--- apiVersion: v1 kind: ServiceAccount metadata: name: csi-node-sa namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-node namespace: default rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "update"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch", "update"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-node namespace: default subjects: - kind: ServiceAccount name: csi-node-sa namespace: default roleRef: kind: ClusterRole name: csi-node apiGroup: rbac.authorization.k8s.io --- kind: DaemonSet apiVersion: apps/v1beta2 metadata: name: fsx-csi-node namespace: kube-system spec: selector: matchLabels: app: fsx-csi-node template: metadata: labels: app: fsx-csi-node spec: serviceAccount: csi-node-sa hostNetwork: true containers: - name: fsx-plugin securityContext: privileged: true image: amazon/aws-fsx-csi-driver:latest args: - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet mountPropagation: "Bidirectional" - name: plugin-dir mountPath: /csi - name: device-dir mountPath: /dev - name: csi-driver-registrar image: quay.io/k8scsi/driver-registrar:v0.4.2 args: - --csi-address=$(ADDRESS) - --mode=node-register - --driver-requires-attachment=true - --pod-info-mount-version="v1" - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v=5 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/fsx.csi.aws.com/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration volumes: - name: kubelet-dir hostPath: path: /var/lib/kubelet type: Directory - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/fsx.csi.aws.com/ type: DirectoryOrCreate - name: registration-dir hostPath: path: /var/lib/kubelet/plugins/ type: Directory - name: device-dir hostPath: path: /dev type: Directory --- apiVersion: v1 kind: ServiceAccount metadata: name: csi-controller-sa namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: external-provisioner-role rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-provisioner-binding subjects: - kind: ServiceAccount name: csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: external-provisioner-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: external-attacher-role rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-attacher-binding subjects: - kind: ServiceAccount name: csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: external-attacher-role apiGroup: rbac.authorization.k8s.io --- kind: StatefulSet apiVersion: apps/v1beta1 metadata: name: fsx-csi-controller namespace: kube-system spec: serviceName: fsx-csi-controller replicas: 1 template: metadata: labels: app: fsx-csi-controller spec: serviceAccount: csi-controller-sa priorityClassName: system-cluster-critical tolerations: - key: CriticalAddonsOnly operator: Exists containers: - name: fsx-plugin image: amazon/aws-fsx-csi-driver:latest args : - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: aws-fsx-secret key: key_id optional: true - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: aws-fsx-secret key: access_key optional: true volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-provisioner image: quay.io/k8scsi/csi-provisioner:v0.4.2 args: - --provisioner=fsx.csi.aws.com - --csi-address=$(ADDRESS) - --connection-timeout=5m - --v=5 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher image: quay.io/k8scsi/csi-attacher:v0.4.2 args: - --csi-address=$(ADDRESS) - --v=5 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ volumes: - name: socket-dir emptyDir: {}