Setting up Block Storage for VPC for unmanaged clusters
The following documentation covers the steps to deploy the Block Storage for VPC driver on unmanaged OpenShift Container Platform clusters in IBM Cloud. This process is unsupported and any issues with the steps or the driver must be recreated in a Red Hat OpenShift cluster to receive support.
Virtual Private Cloud
Want to use Block Storage for VPC in an IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud cluster? See Setting up Block Storage for VPC for more information.
Prerequisites
To use the Block Storage for VPC driver, complete the following tasks:
- Create an Red Hat OpenShift on IBM Cloud cluster on VPC infrastructure.
- Label your worker nodes.
- Create your storage secret.
- Create an image pull secret that uses your IAM credentials.
Labeling your worker nodes
Before you can deploy the Block Storage for VPC driver, you must prepare your worker nodes by adding the required labels.
Before you begin, Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
-
Retrieve the following details of your VPC instance. These parameters are used to apply labels to your worker nodes.
<instanceID>- The VPC instance ID. To retrieve this value, runibmcloud is ins.<node-name>- The names of the worker nodes. To retrieve this value, runkubectl get nodes.<region-of-instanceID>and<zone-of-instanceID>- The region and zone that your VPC instance is in. To retrieve these values, runibmcloud is in <instanceID>. Example region value:eu-de. Example zone value:eu-de-1.
-
Copy the following shell script and save it to a file on your local machine called
setup.sh#!/bin/bash function help() { echo "Run the script in the following format..." echo "./setup.sh <node-name> <instanceID> <region-of-instanceID> <zone-of-instanceID>" exit 1 } function apply_labels() { kubectl label nodes $1 "ibm-cloud.kubernetes.io/worker-id"=$2 kubectl label nodes $1 "failure-domain.beta.kubernetes.io/region"=$3 kubectl label nodes $1 "failure-domain.beta.kubernetes.io/zone"=$4 kubectl label nodes $1 "topology.kubernetes.io/region"=$3 kubectl label nodes $1 "topology.kubernetes.io/zone"=$4 } function verify_node() { kubectl get nodes | grep $1 if (( $? == 0 )) then return 0 else return 1 fi } if (( $# < 4 )) then help fi node=$1 instanceID=$2 region=$3 zone=$4 verify_node $node if (( $? == 0 )) then apply_labels $node $instanceID $region $zone else echo "Node " \'$node\' " not found in the cluster, please check the node or passing correct parameters while executing script" help fi -
Label your worker nodes by running the shell script and specifying the parameters that you retrieved earlier. Repeat this step for each worker node in your cluster.
sh setup.sh <node-name> <instanceID> <region-of-instanceID> <zone-of-instanceID>
Retrieving IAM and VPC details
To create the Kubernetes secret that is used in the Block Storage for VPC ConfigMap, you must retrieve your IAM and VPC details.
-
Retrieve the following configuration parameter values. These values are used to create the Kubernetes secret that is required for Block Storage for VPC.
<g2_api_key>- The IAM API key. You can use your existing API key or you can create an API key by running theibmcloud iam api-key-create NAMEcommand.<g2_riaas_endpoint>- The VPC regional endpoint of your VPC cluster in the formathttps://<region>.iaas.cloud.ibm.com. Example:https://eu-de.iaas.cloud.ibm.com. For more information, see VPC endpoints.<g2_resource_group_id>- To retrieve this value, run theibmcloud is vpc <vpc-ID>command and note theResource groupfield.
-
Save the following TOML configuration file to your local machine called
config.toml. Make sure that there are no blank lines between the values and no blank lines at the end of the file.[server] debug_trace = false [vpc] iam_client_id = "bx" iam_client_secret = "bx" g2_token_exchange_endpoint_url = "https://iam.bluemix.net" g2_riaas_endpoint_url = "<g2_riaas_endpoint>" g2_resource_group_id = "<resource_group_id>" g2_api_key = "<IAM_API_key>" provider_type = "g2" -
Enter the values that you retrieved earlier and encode the TOML file to base64. Save the base64 output to use in the Block Storage driver ConfigMap.
cat ./config.toml | base64
Creating the image pull secret in your cluster
Create an image pull secret in your cluster. The secret you create is used to pull the Block Storage for VPC driver images.
-
Review and retrieve the following values for your image pull secret.
<docker-username>- Enter the string:iamapikey.<docker-password>- Enter your IAM API key. For more information about IAM API keys, see Understanding API keys.<docker-email>- Enter the string:iamapikey.
-
Run the following command to create the image pull secret in your cluster. Note that your secret must be named
icr-io-secret.oc create secret docker-registry icr-io-secret --docker-server=icr.io --docker-username=iamapikey --docker-password=-<iam-api-key> --docker-email=iamapikey -n kube-system
Creating the Block Storage for VPC driver deployment
Select the Block Storage for VPC driver ConfigMap that matches the operating system of your worker nodes. When you create the deployment in your cluster, the Block Storage for VPC driver and storage classes are installed.
-
Save one of the following YAML configurations to a file on your local machine called
configmap.yaml. Select the ConfigMap based on your cluster operating system. -
Add the encoded TOML configuration details that you created earlier to the ConfigMap in the
slclient.tomlsecret configuration section. -
Create the ConfigMap in your cluster.
oc create -f configmap.yaml -
Verify that the driver pods are deployed and the status is
Running.oc get pods -n kube-system | grep vpc -
Verify that the
csidriversare created.oc get csidrivers | grep vpcExample output:
NAME ATTACHREQUIRED PODINFOONMOUNT MODES AGE vpc.block.csi.ibm.io true true Persistent 8m26s -
Verify that the storage classes are created.
oc get scExample output
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 8d ibmc-vpc-block-10iops-tier (default) vpc.block.csi.ibm.io Delete Immediate false 9m ibmc-vpc-block-5iops-tier vpc.block.csi.ibm.io Delete Immediate false 9m ibmc-vpc-block-custom vpc.block.csi.ibm.io Delete Immediate false 9m ibmc-vpc-block-general-purpose vpc.block.csi.ibm.io Delete Immediate false 9m ibmc-vpc-block-retain-10iops-tier vpc.block.csi.ibm.io Retain Immediate false 9m ibmc-vpc-block-retain-5iops-tier vpc.block.csi.ibm.io Retain Immediate false 8m59s ibmc-vpc-block-retain-custom vpc.block.csi.ibm.io Retain Immediate false 8m59s ibmc-vpc-block-retain-general-purpose vpc.block.csi.ibm.io Retain Immediate false 8m59s
Deploying a stateful set that uses Block Storage for VPC
After you deploy the Block Storage for VPC driver, you can create deployments that leverage Block Storage for VPC. The following stateful set dynamically provisions Block Storage for VPC volumes by creating PVCs that use ibmc-vpc-block-5iops-tier storage class.
- Save the following YAML configuration as a file on your local machine called
statefulset.yaml.apiVersion: v1 kind: Service metadata: name: nginx labels: app: nginx spec: ports: - port: 80 name: web clusterIP: None selector: app: nginx --- apiVersion: apps/v1 kind: StatefulSet metadata: name: web spec: serviceName: "nginx" replicas: 2 podManagementPolicy: "Parallel" selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx securityContext: privileged: false image: k8s.gcr.io/nginx-slim:0.8 ports: - containerPort: 80 name: web volumeMounts: - name: www mountPath: /usr/share/nginx/html tolerations: - operator: Exists volumeClaimTemplates: - metadata: annotations: volume.beta.kubernetes.io/storage-class: ibmc-vpc-block-5iops-tier name: www spec: accessModes: - ReadWriteOnce # access mode resources: requests: storage: 25Gi # - Create the stateful set in your cluster.
kubectl create -f statefulset.yaml - Verify that the stateful set pods are running.
Example outputkubectl get podsNAME READY STATUS RESTARTS AGE web-0 1/1 Running 0 2m52s web-1 1/1 Running 0 2m52s
Removing the Block Storage for VPC driver
If you no longer want to use the Block Storage for VPC driver in your cluster, you can remove the ConfigMap to remove the driver pods.
Removing the Block Storage for VPC driver from your cluster does not remove the data in your storage volumes. If you want to fully remove your PVs and PVCs, see Cleaning up persistent storage.
- Delete the
ibm-vpc-block-csi-configmapConfigMap from your cluster.oc rm cm ibm-vpc-block-csi-configmap -n kube-system - Verify that the ConfigMap is removed.
oc get cm -n kube-system | grep ibm-vpc-block-csi-configmap
Config map reference
Select one of the following configmaps based on your worker node operating system.
RHEL or CentOS ConfigMap
Save the following ConfigMap YAML as a file on your local machine.
apiVersion: v1
items:
- apiVersion: v1
data:
CSI_ENDPOINT: unix:/csi/csi.sock
IKS_BLOCK_PROVIDER_NAME: iks-vpc
IKS_ENABLED: "False"
SECRET_CONFIG_PATH: /etc/storage_ibmc
VPC_API_GENERATION: "1"
VPC_API_TIMEOUT: 180s
VPC_API_VERSION: "2019-07-02"
VPC_BLOCK_PROVIDER_NAME: vpc
VPC_ENABLED: "True"
VPC_RETRY_ATTEMPT: "10"
VPC_RETRY_INTERVAL: "120"
kind: ConfigMap
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-configmap
namespace: kube-system
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: v1
data:
cluster-config.json: |
{}
kind: ConfigMap
metadata:
annotations:
name: cluster-info
namespace: kube-system
- apiVersion: v1
data:
slclient.toml: # Enter the base64 encoded TOML file that you created earlier
kind: Secret
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
kubernetes.io/cluster-service: "true"
name: storage-secret-store
namespace: kube-system
type: Opaque
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-driver-registrar-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-provisioner-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-role
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-external-attacher-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
name: vpc.block.csi.ibm.io
spec:
attachRequired: true
podInfoOnMount: true
volumeLifecycleModes:
- Persistent
- apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-node
namespace: kube-system
spec:
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REGISTRATION_SOCK)
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REGISTRATION_SOCK
value: /var/lib/kubelet/plugins/vpc.block.csi.ibm.io/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
imagePullPolicy: Always
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /registration/vpc.block.csi.ibm.io /registration/vpc.block.csi.ibm.io-reg.sock
name: csi-driver-registrar
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: false
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- args:
- --v=5
- --endpoint=unix:/csi/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
imagePullPolicy: Always
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
name: iks-vpc-block-node-driver
ports:
- containerPort: 9808
name: healthz
protocol: TCP
resources:
limits:
cpu: 200m
memory: 250Mi
requests:
cpu: 20m
memory: 50Mi
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: true
volumeMounts:
- mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
name: kubelet-data-dir
- mountPath: /csi
name: plugin-dir
- mountPath: /dev
name: device-dir
- mountPath: /etc/udev
name: etcudevpath
- mountPath: /run/udev
name: runudevpath
- mountPath: /lib/udev
name: libudevpath
- mountPath: /sys
name: syspath
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
- args:
- --csi-address=/csi/csi.sock
image: quay.io/k8scsi/livenessprobe:v2.0.0
name: liveness-probe
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: false
resources:
limits:
cpu: 50m
memory: 50Mi
requests:
cpu: 5m
memory: 10Mi
volumeMounts:
- mountPath: /csi
name: plugin-dir
serviceAccountName: ibm-vpc-block-node-sa
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
name: registration-dir
- hostPath:
path: /var/lib/kubelet
type: Directory
name: kubelet-data-dir
- hostPath:
path: /var/lib/kubelet/plugins/vpc.block.csi.ibm.io/
type: DirectoryOrCreate
name: plugin-dir
- hostPath:
path: /dev
type: Directory
name: device-dir
- hostPath:
path: /etc/udev
type: Directory
name: etcudevpath
- hostPath:
path: /run/udev
type: Directory
name: runudevpath
- hostPath:
path: /lib/udev
type: Directory
name: libudevpath
- hostPath:
path: /sys
type: Directory
name: syspath
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
- apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
serviceName: ibm-vpc-block-service
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
securityContext:
runAsNonRoot: true
runAsUser: 2121
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --timeout=600s
- --feature-gates=Topology=true
env:
- name: ADDRESS
value: /csi/csi.sock
image: quay.io/k8scsi/csi-provisioner:v1.6.0
securityContext:
privileged: false
allowPrivilegeEscalation: false
imagePullPolicy: Always
name: csi-provisioner
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --csi-address=/csi/csi.sock
- --timeout=900s
image: quay.io/k8scsi/csi-attacher:v2.2.0
securityContext:
privileged: false
allowPrivilegeEscalation: false
imagePullPolicy: Always
name: csi-attacher
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --csi-address=/csi/csi.sock
image: quay.io/k8scsi/livenessprobe:v2.0.0
name: liveness-probe
securityContext:
privileged: false
allowPrivilegeEscalation: false
resources:
limits:
cpu: 50m
memory: 50Mi
requests:
cpu: 5m
memory: 10Mi
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --endpoint=$(CSI_ENDPOINT)
- --lock_enabled=false
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
imagePullPolicy: Always
securityContext:
privileged: false
allowPrivilegeEscalation: false
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
name: iks-vpc-block-driver
ports:
- containerPort: 9808
name: healthz
protocol: TCP
resources:
limits:
cpu: 500m
memory: 500Mi
requests:
cpu: 50m
memory: 100Mi
volumeMounts:
- mountPath: /csi
name: socket-dir
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
serviceAccountName: ibm-vpc-block-controller-sa
volumes:
- emptyDir: {}
name: socket-dir
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
volumeClaimTemplates: []
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
storageclass.beta.kubernetes.io/is-default-class: "true"
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-10iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 10iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-5iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 5iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-custom
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
iops: "400"
profile: custom
region: ""
resourceGroup: ""
sizeIOPSRange: |-
[10-39]GiB:[100-1000]
[40-79]GiB:[100-2000]
[80-99]GiB:[100-4000]
[100-499]GiB:[100-6000]
[500-999]GiB:[100-10000]
[1000-1999]GiB:[100-20000]
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-general-purpose
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: general-purpose
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-10iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 10iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-5iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 5iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-custom
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
iops: "400"
profile: custom
region: ""
resourceGroup: ""
sizeIOPSRange: |-
[10-39]GiB:[100-1000]
[40-79]GiB:[100-2000]
[80-99]GiB:[100-4000]
[100-499]GiB:[100-6000]
[500-999]GiB:[100-10000]
[1000-1999]GiB:[100-20000]
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.3_354
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-general-purpose
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: general-purpose
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
kind: List
metadata:
annotations:
version: 2.0.3_354
name: ibm-vpc-block-csi-driver
namespace: kube-system
Ubuntu ConfigMap
Save the following the YAML configuration as a file on your local machine.
apiVersion: v1
items:
- apiVersion: v1
data:
CSI_ENDPOINT: unix:/csi/csi.sock
IKS_BLOCK_PROVIDER_NAME: iks-vpc
IKS_ENABLED: "False"
SECRET_CONFIG_PATH: /etc/storage_ibmc
VPC_API_GENERATION: "1"
VPC_API_TIMEOUT: 180s
VPC_API_VERSION: "2019-07-02"
VPC_BLOCK_PROVIDER_NAME: vpc
VPC_ENABLED: "True"
VPC_RETRY_ATTEMPT: "10"
VPC_RETRY_INTERVAL: "120"
kind: ConfigMap
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-configmap
namespace: kube-system
- apiVersion: v1
data:
cluster-config.json: |
{}
kind: ConfigMap
metadata:
annotations:
name: cluster-info
namespace: kube-system
- apiVersion: v1
data:
slclient.toml: # Enter the base64 encoded TOML file that you created earlier.
kind: Secret
metadata:
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
kubernetes.io/cluster-service: "true"
name: storage-secret-store
namespace: kube-system
type: Opaque
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-driver-registrar-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-driver-registrar-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-node-sa
namespace: kube-system
- apiVersion: v1
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: icr-io-secret
kind: ServiceAccount
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-provisioner-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-provisioner-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-role
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: vpc-block-external-attacher-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vpc-block-external-attacher-role
subjects:
- kind: ServiceAccount
name: ibm-vpc-block-controller-sa
namespace: kube-system
- apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-node
namespace: kube-system
spec:
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REGISTRATION_SOCK)
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REGISTRATION_SOCK
value: /var/lib/kubelet/csi-plugins/vpc.block.csi.ibm.io/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /registration/vpc.block.csi.ibm.io /registration/vpc.block.csi.ibm.io-reg.sock
name: csi-driver-registrar
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: false
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- args:
- --v=5
- --endpoint=unix:/csi/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
imagePullPolicy: IfNotPresent
name: iks-vpc-block-node-driver
securityContext:
runAsNonRoot: false
runAsUser: 0
privileged: true
volumeMounts:
- mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
name: kubelet-data-dir
- mountPath: /csi
name: plugin-dir
- mountPath: /dev
name: device-dir
- mountPath: /etc/udev
name: etcudevpath
- mountPath: /run/udev
name: runudevpath
- mountPath: /lib/udev
name: libudevpath
- mountPath: /sys
name: syspath
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
serviceAccountName: ibm-vpc-block-node-sa
volumes:
- hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
name: registration-dir
- hostPath:
path: /var/lib/kubelet
type: Directory
name: kubelet-data-dir
- hostPath:
path: /var/lib/kubelet/csi-plugins/vpc.block.csi.ibm.io/
type: DirectoryOrCreate
name: plugin-dir
- hostPath:
path: /dev
type: Directory
name: device-dir
- hostPath:
path: /etc/udev
type: Directory
name: etcudevpath
- hostPath:
path: /run/udev
type: Directory
name: runudevpath
- hostPath:
path: /lib/udev
type: Directory
name: libudevpath
- hostPath:
path: /sys
type: Directory
name: syspath
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
- apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
name: ibm-vpc-block-csi-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: ibm-vpc-block-csi-driver
serviceName: ibm-vpc-block-service
template:
metadata:
labels:
app: ibm-vpc-block-csi-driver
spec:
securityContext:
runAsNonRoot: true
runAsUser: 2121
containers:
- args:
- --v=5
- --csi-address=$(ADDRESS)
- --timeout=600s
- --feature-gates=Topology=true
env:
- name: ADDRESS
value: /csi/csi.sock
image: quay.io/k8scsi/csi-provisioner:v1.3.1
securityContext:
privileged: false
allowPrivilegeEscalation: false
name: csi-provisioner
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --csi-address=/csi/csi.sock
- --timeout=900s
image: quay.io/k8scsi/csi-attacher:v2.0.0
name: csi-attacher
securityContext:
privileged: false
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /csi
name: socket-dir
- args:
- --v=5
- --endpoint=$(CSI_ENDPOINT)
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: ibm-vpc-block-csi-configmap
image: icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
securityContext:
privileged: false
allowPrivilegeEscalation: false
imagePullPolicy: IfNotPresent
name: iks-vpc-block-driver
volumeMounts:
- mountPath: /csi
name: socket-dir
- mountPath: /etc/storage_ibmc
name: customer-auth
readOnly: true
- mountPath: /etc/storage_ibmc/cluster_info
name: cluster-info
readOnly: true
serviceAccountName: ibm-vpc-block-controller-sa
volumes:
- emptyDir: {}
name: socket-dir
- name: customer-auth
secret:
secretName: storage-secret-store
- configMap:
name: cluster-info
name: cluster-info
volumeClaimTemplates: []
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
storageclass.beta.kubernetes.io/is-default-class: "true"
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-10iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 10iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-5iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 5iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-custom
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
iops: "400"
profile: custom
region: ""
resourceGroup: ""
sizeIOPSRange: |-
[10-39]GiB:[100-1000]
[40-79]GiB:[100-2000]
[80-99]GiB:[100-4000]
[100-499]GiB:[100-6000]
[500-999]GiB:[100-10000]
[1000-1999]GiB:[100-20000]
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-general-purpose
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: general-purpose
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Delete
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-10iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 10iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-5iops-tier
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: 5iops-tier
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-custom
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
iops: "400"
profile: custom
region: ""
resourceGroup: ""
sizeIOPSRange: |-
[10-39]GiB:[100-1000]
[40-79]GiB:[100-2000]
[80-99]GiB:[100-4000]
[100-499]GiB:[100-6000]
[500-999]GiB:[100-10000]
[1000-1999]GiB:[100-20000]
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
- apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
version: 2.0.2_285
labels:
addonmanager.kubernetes.io/mode: Reconcile
app: ibm-vpc-block-csi-driver
razee/force-apply: "true"
name: ibmc-vpc-block-retain-general-purpose
parameters:
billingType: hourly
classVersion: "1"
csi.storage.k8s.io/fstype: ext4
encrypted: "false"
encryptionKey: ""
profile: general-purpose
region: ""
resourceGroup: ""
sizeRange: '[10-2000]GiB'
tags: ""
zone: ""
provisioner: vpc.block.csi.ibm.io
reclaimPolicy: Retain
kind: List
metadata:
annotations:
version: 2.0.2_285
name: ibm-vpc-block-csi-driver
namespace: kube-system