From 2e2058d559909c50cd4530dc08b5a30233f61bfa Mon Sep 17 00:00:00 2001
From: Andrew Sy Kim
Date: Fri, 29 Mar 2019 16:47:27 -0400
Subject: [PATCH] update README, examples and RBAC to include leader election
---
 README.md | 7 +++++
 .../kubernetes/rbac-external-provisioner.yaml | 5 +++-
 deploy/kubernetes/rbac.yaml | 27 +++++++++++++++++++
 deploy/kubernetes/setup-csi-snapshotter.yaml | 1 +
 4 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9d4ca0d4..5abfeb10 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,13 @@ It is necessary to create a new service account and give it enough privileges to
 for i in $(find deploy/kubernetes -name '*.yaml'); do kubectl create -f $i; done
 ```
+### Running with Leader Election
+
+If you want to run external-snapshotter with higher availability, you can enable resource based leader election. To enable this, set the following flags:
+```bash
+--leader-election=true
+```
+
 ## Testing
 Running Unit Tests:
diff --git a/deploy/kubernetes/rbac-external-provisioner.yaml b/deploy/kubernetes/rbac-external-provisioner.yaml
index 65bd2e42..e4c84f61 100644
--- a/deploy/kubernetes/rbac-external-provisioner.yaml
+++ b/deploy/kubernetes/rbac-external-provisioner.yaml
@@ -59,7 +59,7 @@ roleRef:
 apiGroup: rbac.authorization.k8s.io
 ---
-# Provisioner must be able to work with endpoints in current namespace
+# Provisioner must be able to work with endpoints and leases in current namespace
 # if (and only if) leadership election is enabled
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -71,6 +71,9 @@ rules:
 - apiGroups: [""]
 resources: ["endpoints"]
 verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
 ---
 kind: RoleBinding
diff --git a/deploy/kubernetes/rbac.yaml b/deploy/kubernetes/rbac.yaml
index 7bfdb81b..3cda5487 100644
--- a/deploy/kubernetes/rbac.yaml
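Review bot: The `leases` rule added in the `@@ -71,6 +71,9 @@` hunk of rbac-external-provisioner.yaml reuses the full endpoints verb list, which looks broader than a lease lock needs. A client-go style lease lock only gets, creates and updates its own Lease object, so `watch`, `list` and `delete` are probably unused here; confirm against the leader-election code this sidecar vendors. Because the rule has no `resourceNames`, the service account can also update or delete every other Lease in the namespace, which matters when the sidecar shares a namespace with other leader-elected components. Suggested change: `verbs: ["get", "update", "create"]`, optionally with `get`/`update` split into a rule scoped by `resourceNames: ["<lease-name>"]` (placeholder; `create` cannot be restricted by name). The same verb list is added to the new `external-snapshotter-leaderelection` Role in deploy/kubernetes/rbac.yaml, and the Role this hunk edits begins outside the hunk.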
+++ b/deploy/kubernetes/rbac.yaml
@@ -63,3 +63,30 @@ roleRef:
 # change the name also here if the ClusterRole gets renamed
 name: external-snapshotter-runner
 apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: default # TODO: replace with the namespace you want for your sidecar
+ name: external-snapshotter-leaderelection
+rules:
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: external-snapshotter-leaderelection
+ namespace: default # TODO: replace with the namespace you want for your sidecar
+subjects:
+ - kind: ServiceAccount
+ name: csi-snapshotter
+ namespace: default # TODO: replace with the namespace you want for your sidecar
+roleRef:
+ kind: Role
+ name: external-snapshotter-leaderelection
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/deploy/kubernetes/setup-csi-snapshotter.yaml b/deploy/kubernetes/setup-csi-snapshotter.yaml
index 8866749a..d3b9e4ad 100644
--- a/deploy/kubernetes/setup-csi-snapshotter.yaml
+++ b/deploy/kubernetes/setup-csi-snapshotter.yaml
@@ -89,6 +89,7 @@ spec:
 args:
 - "--csi-address=$(ADDRESS)"
 - "--connection-timeout=15s"
+ - "--leader-election=false"
 env:
 - name: ADDRESS
 value: /csi/csi.sock
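Review bot: The new `external-snapshotter-leaderelection` Role and RoleBinding in rbac.yaml have no comment saying when they are required, while the provisioner Role in the same patch is marked "if (and only if) leadership election is enabled". They are applied by the README's `kubectl create` loop regardless, and the example deployment in setup-csi-snapshotter.yaml passes `--leader-election=false`, so by default the service account holds lease permissions it does not use. Add a header comment above the Role such as `# Only needed when the snapshotter runs with --leader-election=true; leave out this Role and RoleBinding otherwise`. It would also help to note next to the `namespace: default` TODOs that all three values have to change together, since a Role only grants access in its own namespace.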