diff --git a/test/e2e/storage/drivers/csi.go b/test/e2e/storage/drivers/csi.go
index 3907edf25e3..8959bdc0e97 100644
--- a/test/e2e/storage/drivers/csi.go
+++ b/test/e2e/storage/drivers/csi.go
@@ -389,13 +389,16 @@ func InitGcePDCSIDriver() testsuites.TestDriver {
 SupportedMountOption: sets.NewString("debug", "nouid32"),
 Capabilities: map[testsuites.Capability]bool{
 testsuites.CapPersistence: true,
+ testsuites.CapBlock: true,
 testsuites.CapFsGroup: true,
 testsuites.CapExec: true,
 testsuites.CapMultiPODs: true,
 // GCE supports volume limits, but the test creates large
 // number of volumes and times out test suites.
- testsuites.CapVolumeLimits: false,
- testsuites.CapTopology: true,
+ testsuites.CapVolumeLimits: false,
+ testsuites.CapTopology: true,
+ testsuites.CapControllerExpansion: true,
+ testsuites.CapNodeExpansion: true,
 },
 RequiredAccessModes: []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
 TopologyKeys: []string{GCEPDCSIZoneTopologyKey},
diff --git a/test/e2e/testing-manifests/storage-csi/gce-pd/controller_ss.yaml b/test/e2e/testing-manifests/storage-csi/gce-pd/controller_ss.yaml
index e4f21d14056..9a042f84b79 100644
--- a/test/e2e/testing-manifests/storage-csi/gce-pd/controller_ss.yaml
+++ b/test/e2e/testing-manifests/storage-csi/gce-pd/controller_ss.yaml
@@ -13,11 +13,10 @@ spec:
 labels:
 app: gcp-compute-persistent-disk-csi-driver
 spec:
- serviceAccountName: csi-controller-sa
+ serviceAccountName: csi-gce-pd-controller-sa
 containers:
 - name: csi-provisioner
- # TODO: replace with official 1.4.0 release when ready
- image: quay.io/k8scsi/csi-provisioner:v1.4.0-rc1
+ image: gcr.io/gke-release/csi-provisioner:v1.4.0-gke.0
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
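Review bot: The two expansion capabilities added at the end of the Capabilities map appear to depend on the csi-resizer sidecar and its ClusterRole that this same commit adds to the gce-pd manifests, and nothing in the map records that coupling. A comment above `testsuites.CapControllerExpansion: true,` such as `// Expansion relies on the csi-resizer sidecar in testing-manifests/storage-csi/gce-pd/controller_ss.yaml.` would keep the two in step. The existing volume-limits comment now sits directly above four aligned entries and reads as covering all of them; a blank line after `testsuites.CapVolumeLimits: false,` would scope it to the entry it describes. InitGcePDCSIDriver starts and ends outside the hunk.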
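Review bot: The new csi-provisioner `image:` line references the image by tag only, so what the e2e cluster actually runs depends on whatever the registry serves for `v1.4.0-gke.0` at pull time. These containers run under a service account with cluster-wide PV and VolumeAttachment rights, and the node driver in node_ds.yaml runs with `privileged: true`, so an immutable reference is worth the extra characters: `image: gcr.io/gke-release/csi-provisioner:v1.4.0-gke.0@sha256:<digest-placeholder>`. The same applies to the csi-attacher, csi-resizer and gce-pd-driver images in the later hunks of this file and to both images bumped in node_ds.yaml. The container spec continues outside the hunk.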
@@ -26,7 +25,15 @@ spec:
 - name: socket-dir
 mountPath: /csi
 - name: csi-attacher
- image: gcr.io/gke-release/csi-attacher:v1.2.0-gke.0
+ image: gcr.io/gke-release/csi-attacher:v2.0.0-gke.0
+ args:
+ - "--v=5"
+ - "--csi-address=/csi/csi.sock"
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: csi-resizer
+ image: gcr.io/gke-release/csi-resizer:v0.3.0-gke.0
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
@@ -34,7 +41,7 @@ spec:
 - name: socket-dir
 mountPath: /csi
 - name: gce-pd-driver
- image: gcr.io/gke-release/gcp-compute-persistent-disk-csi-driver:v0.5.2-gke.0
+ image: gcr.io/gke-release/gcp-compute-persistent-disk-csi-driver:v0.6.0-gke.0
 args:
 - "--v=5"
 - "--endpoint=unix:/csi/csi.sock"
diff --git a/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml b/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml
index f9918530634..53a07f34b69 100644
--- a/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml
+++ b/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml
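Review bot: The csi-resizer container added in the first hunk on this line gets only an image, args and the socket mount, and no `securityContext` is visible for it or for the reworked csi-attacher entry. Both sidecars appear to need nothing beyond the CSI socket and the API server, so a per-container `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` is likely safe; confirm against the images before adopting it. The csi-resizer entry's volumeMounts fall outside this hunk, so the rest of its spec could not be checked here.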
@@ -1,64 +1,117 @@ +##### Controller Service Account, Roles, Rolebindings apiVersion: v1 kind: ServiceAccount metadata: - name: csi-controller-sa + name: csi-gce-pd-controller-sa + +--- +# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-gce-pd-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-gce-pd-controller-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-gce-pd-controller-sa +roleRef: + kind: ClusterRole + name: csi-gce-pd-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- +# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-gce-pd-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 
+metadata: + name: csi-gce-pd-controller-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-gce-pd-controller-sa +roleRef: + kind: ClusterRole + name: csi-gce-pd-attacher-role + apiGroup: rbac.authorization.k8s.io + +--- + +# Resizer must be able to work with PVCs, PVs, SCs. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-gce-pd-resizer-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-controller-attacher-role + name: csi-gce-pd-resizer-binding subjects: - kind: ServiceAccount - name: csi-controller-sa - namespace: default + name: csi-gce-pd-controller-sa roleRef: kind: ClusterRole - name: external-attacher-runner + name: csi-gce-pd-resizer-role apiGroup: rbac.authorization.k8s.io ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-controller-attacher-role-cfg - namespace: default -subjects: - - kind: ServiceAccount - name: csi-controller-sa - namespace: default -roleRef: - kind: Role - name: external-attacher-cfg - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-controller-provisioner-role -subjects: - - kind: ServiceAccount - name: csi-controller-sa - namespace: default -roleRef: - kind: ClusterRole - name: external-provisioner-runner - apiGroup: rbac.authorization.k8s.io - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-controller-provisioner-role-cfg - namespace: default -subjects: - - kind: ServiceAccount - name: csi-controller-sa - namespace: 
default -roleRef: - kind: Role - name: external-provisioner-cfg - --- # priviledged Pod Security Policy, previously defined via PrivilegedTestPSPClusterRoleBinding() kind: ClusterRoleBinding @@ -67,7 +120,7 @@ metadata: name: psp-csi-controller-driver-registrar-role subjects: - kind: ServiceAccount - name: csi-controller-sa + name: csi-gce-pd-controller-sa namespace: default roleRef: kind: ClusterRole diff --git a/test/e2e/testing-manifests/storage-csi/gce-pd/node_ds.yaml b/test/e2e/testing-manifests/storage-csi/gce-pd/node_ds.yaml index 3737273583e..333af5cbbae 100644 --- a/test/e2e/testing-manifests/storage-csi/gce-pd/node_ds.yaml +++ b/test/e2e/testing-manifests/storage-csi/gce-pd/node_ds.yaml @@ -13,7 +13,7 @@ spec: spec: containers: - name: csi-driver-registrar - image: gcr.io/gke-release/csi-node-driver-registrar:v1.1.0-gke.0 + image: gcr.io/gke-release/csi-node-driver-registrar:v1.2.0-gke.0 args: - "--v=5" - "--csi-address=/csi/csi.sock" @@ -35,7 +35,7 @@ spec: - name: gce-pd-driver securityContext: privileged: true - image: gcr.io/gke-release/gcp-compute-persistent-disk-csi-driver:v0.5.2-gke.0 + image: gcr.io/gke-release/gcp-compute-persistent-disk-csi-driver:v0.6.0-gke.0 args: - "--v=5" - "--endpoint=unix:/csi/csi.sock"
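Review bot: The ServiceAccount subjects of the three new ClusterRoleBindings in csi-controller-rbac.yaml (`csi-gce-pd-controller-provisioner-binding`, `csi-gce-pd-controller-attacher-binding`, `csi-gce-pd-resizer-binding`) carry no `namespace:`, whereas the bindings they replace had `namespace: default` and the psp binding in the following hunk still does. A ServiceAccount subject needs a namespace to resolve, so these manifests presumably rely on the e2e harness to fill it in; if that is the case, say so at the top of the file, e.g. `# Subject namespaces are injected by the e2e framework; set them explicitly when applying by hand.`, and otherwise restore `namespace: default` on each subject. The namespaced RoleBindings to `external-attacher-cfg` and `external-provisioner-cfg` are also removed without a replacement, so it is worth confirming that the sidecars no longer need whatever those Roles granted in this deployment.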