER_LEVEL
value: "PRODUCTION" # Options: DEVELOPMENT, PRODUCTION
+ - name: GODEBUG
+ value: x509sha1=1
- name: NODEGETINFO_WATCH_TIMEOUT_MINUTES
value: "1"
securityContext: