Use new restricted liveness probe endpoint

The `--health-port` option is deprecated and `--http-endpoint` is the new
option to use. Since `--http-endpoint` additionally exposes metrics, the
liveness probe is limited to listening only on localhost by default. With
this, only processes on the host network, such as the kubelet, can call the
endpoint. Regular pods can no longer access the liveness probe via the
node IP address.

Signed-off-by: Tobi Nehrlich <tobi.nehrlich@amazee.io>
Tobi Nehrlich 2024-03-28 10:42:54 +01:00
parent 0a235fb0f0
commit 0920a991f9
5 changed files with 11 additions and 12 deletions


@ -69,6 +69,8 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
| `controller.runOnControlPlane` | run controller on control plane node |`false` | | `controller.runOnControlPlane` | run controller on control plane node |`false` |
| `controller.dnsPolicy` | dnsPolicy of controller driver, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` | `ClusterFirstWithHostNet` | | `controller.dnsPolicy` | dnsPolicy of controller driver, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` | `ClusterFirstWithHostNet` |
| `controller.defaultOnDeletePolicy` | default policy for deleting subdirectory when deleting a volume, available values: `delete`, `retain`, `archive` | `delete` | | `controller.defaultOnDeletePolicy` | default policy for deleting subdirectory when deleting a volume, available values: `delete`, `retain`, `archive` | `delete` |
| `controller.livenessProbe.host ` | the health check host for the liveness probe | `localhost` |
| `controller.livenessProbe.healthPort ` | the health check port for liveness probe | `29652` |
| `controller.logLevel` | controller driver log level |`5` | | `controller.logLevel` | controller driver log level |`5` |
| `controller.workingMountDir` | working directory for provisioner to mount nfs shares temporarily | `/tmp` | | `controller.workingMountDir` | working directory for provisioner to mount nfs shares temporarily | `/tmp` |
| `controller.affinity` | controller pod affinity | `{}` | | `controller.affinity` | controller pod affinity | `{}` |
@ -88,6 +90,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
| `node.dnsPolicy` | dnsPolicy of driver node daemonset, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` |`ClusterFirstWithHostNet` | `node.dnsPolicy` | dnsPolicy of driver node daemonset, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` |`ClusterFirstWithHostNet`
| `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1` | `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1`
| `node.logLevel` | node driver log level |`5` | | `node.logLevel` | node driver log level |`5` |
| `node.livenessProbe.host ` | the health check host for the liveness probe | `localhost` |
| `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` |
| `node.affinity` | node pod affinity | {} | | `node.affinity` | node pod affinity | {} |
| `node.nodeSelector` | node pod node selector | `{}` | | `node.nodeSelector` | node pod node selector | `{}` |


@ -100,7 +100,7 @@ spec:
args: args:
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
- --probe-timeout=3s - --probe-timeout=3s
- --health-port={{ .Values.controller.livenessProbe.healthPort }} - --http-endpoint={{ .Values.controller.livenessProbe.host }}:{{ .Values.controller.livenessProbe.healthPort }}
- --v=2 - --v=2
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
volumeMounts: volumeMounts:
@ -137,15 +137,12 @@ spec:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: CSI_ENDPOINT - name: CSI_ENDPOINT
value: unix:///csi/csi.sock value: unix:///csi/csi.sock
ports:
- containerPort: {{ .Values.controller.livenessProbe.healthPort }}
name: healthz
protocol: TCP
livenessProbe: livenessProbe:
failureThreshold: 5 failureThreshold: 5
httpGet: httpGet:
host: {{ .Values.controller.livenessProbe.host }}
path: /healthz path: /healthz
port: healthz port: {{ .Values.controller.livenessProbe.healthPort }}
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 10 timeoutSeconds: 10
periodSeconds: 30 periodSeconds: 30
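Review bot: The added `host: {{ .Values.controller.livenessProbe.host }}` under `httpGet` only reaches the sidecar if the pod runs with `hostNetwork: true`, which this hunk does not show: the sidecar now binds to `{{ host }}:{{ port }}` in the `--http-endpoint` argument, and the kubelet resolves `localhost` in its own (node) network namespace, so for a pod without host networking the probe would be answered by whatever listens on the node's loopback at that port, or by nothing, rather than by the container. The same dependency applies to the node daemonset template, whose `--http-endpoint` and `host:` lines mirror these. Suggest a comment above the `host:` line, e.g. `# kubelet connects to this host from the node namespace; only valid with hostNetwork so the sidecar's localhost listener is reachable`, and, if the chart has a hostNetwork toggle, a template guard that fails rendering when `host` is `localhost` while host networking is off. As a point of style, the templated scalar is unquoted; `host: {{ .Values.controller.livenessProbe.host | quote }}` keeps an empty value from rendering as null.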


@ -52,7 +52,7 @@ spec:
args: args:
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
- --probe-timeout=3s - --probe-timeout=3s
- --health-port={{ .Values.node.livenessProbe.healthPort }} - --http-endpoint={{ .Values.node.livenessProbe.host }}:{{ .Values.node.livenessProbe.healthPort }}
- --v=2 - --v=2
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
volumeMounts: volumeMounts:
@ -118,15 +118,12 @@ spec:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: CSI_ENDPOINT - name: CSI_ENDPOINT
value: unix:///csi/csi.sock value: unix:///csi/csi.sock
ports:
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
name: healthz
protocol: TCP
livenessProbe: livenessProbe:
failureThreshold: 5 failureThreshold: 5
httpGet: httpGet:
host: {{ .Values.node.livenessProbe.host }}
path: /healthz path: /healthz
port: healthz port: {{ .Values.node.livenessProbe.healthPort }}
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 10 timeoutSeconds: 10
periodSeconds: 30 periodSeconds: 30


@ -53,6 +53,7 @@ controller:
runOnMaster: false runOnMaster: false
runOnControlPlane: false runOnControlPlane: false
livenessProbe: livenessProbe:
host: localhost
healthPort: 29652 healthPort: 29652
logLevel: 5 logLevel: 5
workingMountDir: /tmp workingMountDir: /tmp
@ -103,6 +104,7 @@ node:
maxUnavailable: 1 maxUnavailable: 1
logLevel: 5 logLevel: 5
livenessProbe: livenessProbe:
host: localhost
healthPort: 29653 healthPort: 29653
affinity: {} affinity: {}
nodeSelector: {} nodeSelector: {}
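Review bot: The new `host: localhost` key under both `controller.livenessProbe` and `node.livenessProbe` carries no comment, and its security meaning is not obvious from the name: per the commit description the `--http-endpoint` listener also serves metrics, so a user who widens this to `0.0.0.0` or a node address to restore the old node-IP probe behaviour also publishes the metrics endpoint on the node network. Suggest a comment above each `host:` line, e.g. `# address the livenessprobe sidecar binds to; it also serves /metrics, so keep it on localhost unless metrics should be reachable from the node network`. The probe is only reachable from the kubelet when the pod shares the host network namespace, which is worth stating in the same comment.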