{{- include "dynatrace-operator.platformRequired" . }} {{ if eq (include "dynatrace-operator.needCSI" .) "true" }} # Copyright 2021 Dynatrace LLC # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: apps/v1 kind: DaemonSet metadata: labels: {{- include "dynatrace-operator.csiLabels" . | nindent 4 }} {{- if .Values.csidriver.labels }} {{- toYaml .Values.csidriver.labels | nindent 4 }} {{- end}} name: dynatrace-oneagent-csi-driver namespace: {{ .Release.Namespace }} spec: revisionHistoryLimit: 10 selector: matchLabels: {{- include "dynatrace-operator.csiSelectorLabels" . | nindent 6 }} template: metadata: annotations: dynatrace.com/inject: "false" kubectl.kubernetes.io/default-container: provisioner cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" {{- if and (eq (default false .Values.apparmor) true) (ne (include "dynatrace-operator.platform" .) "openshift") }} container.apparmor.security.beta.kubernetes.io/driver: runtime/default container.apparmor.security.beta.kubernetes.io/registrar: runtime/default container.apparmor.security.beta.kubernetes.io/liveness-probe: runtime/default {{- end}} {{- if .Values.csidriver.annotations }} {{- toYaml .Values.csidriver.annotations | nindent 8 }} {{- end }} labels: {{- include "dynatrace-operator.csiLabels" . | nindent 8 }} {{- include "dynatrace-operator.csiSelectorLabels" . | nindent 8 }} {{- if .Values.csidriver.labels }} {{- toYaml .Values.csidriver.labels | nindent 8 }} {{- end }} spec: containers: # Used to receive/execute gRPC requests (NodePublishVolume/NodeUnpublishVolume) from kubelet to mount/unmount volumes for a pod # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so. # - Needs access to the filesystem of pods on the node, and mount stuff to it,needs to read/write to it, needs root permissions to do so # - Needs access to a dedicated folder on the node to persist data, needs to read/write to it. - name: server image: {{ include "dynatrace-operator.image" . }} imagePullPolicy: Always args: - csi-server - --endpoint=unix://csi/csi.sock - --node-id=$(KUBE_NODE_NAME) - --health-probe-bind-address=:10080 env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName livenessProbe: failureThreshold: 3 httpGet: path: /livez port: livez scheme: HTTP initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 ports: - containerPort: 10080 name: livez protocol: TCP resources: {{- if .Values.csidriver.server.resources }} {{- toYaml .Values.csidriver.server.resources | nindent 10 }} {{- end }} securityContext: runAsUser: 0 privileged: true # Needed for mountPropagation allowPrivilegeEscalation: true # Needed for privileged readOnlyRootFilesystem: true runAsNonRoot: false seccompProfile: type: RuntimeDefault seLinuxOptions: level: s0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: plugin-dir - mountPath: {{ include "dynatrace-operator.CSIMountPointDir" . }} mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir mountPropagation: Bidirectional - name: tmp-dir mountPath: /tmp - name: provisioner image: {{ include "dynatrace-operator.image" . }} imagePullPolicy: Always args: - csi-provisioner - --health-probe-bind-address=:10090 env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace {{- if .Values.csidriver.maxUnmountedVolumeAge }} - name: MAX_UNMOUNTED_VOLUME_AGE value: "{{ .Values.csidriver.maxUnmountedVolumeAge}}" {{- end }} livenessProbe: failureThreshold: 3 httpGet: path: /livez port: livez scheme: HTTP initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 ports: - containerPort: 10090 name: livez protocol: TCP resources: {{- if .Values.csidriver.provisioner.resources }} {{- toYaml .Values.csidriver.provisioner.resources | nindent 10 }} {{- end }} securityContext: runAsUser: 0 privileged: true # Needed for mountPropagation allowPrivilegeEscalation: true # Needed for privileged readOnlyRootFilesystem: true runAsNonRoot: false seccompProfile: type: RuntimeDefault seLinuxOptions: level: s0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /data name: data-dir mountPropagation: Bidirectional - mountPath: /tmp name: tmp-dir # Used to make a gRPC request (GetPluginInfo()) to the driver to get driver name and driver contain # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so. # Used for registering the driver with kubelet # - Needs access to the registration socket, needs to read/write to it, needs root permissions to do so. - name: registrar image: {{ include "dynatrace-operator.image" . }} imagePullPolicy: Always env: - name: DRIVER_REG_SOCK_PATH value: {{ include "dynatrace-operator.CSISocketPath" . }} args: - --csi-address=/csi/csi.sock - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) command: - csi-node-driver-registrar resources: {{- if .Values.csidriver.registrar.resources }} {{- toYaml .Values.csidriver.registrar.resources | nindent 10 }} {{- end }} securityContext: runAsUser: 0 privileged: false readOnlyRootFilesystem: true runAsNonRoot: false seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: plugin-dir - mountPath: /registration name: registration-dir - mountPath: {{ include "dynatrace-operator.CSIPluginDir" . }} name: lockfile-dir # Used to make a gRPC request (Probe()) to the driver to check if its running # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so. - name: liveness-probe image: {{ include "dynatrace-operator.image" . }} imagePullPolicy: Always args: - --csi-address=/csi/csi.sock - --health-port=9898 command: - livenessprobe resources: {{- if .Values.csidriver.livenessprobe.resources }} {{- toYaml .Values.csidriver.livenessprobe.resources | nindent 10 }} {{- end }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File securityContext: runAsUser: 0 privileged: false allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: false seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /csi name: plugin-dir dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccountName: dynatrace-oneagent-csi-driver terminationGracePeriodSeconds: 30 priorityClassName: {{ include "dynatrace-operator.CSIPriorityClassName" . }} volumes: # This volume is where the registrar registers the plugin with kubelet - name: registration-dir hostPath: path: {{ include "dynatrace-operator.CSIRegistrationDir" . }} type: Directory # This volume is where the socket for kubelet->driver communication is done - name: plugin-dir hostPath: path: {{ include "dynatrace-operator.CSIPluginDir" . }} type: DirectoryOrCreate - name: data-dir hostPath: path: {{ include "dynatrace-operator.CSIDataDir" . }} type: DirectoryOrCreate # This volume is where the driver mounts volumes - name: mountpoint-dir hostPath: path: {{ include "dynatrace-operator.CSIMountPointDir" . }} type: DirectoryOrCreate # Used by the registrar to create its lockfile - name: lockfile-dir emptyDir: {} # A volume for the driver to write temporary files to - name: tmp-dir emptyDir: {} {{- if .Values.customPullSecret }} imagePullSecrets: - name: {{ .Values.customPullSecret }} {{- end }} {{- if .Values.csidriver.nodeSelector }} nodeSelector: {{- toYaml .Values.csidriver.nodeSelector | nindent 8 }} {{- end }} tolerations: {{- if .Values.csidriver.tolerations }} {{- toYaml .Values.csidriver.tolerations | nindent 8 }} {{- end }} - key: kubernetes.io/arch value: arm64 effect: NoSchedule - key: kubernetes.io/arch value: amd64 effect: NoSchedule - key: ToBeDeletedByClusterAutoscaler operator: Exists effect: NoSchedule updateStrategy: rollingUpdate: maxUnavailable: 1 type: RollingUpdate {{- end -}}