From db696785d590678d609d46e41cc4be46ef969d0e Mon Sep 17 00:00:00 2001
From: Samuel Liu <liupeng0518@gmail.com>
Date: Tue, 20 Jun 2023 02:44:21 +0800
Subject: [PATCH] update local path provisioner version and remove psp (#10054)

* update local_path_provisioner_version

* remove psp and update cm
---
 README.md                                     |  2 +-
 .../sample/group_vars/k8s_cluster/addons.yml  |  2 +-
 roles/download/defaults/main.yml              |  2 +-
 .../local_path_provisioner/tasks/main.yml     | 11 ---
 .../templates/local-path-storage-cm.yml.j2    | 72 +++++++------------
 .../templates/local-path-storage-cr.yml.j2    | 24 +++----
 .../local-path-storage-psp-cr.yml.j2          | 15 ----
 .../local-path-storage-psp-rb.yml.j2          | 14 ----
 .../templates/local-path-storage-psp.yml.j2   | 43 -----------
 tests/files/packet_almalinux8-calico.yml      |  1 +
 10 files changed, 40 insertions(+), 146 deletions(-)
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2

diff --git a/README.md b/README.md
index 694a7681c..c39f3b25e 100644
--- a/README.md
+++ b/README.md
@@ -192,7 +192,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
   - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
   - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
-  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.23
+  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
   - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
 
 ## Container Runtime Notes
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 7f27ab2f8..cb7868846 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -29,7 +29,7 @@ local_path_provisioner_enabled: false
 # local_path_provisioner_claim_root: /opt/local-path-provisioner/
 # local_path_provisioner_debug: false
 # local_path_provisioner_image_repo: "rancher/local-path-provisioner"
-# local_path_provisioner_image_tag: "v0.0.23"
+# local_path_provisioner_image_tag: "v0.0.24"
 # local_path_provisioner_helper_image_repo: "busybox"
 # local_path_provisioner_helper_image_tag: "latest"
 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 8aa992506..063a98ddf 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1097,7 +1097,7 @@ cephfs_provisioner_image_tag: "{{ cephfs_provisioner_version }}"
 rbd_provisioner_version: "v2.1.1-k8s1.11"
 rbd_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/rbd-provisioner"
 rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
-local_path_provisioner_version: "v0.0.23"
+local_path_provisioner_version: "v0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
 ingress_nginx_version: "v1.8.0"
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
index 4cf26d81d..71036ca9d 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@@ -25,17 +25,6 @@
       - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
       - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
       - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
-    local_path_provisioner_templates_for_psp_not_system_ns:
-      - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
-      - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
-      - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
-
-- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
-  set_fact:
-    local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
-  when:
-    - podsecuritypolicy_enabled
-    - local_path_provisioner_namespace != "kube-system"
 
 - name: Local Path Provisioner | Create manifests
   template:
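Review bot: Removing the three PSP entries from `local_path_provisioner_templates` stops rendering them, but nothing in this hunk deletes the `local-path-provisioner` PodSecurityPolicy, the `psp:local-path-provisioner` ClusterRole or the matching RoleBinding that earlier runs created, so on an upgraded cluster those objects are left behind until the policy API itself disappears. Unless a cleanup task exists elsewhere in the role, consider a task that removes those three objects when `podsecuritypolicy_enabled` is set, or at least a comment in this task noting that pre-existing PSP objects are not reconciled away. On clusters that still enforce PSP, the provisioner and its helper pods now depend on some other policy permitting the `hostPath` volume; that is inferred from the deleted `allowedHostPaths` rule and worth confirming. The `set_fact` task whose template list this hunk edits starts before the hunk.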
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
index 857431212..df4512441 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
@@ -6,54 +6,30 @@ metadata:
   namespace: {{ local_path_provisioner_namespace }}
 data:
   config.json: |-
-        {
-                "nodePathMap":[
-                {
-                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
-                        "paths":["{{ local_path_provisioner_claim_root }}"]
-                }
-                ]
-        }
+    {
+            "nodePathMap":[
+            {
+                    "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                    "paths":["{{ local_path_provisioner_claim_root }}"]
+            }
+            ]
+    }
   setup: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        mkdir -m 0777 -p ${absolutePath}
+    #!/bin/sh
+    set -eu
+    mkdir -m 0777 -p "$VOL_DIR"
   teardown: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        rm -rf ${absolutePath}
+    #!/bin/sh
+    set -eu
+    rm -rf "$VOL_DIR"
   helperPod.yaml: |-
-        apiVersion: v1
-        kind: Pod
-        metadata:
-          name: helper-pod
-        spec:
-          containers:
-          - name: helper-pod
-            image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: helper-pod
+    spec:
+      containers:
+      - name: helper-pod
+        image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
+        imagePullPolicy: IfNotPresent
+
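Review bot: `rm -rf "$VOL_DIR"` in `teardown` is guarded only by `set -eu`, which aborts on an unset `VOL_DIR` but not on an empty one, so an empty expansion still runs `rm -rf ""` (and `mkdir -m 0777 -p ""` in `setup`); adding `: "${VOL_DIR:?VOL_DIR must be set and non-empty}"` right after `set -eu` in both scripts makes the precondition explicit and fails early. The scripts now depend on the provisioner exporting `VOL_DIR` where the old ones parsed a `-p` flag, which appears tied to the v0.0.24 bump in this commit; a comment above `setup:` such as `# setup/teardown receive the volume path in VOL_DIR (v0.0.24+); older images passed -p instead` would save the next maintainer from re-deriving that. The new `imagePullPolicy: IfNotPresent` combined with the untagged `busybox` fallback means a node keeps whatever `busybox` it already has cached, which is fine for offline clusters but worth stating in the same comment.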
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
index c97511ab1..299db6eba 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
@@ -4,15 +4,15 @@ kind: ClusterRole
 metadata:
   name: local-path-provisioner-role
 rules:
-  - apiGroups: [""]
-    resources: ["nodes", "persistentvolumeclaims", "configmaps"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["endpoints", "persistentvolumes", "pods"]
-    verbs: ["*"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
+  - apiGroups: [ "" ]
+    resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "create", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
\ No newline at end of file
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
deleted file mode 100644
index 65a71f574..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
+++ /dev/null
@@ -1,15 +0,0 @@
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:local-path-provisioner
-  namespace: {{ local_path_provisioner_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - local-path-provisioner
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
deleted file mode 100644
index c7e6d2167..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
+++ /dev/null
@@ -1,14 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:local-path-provisioner
-  namespace: {{ local_path_provisioner_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: local-path-provisioner-service-account
-    namespace: {{ local_path_provisioner_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:local-path-provisioner
-  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
deleted file mode 100644
index 55d5adb17..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: local-path-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'secret'
-    - 'downwardAPI'
-    - 'hostPath'
-  allowedHostPaths:
-    - pathPrefix: "{{ local_path_provisioner_claim_root }}"
-      readOnly: false
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false
diff --git a/tests/files/packet_almalinux8-calico.yml b/tests/files/packet_almalinux8-calico.yml
index 1df4a64e5..63cf8bf64 100644
--- a/tests/files/packet_almalinux8-calico.yml
+++ b/tests/files/packet_almalinux8-calico.yml
@@ -9,6 +9,7 @@ metrics_server_enabled: true
 dashboard_namespace: "kube-dashboard"
 dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
+local_path_provisioner_enabled: true
 
 # NTP mangement
 ntp_enabled: true
-- 
GitLab