Kubeedge / CSI distributed provisioning
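# this kubeconfig points to the apiserver via edgecore's metaServer
# metaServer is available via localhost bc the pod runs with hostNetwork=true
# ensure that metaServer is enabled and listens on the node's internal IP (not 127.0.0.1)
# NOTE(review): the server URL below uses 127.0.0.1 while the line above asks
# for the node's internal IP; confirm which address metaServer has to bind to.
apiVersion: v1
kind: ConfigMap
metadata:
  name: csi-kubeconfig
  namespace: kubeedge
data:
  # The kubeconfig embeds a bearer token. ConfigMap data is not handled as a
  # secret: every subject with get/list on configmaps in the kubeedge
  # namespace can read it (the external-controller-cfg Role on this page
  # grants exactly that to csi-controller). Prefer a Secret, or a projected
  # service-account token, if the consumer allows it.
  #
  # ${USER_TOKEN_VALUE} is a placeholder and has to be substituted before the
  # manifest is applied; kubectl does not expand it.
  #
  # The server URL is plain http, so the token is sent unencrypted. As written
  # the traffic stays on the loopback interface of the edge node.
  kubeconfig: |
    apiVersion: v1
    kind: Config
    current-context: local
    contexts:
      - name: local
        context:
          cluster: local
          user: local
    clusters:
      - name: local
        cluster:
          server: http://127.0.0.1:10550
    users:
      - name: local
        user:
          token: ${USER_TOKEN_VALUE}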
---
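# Runs the CSI sidecars (provisioner, attacher, node-driver-registrar) next to
# the hostpath demo driver on every node labelled node-role.kubernetes.io/edge.
# All containers talk to the driver through the shared socket /csi/csi.sock.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: csi-hostpath-controller
  namespace: kubeedge
spec:
  selector:
    matchLabels:
      app: csi-hostpath-controller
  template:
    metadata:
      labels:
        app: csi-hostpath-controller
    spec:
      serviceAccountName: csi-controller
      # The pod shares the node's network namespace so that the sidecars can
      # reach edgecore's metaServer on the address set in csi-kubeconfig.
      hostNetwork: true
      nodeSelector:
        node-role.kubernetes.io/edge: ""
      # Images are referenced by tag only; pin them by digest where the edge
      # nodes must run exactly the image that was reviewed.
      containers:
        # see docs: https://github.com/kubernetes-csi/external-provisioner#deployment-on-each-node
        # Authenticates with the token from the mounted kubeconfig, not with
        # the pod's service-account token.
        # NOTE(review): presumably that token belongs to csi-controller; confirm.
        - name: csi-provisioner
          image: k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0
          imagePullPolicy: IfNotPresent
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          args:
            # v=5 is debug-level verbosity; lower it outside of a demo.
            - '-v=5'
            - '--csi-address=/csi/csi.sock'
            - '--timeout=15s'
            - '--node-deployment'
            - '--node-deployment-immediate-binding=false'
            - '--strict-topology'
            - '--immediate-topology=false'
            - '--kubeconfig=/etc/kubeconfig/kubeconfig'
          volumeMounts:
            - mountPath: /csi
              name: csi-socket-dir
            - mountPath: /etc/kubeconfig
              name: kubeconfig
        # docs: https://github.com/kubernetes-csi/external-attacher
        - name: csi-attacher
          image: k8s.gcr.io/sig-storage/csi-attacher:v3.4.0
          imagePullPolicy: IfNotPresent
          args:
            - '--v=5'
            - '--csi-address=/csi/csi.sock'
            - '--kubeconfig=/etc/kubeconfig/kubeconfig'
          volumeMounts:
            - mountPath: /csi
              name: csi-socket-dir
            - mountPath: /etc/kubeconfig
              name: kubeconfig
        # docs: https://github.com/kubernetes-csi/node-driver-registrar
        - name: node-driver-registrar
          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
          args:
            - '--v=5'
            - '--csi-address=/csi/csi.sock'
            - '--kubelet-registration-path=/var/lib/edged/plugins/csi-hostpath/csi.sock'
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                # Removes the driver's registration entries from the host's
                # plugins_registry directory (mounted at /registration) when
                # the container stops.
                command:
                  - /bin/sh
                  - '-c'
                  - 'rm -rf /registration/csi-hostpath /registration/csi-hostpath-reg.sock'
          securityContext:
            # NOTE(review): this container only uses the /csi and
            # /registration host directories; check whether it works
            # unprivileged on the target nodes before keeping full privileges.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: csi-socket-dir
            - mountPath: /registration
              name: registration-dir
        # this one is just for demo purposes
        # replace it with what you need
        # docs: https://github.com/kubernetes-csi/csi-driver-host-path
        - name: csi-hostpath-driver
          image: k8s.gcr.io/sig-storage/hostpathplugin:v1.7.3
          imagePullPolicy: IfNotPresent
          args:
            - '--drivername=csi-hostpath'
            - '--v=5'
            - '--nodeid=$(KUBE_NODE_NAME)'
            - '--statedir=/csi-state-dir'
            - '--endpoint=unix:///csi/csi.sock'
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          securityContext:
            # privileged: true already grants every capability and allows
            # privilege escalation, so the two settings above it are redundant.
            # Bidirectional mount propagation (used below) requires a
            # privileged container, so a compromise of this container is a
            # compromise of the node.
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - SYS_ADMIN
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: csi-socket-dir
            # Mounts made by the driver under these two paths propagate back
            # to the host.
            - mountPath: /var/lib/edged/plugins
              mountPropagation: Bidirectional
              name: plugins-dir
            - mountPath: /var/lib/edged/pods
              mountPropagation: Bidirectional
              name: mountpoint-dir
            - mountPath: /csi-state-dir
              name: csi-state-dir
      # Every hostPath below is DirectoryOrCreate, i.e. the directory is
      # created on the node if it does not exist yet.
      volumes:
        - hostPath:
            path: /var/lib/edged/plugins/csi-hostpath
            type: DirectoryOrCreate
          name: csi-socket-dir
        - hostPath:
            path: /var/lib/edged/plugins_registry
            type: DirectoryOrCreate
          name: registration-dir
        - hostPath:
            path: /var/lib/edged/plugins
            type: DirectoryOrCreate
          name: plugins-dir
        - hostPath:
            path: /var/lib/edged/pods
            type: DirectoryOrCreate
          name: mountpoint-dir
        - hostPath:
            path: /var/lib/csi-hostpath-state
            type: DirectoryOrCreate
          name: csi-state-dir
        # NOTE(review): no container in this pod mounts kubeedge-socket-dir;
        # drop the volume if it is not needed.
        - hostPath:
            path: /var/lib/kubeedge
            type: DirectoryOrCreate
          name: kubeedge-socket-dir
        # Holds the kubeconfig with the bearer token used by the provisioner
        # and the attacher.
        - name: kubeconfig
          configMap:
            name: csi-kubeconfig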
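---
# Identity referenced by serviceAccountName in the csi-hostpath-controller
# DaemonSet. It is bound to the ClusterRole external-controller-runner and to
# the Role external-controller-cfg further down.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-controller
  namespace: kubeedge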
---
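# Cluster-wide permissions for the CSI sidecars (provisioner and attacher
# rules combined in one role).
# NOTE(review): compare the verbs with the rbac.yaml published for the exact
# sidecar versions deployed and grant nothing beyond that.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-controller-runner
rules:
  # get/list on secrets in every namespace. The bearer token for this
  # identity is shipped to the edge nodes in the csi-kubeconfig ConfigMap, so
  # anyone who can read that ConfigMap or a node's copy of it gains this
  # access.
  # NOTE(review): the rule is only needed when the driver is configured with
  # provisioning secrets; nothing on this page shows the hostpath demo driver
  # using any. Confirm and remove the rule if unused.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]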
---
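# Grants the cluster-wide rules of external-controller-runner to the
# csi-controller service account in the kubeedge namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-role
subjects:
  - kind: ServiceAccount
    name: csi-controller
    namespace: kubeedge
roleRef:
  kind: ClusterRole
  name: external-controller-runner
  apiGroup: rbac.authorization.k8s.io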
---
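# Namespaced permissions on endpoints, configmaps and leases in kubeedge.
# The configmaps rule covers every ConfigMap in the namespace, including
# csi-kubeconfig, which carries the bearer token.
# NOTE(review): endpoints/configmaps/leases are the resources sidecars use
# for leader election, but no sidecar on this page is started with a
# leader-election flag. Confirm whether this Role is needed at all; if it is,
# restrict it with resourceNames.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kubeedge
  name: external-controller-cfg
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]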
---
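# Grants the namespaced rules of external-controller-cfg to the
# csi-controller service account; both live in the kubeedge namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-role-cfg
  namespace: kubeedge
subjects:
  - kind: ServiceAccount
    name: csi-controller
    namespace: kubeedge
roleRef:
  kind: Role
  name: external-controller-cfg
  apiGroup: rbac.authorization.k8s.io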