kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml

# Single identity shared by the whole plugin pod: every sidecar RBAC role
# bound in this file targets this account, so any container that can read
# the pod's service-account token holds the union of those roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: csi-hostpathplugin-sa
  labels:
    app.kubernetes.io/component: serviceaccount
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
---
# Cluster-scoped grant: the plugin service account receives the rules of the
# external-attacher-runner ClusterRole in every namespace. The role itself is
# not defined in this file.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-attacher-cluster-role
  labels:
    app.kubernetes.io/component: attacher-cluster-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  # The namespace is fixed here and has to match the namespace the
  # ServiceAccount is actually created in.
  - kind: ServiceAccount
    namespace: default
    name: csi-hostpathplugin-sa
roleRef:
  kind: ClusterRole
  name: external-attacher-runner
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped grant of the external-health-monitor-controller-runner
# ClusterRole (defined outside this file) to the plugin service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-health-monitor-controller-cluster-role
  labels:
    app.kubernetes.io/component: health-monitor-controller-cluster-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  # Must name the namespace the ServiceAccount really lives in.
  - kind: ServiceAccount
    namespace: default
    name: csi-hostpathplugin-sa
roleRef:
  kind: ClusterRole
  name: external-health-monitor-controller-runner
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped grant of the external-provisioner-runner ClusterRole
# (defined outside this file) to the plugin service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-provisioner-cluster-role
  labels:
    app.kubernetes.io/component: provisioner-cluster-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  # Must name the namespace the ServiceAccount really lives in.
  - kind: ServiceAccount
    namespace: default
    name: csi-hostpathplugin-sa
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped grant of the external-resizer-runner ClusterRole
# (defined outside this file) to the plugin service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-resizer-cluster-role
  labels:
    app.kubernetes.io/component: resizer-cluster-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  # Must name the namespace the ServiceAccount really lives in.
  - kind: ServiceAccount
    namespace: default
    name: csi-hostpathplugin-sa
roleRef:
  kind: ClusterRole
  name: external-resizer-runner
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped grant of the external-snapshotter-runner ClusterRole
# (defined outside this file) to the plugin service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-snapshotter-cluster-role
  labels:
    app.kubernetes.io/component: snapshotter-cluster-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  # Must name the namespace the ServiceAccount really lives in.
  - kind: ServiceAccount
    namespace: default
    name: csi-hostpathplugin-sa
roleRef:
  kind: ClusterRole
  name: external-snapshotter-runner
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced grant of the external-attacher-cfg Role (defined outside this
# file) to the plugin service account.
# NOTE(review): neither the binding nor its subject names a namespace, so both
# depend on how the manifest is applied; ServiceAccount subjects normally need
# one. Presumably the deploying tooling fills it in; verify.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-attacher-role
  labels:
    app.kubernetes.io/component: attacher-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  - kind: ServiceAccount
    name: csi-hostpathplugin-sa
roleRef:
  kind: Role
  name: external-attacher-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced grant of the external-health-monitor-controller-cfg Role (defined
# outside this file) to the plugin service account.
# NOTE(review): no namespace on the binding or its subject; presumably filled
# in by the deploying tooling; verify.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-health-monitor-controller-role
  labels:
    app.kubernetes.io/component: health-monitor-controller-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  - kind: ServiceAccount
    name: csi-hostpathplugin-sa
roleRef:
  kind: Role
  name: external-health-monitor-controller-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced grant of the external-provisioner-cfg Role (defined outside this
# file) to the plugin service account.
# NOTE(review): no namespace on the binding or its subject; presumably filled
# in by the deploying tooling; verify.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-provisioner-role
  labels:
    app.kubernetes.io/component: provisioner-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  - kind: ServiceAccount
    name: csi-hostpathplugin-sa
roleRef:
  kind: Role
  name: external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced grant of the external-resizer-cfg Role (defined outside this
# file) to the plugin service account.
# NOTE(review): no namespace on the binding or its subject; presumably filled
# in by the deploying tooling; verify.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-resizer-role
  labels:
    app.kubernetes.io/component: resizer-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  - kind: ServiceAccount
    name: csi-hostpathplugin-sa
roleRef:
  kind: Role
  name: external-resizer-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced grant of the external-snapshotter-leaderelection Role (defined
# outside this file) to the plugin service account. Unlike the other sidecar
# Roles bound in this file, this one is not named "*-cfg".
# NOTE(review): no namespace on the binding or its subject; presumably filled
# in by the deploying tooling; verify.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-hostpathplugin-snapshotter-role
  labels:
    app.kubernetes.io/component: snapshotter-role
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/instance: hostpath.csi.k8s.io
subjects:
  - kind: ServiceAccount
    name: csi-hostpathplugin-sa
roleRef:
  kind: Role
  name: external-snapshotter-leaderelection
  apiGroup: rbac.authorization.k8s.io
---
# Runs the hostpath CSI driver and all of its sidecars in a single pod.
# Six of the eight containers run privileged and the pod mounts host
# directories (kubelet state, /dev), so a compromise of any privileged
# container here should be treated as a compromise of the node.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: csi-hostpathplugin
  namespace: default
  labels:
    app.kubernetes.io/instance: hostpath.csi.k8s.io
    app.kubernetes.io/part-of: csi-driver-host-path
    app.kubernetes.io/name: csi-hostpathplugin
    app.kubernetes.io/component: plugin
spec:
  serviceName: "csi-hostpathplugin"
  # One replica only:
  # Host path driver only works when everything runs
  # on a single node.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: hostpath.csi.k8s.io
      app.kubernetes.io/part-of: csi-driver-host-path
      app.kubernetes.io/name: csi-hostpathplugin
      app.kubernetes.io/component: plugin
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: hostpath.csi.k8s.io
        app.kubernetes.io/part-of: csi-driver-host-path
        app.kubernetes.io/name: csi-hostpathplugin
        app.kubernetes.io/component: plugin
    spec:
      # One service account for every container in the pod; the sidecar roles
      # bound to it in this file are therefore available to all of them.
      serviceAccountName: csi-hostpathplugin-sa
      containers:
        # The CSI driver itself. It serves the CSI socket that every sidecar
        # below connects to through the shared socket-dir volume.
        - name: hostpath
          # NOTE(review): this and the other images are referenced by tag, not
          # by digest, so the content behind the reference can change; pin by
          # digest where supply-chain integrity matters.
          image: registry.k8s.io/sig-storage/hostpathplugin:v1.15.0
          args:
            - "--drivername=hostpath.csi.k8s.io"
            - "--v=5"
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--nodeid=$(KUBE_NODE_NAME)"
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            # Node name taken from the pod's own spec (downward API).
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          securityContext:
            # Bidirectional mount propagation (used below) is only permitted
            # for privileged containers. Together with the /dev and kubelet
            # hostPath mounts this gives the driver full access to the host.
            privileged: true
          ports:
          # Declared here, but the listener is the liveness-probe container
          # (--health-port=9898); containers of a pod share one network
          # namespace.
          - containerPort: 9898
            name: healthz
            protocol: TCP
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 2
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            # Bidirectional: mounts made inside the container become visible
            # on the host (and to other pods using the same host path).
            - mountPath: /var/lib/kubelet/pods
              mountPropagation: Bidirectional
              name: mountpoint-dir
            - mountPath: /var/lib/kubelet/plugins
              mountPropagation: Bidirectional
              name: plugins-dir
            - mountPath: /csi-data-dir
              name: csi-data-dir
            # The host's whole /dev tree is visible inside the driver.
            - mountPath: /dev
              name: dev-dir

        # No securityContext is set for this sidecar, so it runs with the
        # container runtime's default (non-privileged) settings.
        - name: csi-external-health-monitor-controller
          image: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1
          args:
            - "--v=5"
            - "--csi-address=$(ADDRESS)"
            - "--leader-election"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: socket-dir
              mountPath: /csi

        # Registers the driver's socket with kubelet through the
        # registration-dir volume.
        - name: node-driver-registrar
          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
          args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            # NOTE(review): per the above, clusters without SELinux can drop
            # this so the sidecar does not run privileged.
            privileged: true
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
          - mountPath: /registration
            name: registration-dir
          # NOTE(review): the PV data directory is mounted into the registrar
          # as well; confirm it is actually needed here.
          - mountPath: /csi-data-dir
            name: csi-data-dir

        # Serves the health endpoint on port 9898 that the hostpath
        # container's livenessProbe queries. No securityContext is set.
        - name: liveness-probe
          volumeMounts:
          - mountPath: /csi
            name: socket-dir
          image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0
          args:
          - --csi-address=/csi/csi.sock
          - --health-port=9898

        - name: csi-attacher
          image: registry.k8s.io/sig-storage/csi-attacher:v4.7.0
          args:
            - --v=5
            - --csi-address=/csi/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            privileged: true
          volumeMounts:
          - mountPath: /csi
            name: socket-dir

        - name: csi-provisioner
          image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0
          args:
            - -v=5
            - --csi-address=/csi/csi.sock
            - --feature-gates=Topology=true
            # end csi-provisioner args
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir

        - name: csi-resizer
          image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0
          args:
            - -v=5
            - -csi-address=/csi/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir

        - name: csi-snapshotter
          image: registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0
          args:
            - -v=5
            - --csi-address=/csi/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir

      # Every volume is a hostPath, i.e. a directory of the node's own
      # filesystem. DirectoryOrCreate creates the path when it is missing;
      # Directory requires it to exist already.
      volumes:
        # Host directory holding the CSI socket; mounted at /csi in every
        # container.
        - hostPath:
            path: /var/lib/kubelet/plugins/csi-hostpath
            type: DirectoryOrCreate
          name: socket-dir
        - hostPath:
            path: /var/lib/kubelet/pods
            type: DirectoryOrCreate
          name: mountpoint-dir
        - hostPath:
            path: /var/lib/kubelet/plugins_registry
            type: Directory
          name: registration-dir
        - hostPath:
            path: /var/lib/kubelet/plugins
            type: Directory
          name: plugins-dir
        - hostPath:
            # 'path' is where PV data is persisted on the host.
            # Using /tmp is also possible, but then the PVs will not be
            # available after plugin container recreation or host reboot.
            path: /var/lib/csi-hostpath-data/
            type: DirectoryOrCreate
          name: csi-data-dir
        # Exposes the host's device nodes to the driver container.
        - hostPath:
            path: /dev
            type: Directory
          name: dev-dir