From 9894707b39bf8f82b314b7844adb763693f8a97e Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Sun, 16 May 2021 15:32:59 +0300
Subject: [PATCH] add rbac + update image

---
 README.md | 5 ++++
 daemonset.tf | 27 +++++++++++++++++--
 rbac.tf | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 12 +++++++++
 4 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100644 rbac.tf

diff --git a/README.md b/README.md
index cd2bb3b..c9d4c71 100644
--- a/README.md
+++ b/README.md
@@ -35,14 +35,19 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [kubernetes_cluster_role.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_csi_driver.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/csi_driver) | resource |
 | [kubernetes_daemonset.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/daemonset) | resource |
+| [kubernetes_service_account.csi_driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [annotations](#input\_annotations) | Optional annotations to add to EFS CSI driver resources | `map(string)` | `{}` | no |
+| [csi\_controller\_tolerations](#input\_csi\_controller\_tolerations) | CSI driver controller tolerations | `list(map(string))` | `[]` | no |
+| [log\_level](#input\_log\_level) | The log level for the CSI Driver controller | `number` | `5` | no |
 | [namespace](#input\_namespace) | Namespace for EFS CSI driver resources | `string` | `"kube-system"` | no |
 
 ## Outputs
diff --git a/daemonset.tf b/daemonset.tf
index 4a6ace4..8bef409 100644
--- a/daemonset.tf
+++ b/daemonset.tf
@@ -32,12 +32,23 @@ resource "kubernetes_daemonset" "efs" {
 operator = "Exists"
 }
 
+ dynamic "toleration" {
+ for_each = var.csi_controller_tolerations
+ content {
+ key = lookup(toleration.value, "key", null)
+ operator = lookup(toleration.value, "operator", null)
+ effect = lookup(toleration.value, "effect", null)
+ value = lookup(toleration.value, "value", null)
+ toleration_seconds = lookup(toleration.value, "toleration_seconds", null)
+ }
+ }
+
 container {
 name = "efs-plugin"
- image = "amazon/aws-efs-csi-driver:v1.0.0"
+ image = "amazon/aws-efs-csi-driver:v1.2.0"
 image_pull_policy = "IfNotPresent"
- args = ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--v=5"]
+ args = ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--v=${tostring(var.log_level)}"]
 
 env {
 name = "CSI_ENDPOINT"
@@ -83,6 +94,18 @@ resource "kubernetes_daemonset" "efs" {
 failure_threshold = 5
 }
 
+ readiness_probe {
+ http_get {
+ path = "/healthz"
+ port = "healthz"
+ }
+
+ initial_delay_seconds = 10
+ timeout_seconds = 3
+ period_seconds = 2
+ failure_threshold = 5
+ }
+
 security_context {
 privileged = true
 }
diff --git a/rbac.tf b/rbac.tf
new file mode 100644
index 0000000..4794b19
--- /dev/null
+++ b/rbac.tf
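Review bot: The `image` line in the first hunk bumps to `amazon/aws-efs-csi-driver:v1.2.0`, a mutable tag, and the container keeps `image_pull_policy = "IfNotPresent"`, so a node's cached layer and whatever the registry currently serves under that tag can diverge silently and the rollout is not reproducible; pinning the digest, `image = "amazon/aws-efs-csi-driver:v1.2.0@sha256:<DIGEST-FROM-v1.2.0-RELEASE>"`, fixes both and is the one-line change I would ask for here. The new `dynamic "toleration"` block is fed by `var.csi_controller_tolerations`, yet this resource is the node DaemonSet rather than a controller Deployment, so either the variable name should drop "controller" or a comment above the block should state that these tolerations apply to the per-node plugin pods. `--v=${tostring(var.log_level)}` interpolates the variable into the args with no range check, which is fine only if `variables.tf` constrains it. The `kubernetes_daemonset.efs` resource starts and ends outside both hunks.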
@@ -0,0 +1,73 @@
+resource "kubernetes_service_account" "csi_driver" {
+ metadata {
+ name = local.name
+ namespace = var.namespace
+ }
+ automount_service_account_token = true
+}
+
+resource "kubernetes_cluster_role" "provisioner" {
+ metadata {
+ name = "efs-csi-external-provisioner-role"
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["persistentvolumes"]
+ verbs = ["get", "list", "watch", "create", "delete"]
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["persistentvolumeclaims"]
+ verbs = ["get", "list", "watch", "update"]
+ }
+
+ rule {
+ api_groups = ["storage.k8s.io"]
+ resources = ["storageclasses"]
+ verbs = ["list", "watch", "create"]
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["events"]
+ verbs = ["list", "watch", "create"]
+ }
+
+ rule {
+ api_groups = ["storage.k8s.io"]
+ resources = ["csinodes"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["nodes"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["coordination.k8s.io"]
+ resources = ["leases"]
+ verbs = ["get", "watch", "list", "delete", "update", "create"]
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "provisioner" {
+ metadata {
+ name = "efs-csi-provisioner-binding"
+ }
+
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.provisioner.metadata[0].name
+ }
+
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account.csi_driver.metadata[0].name
+ namespace = kubernetes_service_account.csi_driver.metadata[0].namespace
+ }
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 611b310..07605f9 100644
--- a/variables.tf
+++ b/variables.tf
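Review bot: The `storageclasses` rule grants `verbs = ["list", "watch", "create"]`; a provisioner has to `get` the StorageClass whose parameters it provisions from, and `create` lets this service account define StorageClasses cluster-wide, which nothing in the module does, so `verbs = ["get", "list", "watch"]` is the least-privilege set and, as far as I recall, what the upstream external-provisioner manifest asks for (worth confirming against the v1.2.0 deploy manifests). More broadly, this ClusterRole carries cluster-wide PersistentVolume create/delete, PVC update and Lease write rights, while the only workload in the module is the privileged node DaemonSet in daemonset.tf and the patch never sets `service_account_name`; if this account does get attached to the DaemonSet, every node's plugin pod inherits controller-level storage permissions, so the node plugin should receive its own narrower role and this one should bind only to a controller Deployment. The ClusterRole and ClusterRoleBinding names are fixed literals (`efs-csi-external-provisioner-role`, `efs-csi-provisioner-binding`) while the ServiceAccount uses `local.name`, so two instances of the module in one cluster collide on the cluster-scoped objects; deriving both names from `local.name` avoids that. A file header such as `# Cluster-scoped RBAC for the external-provisioner; keep verbs to the API calls the sidecar actually makes.` would help keep the grant tight over time.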
@@ -8,4 +8,16 @@ variable "annotations" {
 description = "Optional annotations to add to EFS CSI driver resources"
 type = map(string)
 default = {}
+}
+
+variable "csi_controller_tolerations" {
+ description = "CSI driver controller tolerations"
+ type = list(map(string))
+ default = []
+}
+
+variable "log_level" {
+ description = "The log level for the CSI Driver controller"
+ default = 5
+ type = number
 }
\ No newline at end of file
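Review bot: `variable "log_level"` accepts any `number`, but daemonset.tf splices it straight into the container args as `--v=${tostring(var.log_level)}`, so a negative or fractional value is passed through unchecked; a `validation` block that pins it to a non-negative whole number catches that at plan time (this needs Terraform 0.13 or later, and I cannot see the module's required version from here). The block also lists `default` before `type`, the opposite of `csi_controller_tolerations` and `annotations` just above it, so I have reordered it to match. Both new descriptions say "controller", yet in this patch the only consumer of either variable is the `kubernetes_daemonset.efs` node plugin, so the wording is misleading unless a controller Deployment elsewhere in the module also uses them.

```hcl
variable "log_level" {
  description = "The log level for the CSI Driver controller"
  type        = number
  default     = 5

  # Requires Terraform >= 0.13 (custom variable validation).
  validation {
    condition     = var.log_level >= 0 && floor(var.log_level) == var.log_level
    error_message = "The log_level must be a non-negative whole number."
  }
}
```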