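Setting up Block Storage for VPC for unmanaged clusters
The following documentation covers the steps to deploy the Block Storage for VPC driver on unmanaged OpenShift Container Platform clusters in IBM Cloud. This process is unsupported; any issues with the steps or the driver must be re-created in a Red Hat OpenShift cluster to receive support.
Virtual Private Cloud
Want to use Block Storage for VPC in an IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud cluster? See Setting up Block Storage for VPC for more information.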
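Prerequisites
To use the Block Storage for VPC driver, complete the following tasks:
- Create a Red Hat OpenShift on IBM Cloud cluster on VPC infrastructure.
- Label your worker nodes.
- Create the storage secret.
- Create an image pull secret that uses your IAM credentials.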
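Labeling your worker nodes
Before you can deploy the Block Storage for VPC driver, you must prepare your worker nodes by adding the required labels.
Before you begin, log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
- Retrieve the following details of your VPC instances. These parameters are used to apply labels to your worker nodes.
  <instanceID> - The VPC instance ID. To retrieve this value, run ibmcloud is ins.
  <node-name> - The name of the worker node. To retrieve this value, run kubectl get nodes.
  <region-of-instanceID> and <zone-of-instanceID> - The region and zone where the VPC instance is located. To retrieve these values, run ibmcloud is in <instanceID>. Example region value: eu-de. Example zone value: eu-de-1.
- Copy the following shell script and save it to a file named setup.sh on your local machine.
#!/bin/bash
# Label one worker node with the worker ID and the region and zone values
# that the Block Storage for VPC driver expects.

function help() {
  echo "Run the script in the following format..."
  echo "./setup.sh <node-name> <instanceID> <region-of-instanceID> <zone-of-instanceID>"
  exit 1
}

# Apply the worker ID, region, and zone labels to the node.
function apply_labels() {
  kubectl label nodes "$1" "ibm-cloud.kubernetes.io/worker-id=$2"
  kubectl label nodes "$1" "failure-domain.beta.kubernetes.io/region=$3"
  kubectl label nodes "$1" "failure-domain.beta.kubernetes.io/zone=$4"
  kubectl label nodes "$1" "topology.kubernetes.io/region=$3"
  kubectl label nodes "$1" "topology.kubernetes.io/zone=$4"
}

# Succeed only if a node with exactly this name exists in the cluster.
function verify_node() {
  kubectl get node "$1" > /dev/null 2>&1
}

if (( $# < 4 )); then
  help
fi

node=$1
instanceID=$2
region=$3
zone=$4

if verify_node "$node"; then
  apply_labels "$node" "$instanceID" "$region" "$zone"
else
  echo "Node '$node' not found in the cluster, please check the node or pass correct parameters while executing the script"
  help
fi
- Label your worker nodes by running the shell script and specifying the parameters that you retrieved earlier. Repeat this step for each worker node in your cluster. The script uses bash syntax, so run it with bash.
bash setup.sh <node-name> <instanceID> <region-of-instanceID> <zone-of-instanceID>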
Retrieving your IAM and VPC details
To create the Kubernetes secret that is used in the Block Storage for VPC ConfigMap, you must retrieve your IAM and VPC details.
- Retrieve the following configuration parameter values. These values are used to create the Kubernetes secret that Block Storage for VPC requires.
  <g2_api_key> - The IAM API key. You can use an existing API key or create one by running the ibmcloud iam api-key-create NAME command.
  <g2_riaas_endpoint> - The VPC regional endpoint of your VPC cluster, in the format https://<region>.iaas.cloud.ibm.com. Example: https://eu-de.iaas.cloud.ibm.com. For more information, see VPC endpoints.
  <g2_resource_group_id> - To retrieve this value, run the ibmcloud is vpc <vpc-ID> command and note the Resource group field.
- Save the following TOML configuration file to your local machine as config.toml. Make sure that there are no blank lines between the values or at the end of the file.
[server]
debug_trace = false
[vpc]
iam_client_id = "bx"
iam_client_secret = "bx"
g2_token_exchange_endpoint_url = "https://iam.bluemix.net"
g2_riaas_endpoint_url = "<g2_riaas_endpoint>"
g2_resource_group_id = "<resource_group_id>"
g2_api_key = "<IAM_API_key>"
provider_type = "g2"
- Enter the values that you retrieved earlier and encode the TOML file to base64. Save the base64 output to use in the Block Storage driver ConfigMap.
cat ./config.toml | base64
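The blank-line rule and the base64 step above can be checked before the value is pasted into the Secret. The following is an added example, not part of the original documentation: the function name encode_slclient_toml and the sample values are constructed for illustration, and it assumes a POSIX shell with grep, tr, mktemp, and base64.

```shell
#!/bin/sh
# Added example: pre-flight check and encoding for the config.toml above.
# encode_slclient_toml is a hypothetical helper name, not IBM tooling.

# Print the single-line base64 form of a config.toml, or fail with a reason.
encode_slclient_toml() (
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; exit 1; }

    # The page requires no blank lines between values or at the end of the file.
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f contains a blank line" >&2; exit 2
    fi

    # A value still wrapped in <...> is a placeholder that was never filled in.
    if grep -Eq '=[[:space:]]*"<[^>"]*>"' "$f"; then
        echo "$f still contains a <placeholder> value" >&2; exit 3
    fi

    # The three values retrieved in the first step must be present and non-empty.
    for key in g2_riaas_endpoint_url g2_resource_group_id g2_api_key; do
        grep -Eq "^${key}[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$f" || {
            echo "$f: missing or empty $key" >&2; exit 4; }
    done

    # The regional endpoint must use HTTPS and the format the page gives.
    grep -Eq '^g2_riaas_endpoint_url[[:space:]]*=[[:space:]]*"https://[a-z0-9-]+\.iaas\.cloud\.ibm\.com"' "$f" || {
        echo "$f: g2_riaas_endpoint_url is not https://<region>.iaas.cloud.ibm.com" >&2; exit 5; }

    # GNU base64 wraps its output at 76 columns; a wrapped value does not fit
    # on the single slclient.toml line of the Secret, so strip the newlines.
    base64 < "$f" | tr -d '\n'
    echo
)

# Constructed sample values (not real credentials). mktemp creates the file
# readable by its owner only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[server]
debug_trace = false
[vpc]
iam_client_id = "bx"
iam_client_secret = "bx"
g2_token_exchange_endpoint_url = "https://iam.bluemix.net"
g2_riaas_endpoint_url = "https://eu-de.iaas.cloud.ibm.com"
g2_resource_group_id = "constructed-resource-group-id"
g2_api_key = "constructed-api-key-not-a-real-credential"
provider_type = "g2"
EOF
encode_slclient_toml "$sample"

# base64 is an encoding, not encryption: remove plaintext copies when done.
rm -f "$sample"
```

The encoded string is equivalent to the API key itself, so treat configmap.yaml with the same care as config.toml once the value is pasted in.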
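Creating an image pull secret in your cluster
Create an image pull secret in your cluster. The secret that you create is used to pull the Block Storage for VPC driver images.
- Review and retrieve the following values for your image pull secret.
  <docker-username> - Enter the string: iamapikey.
  <docker-password> - Enter your IAM API key. For more information about IAM API keys, see Understanding API keys.
  <docker-email> - Enter the string: iamapikey.
- Run the following command to create the image pull secret in your cluster. Note that your secret must be named icr-io-secret.
oc create secret docker-registry icr-io-secret --docker-server=icr.io --docker-username=iamapikey --docker-password=<iam-api-key> --docker-email=iamapikey -n kube-system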
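The command above puts the API key on the command line, where it lands in shell history and is visible in the process list. As an added example (not from the original documentation), the following builds the same icr.io credentials as a .dockerconfigjson document from an environment variable. The helper names icr_dockerconfigjson and decode_auth, the use of IBMCLOUD_API_KEY as the source variable, and the accepted key character set are assumptions.

```shell
#!/bin/sh
# Added example: build the icr.io pull credentials without putting the key in argv.
# icr_dockerconfigjson and decode_auth are hypothetical helper names.

# Print a .dockerconfigjson document for icr.io that uses the page's fixed
# username and email (iamapikey) and the API key from $IBMCLOUD_API_KEY.
icr_dockerconfigjson() (
    key=${IBMCLOUD_API_KEY:-}
    [ -n "$key" ] || { echo "IBMCLOUD_API_KEY is not set" >&2; exit 1; }

    # Assumption: keys are limited to [A-Za-z0-9_-], so no JSON escaping is
    # needed. Anything else is refused rather than embedded unescaped.
    case $key in
        *[!A-Za-z0-9_-]*) echo "unexpected character in API key" >&2; exit 2 ;;
    esac

    # "auth" is base64(username:password) on a single line.
    auth=$(printf '%s' "iamapikey:$key" | base64 | tr -d '\n')

    printf '{"auths":{"icr.io":{"username":"iamapikey","password":"%s","email":"iamapikey","auth":"%s"}}}\n' \
        "$key" "$auth"
)

# Extract and decode the auth field of such a document (read from stdin),
# to confirm what a stored pull secret actually contains.
decode_auth() {
    sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Constructed demonstration key (not a real credential).
( IBMCLOUD_API_KEY=constructed_KEY-0123456789
  icr_dockerconfigjson | decode_auth
  echo )

# With a real key in IBMCLOUD_API_KEY, create the secret from a file that
# only you can read, then remove the file:
#   ( umask 077; icr_dockerconfigjson > dockercfg.json )
#   oc create secret docker-registry icr-io-secret \
#       --from-file=.dockerconfigjson=dockercfg.json -n kube-system
#   rm -f dockercfg.json
```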
Creating the Block Storage for VPC driver deployment
Choose the Block Storage for VPC driver ConfigMap that matches the operating system of your worker nodes. When you create the deployment in your cluster, the Block Storage for VPC driver and storage classes are installed.
- Save one of the following YAML configurations to a file named configmap.yaml on your local machine. Select the ConfigMap based on your cluster operating system.
- Add the encoded TOML configuration details that you created earlier to the slclient.toml field in the secret section of the ConfigMap.
- Create the ConfigMap in your cluster.
oc create -f configmap.yaml
- Verify that the driver pods are deployed and that their status is Running.
oc get pods -n kube-system | grep vpc
- Verify that the csidrivers are created.
oc get csidrivers | grep vpc
Example output:
NAME                   ATTACHREQUIRED   PODINFOONMOUNT   MODES        AGE
vpc.block.csi.ibm.io   true             true             Persistent   8m26s
- Verify that the storage classes are created.
oc get sc
Example output:
NAME                                    PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
local-path (default)                    rancher.io/local-path   Delete          WaitForFirstConsumer   false                  8d
ibmc-vpc-block-10iops-tier (default)    vpc.block.csi.ibm.io    Delete          Immediate              false                  9m
ibmc-vpc-block-5iops-tier               vpc.block.csi.ibm.io    Delete          Immediate              false                  9m
ibmc-vpc-block-custom                   vpc.block.csi.ibm.io    Delete          Immediate              false                  9m
ibmc-vpc-block-general-purpose          vpc.block.csi.ibm.io    Delete          Immediate              false                  9m
ibmc-vpc-block-retain-10iops-tier       vpc.block.csi.ibm.io    Retain          Immediate              false                  9m
ibmc-vpc-block-retain-5iops-tier        vpc.block.csi.ibm.io    Retain          Immediate              false                  8m59s
ibmc-vpc-block-retain-custom            vpc.block.csi.ibm.io    Retain          Immediate              false                  8m59s
ibmc-vpc-block-retain-general-purpose   vpc.block.csi.ibm.io    Retain          Immediate              false                  8m59s
- Deploy a stateful set that uses Block Storage for VPC.
Deploying a stateful set that uses Block Storage for VPC
After you deploy the Block Storage for VPC driver, you can create deployments that use Block Storage for VPC. The following stateful set dynamically provisions Block Storage for VPC volumes by creating PVCs that use the ibmc-vpc-block-5iops-tier storage class.
- Save the following YAML configuration as a file named statefulset.yaml on your local machine.
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx"
  replicas: 2
  podManagementPolicy: "Parallel"
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        securityContext:
          privileged: false
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
      tolerations:
      - operator: Exists
  volumeClaimTemplates:
  - metadata:
      annotations:
        volume.beta.kubernetes.io/storage-class: ibmc-vpc-block-5iops-tier
      name: www
    spec:
      accessModes:
      - ReadWriteOnce # access mode
      resources:
        requests:
          storage: 25Gi
- Create the stateful set in your cluster.
kubectl create -f statefulset.yaml
- Verify that the stateful set pods are running.
kubectl get pods
Example output:
NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          2m52s
web-1   1/1     Running   0          2m52s
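Removing the Block Storage for VPC driver
If you no longer want to use the Block Storage for VPC driver in your cluster, you can remove the ConfigMap to remove the driver pods.
Removing the Block Storage for VPC driver from your cluster does not remove the data in your storage volumes. If you want to completely remove your PVs and PVCs, see Cleaning up persistent storage.
- Delete the ibm-vpc-block-csi-configmap ConfigMap from your cluster.
oc delete cm ibm-vpc-block-csi-configmap -n kube-system
- Verify that the ConfigMap is deleted.
oc get cm -n kube-system | grep ibm-vpc-block-csi-configmap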
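ConfigMap reference
Select one of the following ConfigMaps based on your worker node operating system.
RHEL or CentOS ConfigMap
Save the following ConfigMap YAML as a file on your local machine.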
apiVersion: v1
items:
- apiVersion: v1
  data:
    CSI_ENDPOINT: unix:/csi/csi.sock
    IKS_BLOCK_PROVIDER_NAME: iks-vpc
    IKS_ENABLED: "False"
    SECRET_CONFIG_PATH: /etc/storage_ibmc
    VPC_API_GENERATION: "1"
    VPC_API_TIMEOUT: 180s
    VPC_API_VERSION: "2019-07-02"
    VPC_BLOCK_PROVIDER_NAME: vpc
    VPC_ENABLED: "True"
    VPC_RETRY_ATTEMPT: "10"
    VPC_RETRY_INTERVAL: "120"
  kind: ConfigMap
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: ibm-vpc-block-csi-configmap
    namespace: kube-system
- apiVersion: v1
  imagePullSecrets:
  - name: bluemix-default-secret
  - name: bluemix-default-secret-regional
  - name: bluemix-default-secret-international
  - name: icr-io-secret
  kind: ServiceAccount
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: ibm-vpc-block-node-sa
    namespace: kube-system
- apiVersion: v1
  data:
    cluster-config.json: |
      {}
  kind: ConfigMap
  metadata:
    annotations:
    name: cluster-info
    namespace: kube-system
- apiVersion: v1
  data:
    slclient.toml: # Enter the base64 encoded TOML file that you created earlier
  kind: Secret
  metadata:
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      kubernetes.io/cluster-service: "true"
    name: storage-secret-store
    namespace: kube-system
  type: Opaque
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-driver-registrar-role
  rules:
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - get
    - list
    - watch
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - get
    - list
    - watch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-driver-registrar-binding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: vpc-block-driver-registrar-role
  subjects:
  - kind: ServiceAccount
    name: ibm-vpc-block-node-sa
    namespace: kube-system
- apiVersion: v1
  imagePullSecrets:
  - name: bluemix-default-secret
  - name: bluemix-default-secret-regional
  - name: bluemix-default-secret-international
  - name: icr-io-secret
  kind: ServiceAccount
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: ibm-vpc-block-controller-sa
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-provisioner-role
  rules:
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - get
    - list
    - watch
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - get
    - list
    - watch
    - update
  - apiGroups:
    - storage.k8s.io
    resources:
    - storageclasses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - list
    - watch
    - create
    - update
    - patch
  - apiGroups:
    - snapshot.storage.k8s.io
    resources:
    - volumesnapshots
    verbs:
    - get
    - list
  - apiGroups:
    - snapshot.storage.k8s.io
    resources:
    - volumesnapshotcontents
    verbs:
    - get
    - list
  - apiGroups:
    - storage.k8s.io
    resources:
    - csinodes
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - get
    - list
    - watch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-provisioner-binding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: vpc-block-provisioner-role
  subjects:
  - kind: ServiceAccount
    name: ibm-vpc-block-controller-sa
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-external-attacher-role
  rules:
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - get
    - list
    - watch
    - update
    - patch
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - csi.storage.k8s.io
    resources:
    - csinodeinfos
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - storage.k8s.io
    resources:
    - volumeattachments
    verbs:
    - get
    - list
    - watch
    - update
    - patch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: vpc-block-external-attacher-binding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: vpc-block-external-attacher-role
  subjects:
  - kind: ServiceAccount
    name: ibm-vpc-block-controller-sa
    namespace: kube-system
- apiVersion: storage.k8s.io/v1beta1
  kind: CSIDriver
  metadata:
    name: vpc.block.csi.ibm.io
  spec:
    attachRequired: true
    podInfoOnMount: true
    volumeLifecycleModes:
    - Persistent
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: ibm-vpc-block-csi-node
    namespace: kube-system
  spec:
    selector:
      matchLabels:
        app: ibm-vpc-block-csi-driver
    template:
      metadata:
        labels:
          app: ibm-vpc-block-csi-driver
      spec:
        containers:
        - args:
          - --v=5
          - --csi-address=$(ADDRESS)
          - --kubelet-registration-path=$(DRIVER_REGISTRATION_SOCK)
          env:
          - name: ADDRESS
            value: /csi/csi.sock
          - name: DRIVER_REGISTRATION_SOCK
            value: /var/lib/kubelet/plugins/vpc.block.csi.ibm.io/csi.sock
          - name: KUBE_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
          imagePullPolicy: Always
          lifecycle:
            preStop:
              exec:
                command:
                - /bin/sh
                - -c
                - rm -rf /registration/vpc.block.csi.ibm.io /registration/vpc.block.csi.ibm.io-reg.sock
          name: csi-driver-registrar
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            privileged: false
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 20Mi
          volumeMounts:
          - mountPath: /csi
            name: plugin-dir
          - mountPath: /registration
            name: registration-dir
        - args:
          - --v=5
          - --endpoint=unix:/csi/csi.sock
          env:
          - name: KUBE_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          envFrom:
          - configMapRef:
              name: ibm-vpc-block-csi-configmap
          image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
          name: iks-vpc-block-node-driver
          ports:
          - containerPort: 9808
            name: healthz
            protocol: TCP
          resources:
            limits:
              cpu: 200m
              memory: 250Mi
            requests:
              cpu: 20m
              memory: 50Mi
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            privileged: true
          volumeMounts:
          - mountPath: /var/lib/kubelet
            mountPropagation: Bidirectional
            name: kubelet-data-dir
          - mountPath: /csi
            name: plugin-dir
          - mountPath: /dev
            name: device-dir
          - mountPath: /etc/udev
            name: etcudevpath
          - mountPath: /run/udev
            name: runudevpath
          - mountPath: /lib/udev
            name: libudevpath
          - mountPath: /sys
            name: syspath
          - mountPath: /etc/storage_ibmc
            name: customer-auth
            readOnly: true
          - mountPath: /etc/storage_ibmc/cluster_info
            name: cluster-info
            readOnly: true
        - args:
          - --csi-address=/csi/csi.sock
          image: quay.io/k8scsi/livenessprobe:v2.0.0
          name: liveness-probe
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            privileged: false
          resources:
            limits:
              cpu: 50m
              memory: 50Mi
            requests:
              cpu: 5m
              memory: 10Mi
          volumeMounts:
          - mountPath: /csi
            name: plugin-dir
        serviceAccountName: ibm-vpc-block-node-sa
        tolerations:
        - operator: Exists
        volumes:
        - hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
          name: registration-dir
        - hostPath:
            path: /var/lib/kubelet
            type: Directory
          name: kubelet-data-dir
        - hostPath:
            path: /var/lib/kubelet/plugins/vpc.block.csi.ibm.io/
            type: DirectoryOrCreate
          name: plugin-dir
        - hostPath:
            path: /dev
            type: Directory
          name: device-dir
        - hostPath:
            path: /etc/udev
            type: Directory
          name: etcudevpath
        - hostPath:
            path: /run/udev
            type: Directory
          name: runudevpath
        - hostPath:
            path: /lib/udev
            type: Directory
          name: libudevpath
        - hostPath:
            path: /sys
            type: Directory
          name: syspath
        - name: customer-auth
          secret:
            secretName: storage-secret-store
        - configMap:
            name: cluster-info
          name: cluster-info
- apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
    name: ibm-vpc-block-csi-controller
    namespace: kube-system
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: ibm-vpc-block-csi-driver
    serviceName: ibm-vpc-block-service
    template:
      metadata:
        labels:
          app: ibm-vpc-block-csi-driver
      spec:
        securityContext:
          runAsNonRoot: true
          runAsUser: 2121
        containers:
        - args:
          - --v=5
          - --csi-address=$(ADDRESS)
          - --timeout=600s
          - --feature-gates=Topology=true
          env:
          - name: ADDRESS
            value: /csi/csi.sock
          image: quay.io/k8scsi/csi-provisioner:v1.6.0
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          imagePullPolicy: Always
          name: csi-provisioner
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 20Mi
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
        - args:
          - --v=5
          - --csi-address=/csi/csi.sock
          - --timeout=900s
          image: quay.io/k8scsi/csi-attacher:v2.2.0
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          imagePullPolicy: Always
          name: csi-attacher
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 20Mi
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
        - args:
          - --csi-address=/csi/csi.sock
          image: quay.io/k8scsi/livenessprobe:v2.0.0
          name: liveness-probe
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          resources:
            limits:
              cpu: 50m
              memory: 50Mi
            requests:
              cpu: 5m
              memory: 10Mi
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
        - args:
          - --v=5
          - --endpoint=$(CSI_ENDPOINT)
          - --lock_enabled=false
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          envFrom:
          - configMapRef:
              name: ibm-vpc-block-csi-configmap
          image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
          imagePullPolicy: Always
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
          name: iks-vpc-block-driver
          ports:
          - containerPort: 9808
            name: healthz
            protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 50m
              memory: 100Mi
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
          - mountPath: /etc/storage_ibmc
            name: customer-auth
            readOnly: true
          - mountPath: /etc/storage_ibmc/cluster_info
            name: cluster-info
            readOnly: true
        serviceAccountName: ibm-vpc-block-controller-sa
        volumes:
        - emptyDir: {}
          name: socket-dir
        - name: customer-auth
          secret:
            secretName: storage-secret-store
        - configMap:
            name: cluster-info
          name: cluster-info
    volumeClaimTemplates: []
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      storageclass.beta.kubernetes.io/is-default-class: "true"
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-10iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 10iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-5iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 5iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-custom
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    iops: "400"
    profile: custom
    region: ""
    resourceGroup: ""
    sizeIOPSRange: |-
      [10-39]GiB:[100-1000]
      [40-79]GiB:[100-2000]
      [80-99]GiB:[100-4000]
      [100-499]GiB:[100-6000]
      [500-999]GiB:[100-10000]
      [1000-1999]GiB:[100-20000]
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-general-purpose
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: general-purpose
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-10iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 10iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-5iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 5iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-custom
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    iops: "400"
    profile: custom
    region: ""
    resourceGroup: ""
    sizeIOPSRange: |-
      [10-39]GiB:[100-1000]
      [40-79]GiB:[100-2000]
      [80-99]GiB:[100-4000]
      [100-499]GiB:[100-6000]
      [500-999]GiB:[100-10000]
      [1000-1999]GiB:[100-20000]
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.3_354
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-general-purpose
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: general-purpose
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
kind: List
metadata:
  annotations:
    version: 2.0.3_354
  name: ibm-vpc-block-csi-driver
  namespace: kube-system
Ubuntu ConfigMap
Save the following YAML configuration as a file on your local machine.
apiVersion: v1
items:
- apiVersion: v1
data:
CSI_ENDPOINT: unix:/csi/csi.sock
IKS_BLOCK_PROVIDER_NAME: iks-vpc
IKS_ENABLED: "False"
SECRET_CONFIG_PATH: /etc/storage_ibmc
VPC_API_GENERATION: "1"
VPC_API_TIMEOUT: 180s
VPC_API_VERSION: "2019-07-02"
VPC_BLOCK_PROVIDER_NAME: vpc
VPC_ENABLED: "True"
VPC_RETRY_ATTEMPT: "10"
VPC_RETRY_INTERVAL: "120"
kind: ConfigMap
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-configmap
namespace: kube-system
- apiVersion: v1
data:
cluster-config.json: |
{}
kind: ConfigMap
metadata:
annotations:
name: cluster-info
namespace: kube-system
- apiVersion: v1
data:
slclient.toml: # Enter the base64 encoded TOML file that you created earlier.
kind: Secret
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
kubernetes.io/cluster-service: "true"
name: storage-secret-store
namespace: kube-system
type: Opaque
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-driver-registrar-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-provisioner-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-role
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-external-attacher-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-node
namespace: kube-system
spec:
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REGISTRATION_SOCK)
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REGISTRATION_SOCK
value: /var/lib/kubelet/csi-plugins/vpc.block.csi.ibm.io/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /registration/vpc.block.csi.ibm.io /registration/vpc.block.csi.ibm.io-reg.sock
name: csi-driver-registrar
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: false
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- args:
- --v=5
- --endpoint=unix:/csi/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
imagePullPolicy: IfNotPresent
name: iks-vpc-block-node-driver
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: true
volumeMounts:
- mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
name: kubelet-data-dir
- mountPath: /csi
name: plugin-dir
- mountPath: /dev
name: device-dir
- mountPath: /etc/udev
name: etcudevpath
- mountPath: /run/udev
name: runudevpath
- mountPath: /lib/udev
name: libudevpath
- mountPath: /sys
name: syspath
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
serviceAccountName: ibm-vpc-block-node-sa
volumes:
- hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
name: registration-dir
- hostPath:
path: /var/lib/kubelet
type: Directory
name: kubelet-data-dir
- hostPath:
path: /var/lib/kubelet/csi-plugins/vpc.block.csi.ibm.io/
type: DirectoryOrCreate
name: plugin-dir
- hostPath:
path: /dev
type: Directory
name: device-dir
- hostPath:
path: /etc/udev
type: Directory
name: etcudevpath
- hostPath:
path: /run/udev
type: Directory
name: runudevpath
- hostPath:
path: /lib/udev
type: Directory
name: libudevpath
- hostPath:
path: /sys
type: Directory
name: syspath
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
- apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
serviceName: ibm-vpc-block-service
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
securityContext:
runAsNonRoot: true
runAsUser: 2121
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --timeout=600s
- --feature-gates=Topology=true
env:
- name: ADDRESS
value: /csi/csi.sock
image: quay.io/k8scsi/csi-provisioner:v1.3.1
securityContext:
privileged: false
allowPrivilegeEscalation: false
name: csi-provisioner
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --csi-address=/csi/csi.sock
- --timeout=900s
image: quay.io/k8scsi/csi-attacher:v2.0.0
name: csi-attacher
securityContext:
privileged: false
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --endpoint=$(CSI_ENDPOINT)
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
securityContext:
privileged: false
allowPrivilegeEscalation: false
imagePullPolicy: IfNotPresent
name: iks-vpc-block-driver
volumeMounts:
- mountPath: /csi
name: socket-dir
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
serviceAccountName: ibm-vpc-block-controller-sa
volumes:
- emptyDir: {}
name: socket-dir
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
volumeClaimTemplates: []
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      storageclass.beta.kubernetes.io/is-default-class: "true"
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-10iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 10iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-5iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 5iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-custom
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    iops: "400"
    profile: custom
    region: ""
    resourceGroup: ""
    sizeIOPSRange: |-
      [10-39]GiB:[100-1000]
      [40-79]GiB:[100-2000]
      [80-99]GiB:[100-4000]
      [100-499]GiB:[100-6000]
      [500-999]GiB:[100-10000]
      [1000-1999]GiB:[100-20000]
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-general-purpose
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: general-purpose
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-10iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 10iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-5iops-tier
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: 5iops-tier
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-custom
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    iops: "400"
    profile: custom
    region: ""
    resourceGroup: ""
    sizeIOPSRange: |-
      [10-39]GiB:[100-1000]
      [40-79]GiB:[100-2000]
      [80-99]GiB:[100-4000]
      [100-499]GiB:[100-6000]
      [500-999]GiB:[100-10000]
      [1000-1999]GiB:[100-20000]
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      version: 2.0.2_285
    labels:
      addonmanager.kubernetes.io/mode: Reconcile
      app: ibm-vpc-block-csi-driver
      razee/force-apply: "true"
    name: ibmc-vpc-block-retain-general-purpose
  parameters:
    billingType: hourly
    classVersion: "1"
    csi.storage.k8s.io/fstype: ext4
    encrypted: "false"
    encryptionKey: ""
    profile: general-purpose
    region: ""
    resourceGroup: ""
    sizeRange: '[10-2000]GiB'
    tags: ""
    zone: ""
  provisioner: vpc.block.csi.ibm.io
  reclaimPolicy: Retain
kind: List
metadata:
  annotations:
    version: 2.0.2_285
  name: ibm-vpc-block-csi-driver
  namespace: kube-system
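
The storage classes in this manifest all ship with `encrypted: "false"` and an empty `encryptionKey`, and they differ in `reclaimPolicy` and in which one is the default. The following added example (not part of the original documentation or the driver project) audits those fields over JSON shaped like the output of `kubectl get storageclass -o json`. The function name `audit_storage_classes`, the sample class `example-broken-class`, and the rule that `encrypted: "true"` needs a non-empty `encryptionKey` are assumptions made for this example.

```python
import json

# Constructed sample shaped like `kubectl get storageclass -o json`, using
# values from two of the classes in the manifest above.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ibmc-vpc-block-10iops-tier", "annotations": {
        "storageclass.beta.kubernetes.io/is-default-class": "true"}},
     "provisioner": "vpc.block.csi.ibm.io", "reclaimPolicy": "Delete",
     "parameters": {"encrypted": "false", "encryptionKey": ""}},
    {"metadata": {"name": "ibmc-vpc-block-retain-custom", "annotations": {}},
     "provisioner": "vpc.block.csi.ibm.io", "reclaimPolicy": "Retain",
     "parameters": {"encrypted": "false", "encryptionKey": ""}},
    # Constructed misconfiguration: encryption requested, no key supplied.
    {"metadata": {"name": "example-broken-class", "annotations": {}},
     "provisioner": "vpc.block.csi.ibm.io", "reclaimPolicy": "Delete",
     "parameters": {"encrypted": "true", "encryptionKey": ""}},
]})

DEFAULT_KEYS = ("storageclass.kubernetes.io/is-default-class",
                "storageclass.beta.kubernetes.io/is-default-class")

def audit_storage_classes(doc, provisioner="vpc.block.csi.ibm.io"):
    """Return {class name: [findings]} for classes served by `provisioner`."""
    report = {}
    for sc in json.loads(doc).get("items", []):
        if sc.get("provisioner") != provisioner:
            continue
        params = sc.get("parameters") or {}
        notes = sc["metadata"].get("annotations") or {}
        findings = []
        encrypted = str(params.get("encrypted", "false")).lower() == "true"
        has_key = bool(params.get("encryptionKey", "").strip())
        if encrypted and not has_key:
            # Assumed rule: an encrypted class must name its key.
            findings.append("encrypted=true but encryptionKey is empty")
        elif not encrypted:
            findings.append("encrypted not enabled for this class")
        if sc.get("reclaimPolicy") == "Retain":
            findings.append("Retain: volume data outlives the PVC")
        if any(notes.get(k) == "true" for k in DEFAULT_KEYS):
            findings.append("default class for PVCs that name none")
        report[sc["metadata"]["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_storage_classes(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```
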