Repository: aws-samples/eks-workshop-greater-china Branch: master Commit: 05798670c0db Files: 299 Total size: 566.1 KB Directory structure: gitextract_bpmfenia/ ├── .github/ │ └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── china/ │ ├── 2020_EKS_Launch_Workshop/ │ │ ├── README.md │ │ ├── resource/ │ │ │ ├── IRSA/ │ │ │ │ └── iam-pod.yaml │ │ │ ├── alb-ingress-controller/ │ │ │ │ ├── alb-ingress-controller.yaml │ │ │ │ ├── ingress-iam-policy.json │ │ │ │ ├── nginx-alb-ingress.yaml │ │ │ │ └── rbac-role.yaml │ │ │ ├── aws-ebs-csi-driver/ │ │ │ │ ├── aws-ebs-csi-driver/ │ │ │ │ │ ├── .helmignore │ │ │ │ │ ├── Chart.yaml │ │ │ │ │ ├── templates/ │ │ │ │ │ │ ├── NOTES.txt │ │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ │ ├── csidriver.yaml │ │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ │ ├── rbac.yaml │ │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ │ └── statefulset.yaml │ │ │ │ │ └── values.yaml │ │ │ │ ├── deploy/ │ │ │ │ │ └── kubernetes/ │ │ │ │ │ ├── base/ │ │ │ │ │ │ ├── controller.yaml │ │ │ │ │ │ ├── csidriver.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ ├── node.yaml │ │ │ │ │ │ └── rbac.yaml │ │ │ │ │ ├── cluster/ │ │ │ │ │ │ └── crd_snapshotter.yaml │ │ │ │ │ ├── overlays/ │ │ │ │ │ │ ├── alpha/ │ │ │ │ │ │ │ ├── controller_add_resizer.yaml │ │ │ │ │ │ │ ├── controller_add_snapshotter.yaml │ │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ │ ├── rbac_add_resizer.yaml │ │ │ │ │ │ │ ├── rbac_add_snapshot_controller.yaml │ │ │ │ │ │ │ ├── rbac_add_snapshotter.yaml │ │ │ │ │ │ │ └── snapshot_controller.yaml │ │ │ │ │ │ ├── dev/ │ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ │ └── stable/ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ └── secret.yaml │ │ │ │ ├── ebs-csi-iam-policy.json │ │ │ │ ├── examples/ │ │ │ │ │ └── kubernetes/ │ │ │ │ │ ├── block-volume/ │ │ │ │ │ │ ├── README.md │ │ │ │ │ │ └── specs/ │ │ │ │ │ │ ├── pod.yaml │ │ │ │ │ │ ├── raw-claim.yaml │ │ │ │ │ │ └── 
storageclass.yaml │ │ │ │ │ ├── dynamic-provisioning/ │ │ │ │ │ │ ├── README.md │ │ │ │ │ │ └── specs/ │ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ │ ├── pod.yaml │ │ │ │ │ │ └── storageclass.yaml │ │ │ │ │ ├── resizing/ │ │ │ │ │ │ ├── README.md │ │ │ │ │ │ └── spec/ │ │ │ │ │ │ └── example.yaml │ │ │ │ │ ├── snapshot/ │ │ │ │ │ │ ├── README.md │ │ │ │ │ │ └── specs/ │ │ │ │ │ │ ├── app/ │ │ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ │ │ └── pod.yaml │ │ │ │ │ │ ├── classes/ │ │ │ │ │ │ │ ├── snapshotclass.yaml │ │ │ │ │ │ │ └── storageclass.yaml │ │ │ │ │ │ ├── snapshot/ │ │ │ │ │ │ │ └── snapshot.yaml │ │ │ │ │ │ ├── snapshot-import/ │ │ │ │ │ │ │ ├── volume-snapshot-content.yaml │ │ │ │ │ │ │ └── volume-snapshot.yaml │ │ │ │ │ │ └── snapshot-restore/ │ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ │ └── pod.yaml │ │ │ │ │ ├── static-provisioning/ │ │ │ │ │ │ ├── README.md │ │ │ │ │ │ └── specs/ │ │ │ │ │ │ └── example.yaml │ │ │ │ │ └── storageclass/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ └── example.yaml │ │ │ │ └── updaterole.sh │ │ │ ├── aws-efs-csi-driver/ │ │ │ │ ├── .dockerignore │ │ │ │ ├── .github/ │ │ │ │ │ ├── ISSUE_TEMPLATE/ │ │ │ │ │ │ ├── bug_report.md │ │ │ │ │ │ ├── enhancement-request.md │ │ │ │ │ │ ├── feature_request.md │ │ │ │ │ │ └── support-request.md │ │ │ │ │ ├── PULL_REQUEST_TEMPLATE.md │ │ │ │ │ └── workflows/ │ │ │ │ │ └── container-image.yaml │ │ │ │ ├── .gitignore │ │ │ │ ├── .travis.yml │ │ │ │ ├── deploy/ │ │ │ │ │ └── kubernetes/ │ │ │ │ │ ├── base/ │ │ │ │ │ │ ├── csidriver.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ └── node.yaml │ │ │ │ │ └── overlays/ │ │ │ │ │ └── stable/ │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── examples/ │ │ │ │ └── kubernetes/ │ │ │ │ ├── encryption_in_transit/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ ├── pod.yaml │ │ │ │ │ ├── pv.yaml │ │ │ │ │ └── storageclass.yaml │ │ │ │ ├── multiple_pods/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── claim.yaml │ │ │ 
│ │ ├── pod1.yaml │ │ │ │ │ ├── pod2.yaml │ │ │ │ │ ├── pv.yaml │ │ │ │ │ └── storageclass.yaml │ │ │ │ ├── statefulset/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ └── example.yaml │ │ │ │ ├── static_provisioning/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ ├── pod.yaml │ │ │ │ │ ├── pv.yaml │ │ │ │ │ └── storageclass.yaml │ │ │ │ └── volume_path/ │ │ │ │ ├── README.md │ │ │ │ └── specs/ │ │ │ │ └── example.yaml │ │ │ ├── cluster-autoscaler/ │ │ │ │ ├── cluster_autoscaler.yml │ │ │ │ ├── k8s-asg-policy.json │ │ │ │ └── nginx-to-scaleout.yaml │ │ │ ├── efk/ │ │ │ │ └── fluent-bit.yaml │ │ │ ├── eks-helm-demo/ │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── templates/ │ │ │ │ │ ├── deployment/ │ │ │ │ │ │ ├── crystal.yaml │ │ │ │ │ │ ├── frontend.yaml │ │ │ │ │ │ └── nodejs.yaml │ │ │ │ │ └── service/ │ │ │ │ │ ├── crystal.yaml │ │ │ │ │ ├── frontend.yaml │ │ │ │ │ └── nodejs.yaml │ │ │ │ └── values.yaml │ │ │ ├── healthchecks/ │ │ │ │ ├── liveness-app.yaml │ │ │ │ └── readiness-deployment.yaml │ │ │ ├── hpa/ │ │ │ │ ├── hpa-v2.yaml │ │ │ │ └── php-apache.yaml │ │ │ ├── istio/ │ │ │ │ └── bookinfo/ │ │ │ │ ├── bookinfo-gateway.yaml │ │ │ │ ├── bookinfo.yaml │ │ │ │ ├── destination-rule-all.yaml │ │ │ │ ├── virtual-service-all-v1.yaml │ │ │ │ ├── virtual-service-ratings-test-abort.yaml │ │ │ │ ├── virtual-service-ratings-test-delay.yaml │ │ │ │ ├── virtual-service-reviews-50-v3.yaml │ │ │ │ ├── virtual-service-reviews-test-v2.yaml │ │ │ │ └── virtual-service-reviews-v3.yaml │ │ │ ├── network-policy/ │ │ │ │ ├── calico.yaml │ │ │ │ └── calico_resources/ │ │ │ │ ├── allow-ui-client.yaml │ │ │ │ ├── allow-ui.yaml │ │ │ │ ├── backend-policy.yaml │ │ │ │ ├── backend.yaml │ │ │ │ ├── client.yaml │ │ │ │ ├── default-deny.yaml │ │ │ │ ├── frontend-policy.yaml │ │ │ │ ├── frontend.yaml │ │ │ │ ├── management-ui.yaml │ │ │ │ └── namespace.yaml │ │ │ └── nginx-app/ │ │ │ └── nginx-nlb.yaml │ │ ├── 步骤1-准备实验环境.md │ │ ├── 
步骤10-可用性-健康检查.md │ │ ├── 步骤11-使用Calio加固EKS集群安全.md │ │ ├── 步骤12-EFK日志收集.md │ │ ├── 步骤13-Prometheus&Grafana监控.md │ │ ├── 步骤14-在EKS集群上部署Istio服务网格.md │ │ ├── 步骤2-创建EKS集群.md │ │ ├── 步骤3-部署官方的KubernetesDashboard.md │ │ ├── 步骤4-部署微服务以及配置ALBIngressController.md │ │ ├── 步骤5-配置使用EBS.md │ │ ├── 步骤6-配置使用EFS.md │ │ ├── 步骤7-在EKS中使用IAMRole进行权限管理.md │ │ ├── 步骤8-对应用Pod和集群进行自动扩展.md │ │ └── 步骤9-使用Helm部署应用.md │ ├── 2020_GCR_Kubeflow_Workshop/ │ │ ├── Kubeflow_Pipelines.md │ │ ├── Kubeflow_fairing.md │ │ ├── README.md │ │ ├── resources/ │ │ │ └── mnist-tensorflow-jupyter.py │ │ ├── 创建和使用jupter笔记本.md │ │ ├── 安装Kubeflow.md │ │ └── 清理资源.md │ └── 2021_GCR_Kubeflow_on_EKS/ │ ├── Kubeflow on AWS EKS (GCR Region) 部署.md │ ├── resource/ │ │ ├── app1.yaml │ │ ├── aws-alb-config-map.yaml │ │ ├── dex-config.yaml │ │ ├── ingress-iam-policy.json │ │ ├── kfctl_aws.v1.2.0.yaml │ │ ├── kfctl_aws.v1.2.0.yaml.tpl │ │ ├── kubeflow-workshop-eks.yaml │ │ ├── mutating-webhook.yaml │ │ └── s3-kubeflow-on-eks-app1.json │ └── resource.tgz └── global/ ├── 2019_GCR_EKS_Workshop/ │ ├── README.md │ ├── 步骤1-通过AWS Cloud9搭建服务器环境.md │ ├── 步骤2-设置默认region, 安装eksctl, kubectl工具.md │ ├── 步骤3-创建EKS集群(启用按需实例和Fargate).md │ ├── 步骤4-部署示例应用,通过HPA测试Fargate弹性伸缩功能.md │ └── 步骤5-在EKS中使用IAM Role进行权限管理(可选).md ├── 2020_GCR_SZ_ContainerDay/ │ ├── README.md │ ├── docker/ │ │ ├── Lab2-Docker 基本操作.md │ │ ├── Lab3-使用Docker 运行Web服务.md │ │ └── Lab4-多容器管理实践.md │ ├── resources/ │ │ ├── IRSA/ │ │ │ └── iam-pod.yaml │ │ ├── alb-ingress-controller/ │ │ │ ├── alb-ingress-controller.yaml │ │ │ ├── iam-policy.json │ │ │ ├── nginx-alb-ingress.yaml │ │ │ └── rbac-role.yaml │ │ ├── aws-ebs-csi-driver/ │ │ │ ├── aws-ebs-csi-driver/ │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── templates/ │ │ │ │ │ ├── NOTES.txt │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ ├── csidriver.yaml │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── rbac.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── statefulset.yaml │ │ │ │ └── values.yaml │ │ │ 
├── deploy/ │ │ │ │ └── kubernetes/ │ │ │ │ ├── base/ │ │ │ │ │ ├── controller.yaml │ │ │ │ │ ├── csidriver.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── node.yaml │ │ │ │ │ └── rbac.yaml │ │ │ │ ├── cluster/ │ │ │ │ │ └── crd_snapshotter.yaml │ │ │ │ ├── overlays/ │ │ │ │ │ ├── alpha/ │ │ │ │ │ │ ├── controller_add_resizer.yaml │ │ │ │ │ │ ├── controller_add_snapshotter.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ ├── rbac_add_resizer.yaml │ │ │ │ │ │ ├── rbac_add_snapshot_controller.yaml │ │ │ │ │ │ ├── rbac_add_snapshotter.yaml │ │ │ │ │ │ └── snapshot_controller.yaml │ │ │ │ │ ├── dev/ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ └── stable/ │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── secret.yaml │ │ │ ├── ebs-csi-iam-policy.json │ │ │ ├── examples/ │ │ │ │ └── kubernetes/ │ │ │ │ ├── block-volume/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── pod.yaml │ │ │ │ │ ├── raw-claim.yaml │ │ │ │ │ └── storageclass.yaml │ │ │ │ ├── dynamic-provisioning/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ ├── pod.yaml │ │ │ │ │ └── storageclass.yaml │ │ │ │ ├── resizing/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── spec/ │ │ │ │ │ └── example.yaml │ │ │ │ ├── snapshot/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ ├── app/ │ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ │ └── pod.yaml │ │ │ │ │ ├── classes/ │ │ │ │ │ │ ├── snapshotclass.yaml │ │ │ │ │ │ └── storageclass.yaml │ │ │ │ │ ├── snapshot/ │ │ │ │ │ │ └── snapshot.yaml │ │ │ │ │ ├── snapshot-import/ │ │ │ │ │ │ ├── volume-snapshot-content.yaml │ │ │ │ │ │ └── volume-snapshot.yaml │ │ │ │ │ └── snapshot-restore/ │ │ │ │ │ ├── claim.yaml │ │ │ │ │ └── pod.yaml │ │ │ │ ├── static-provisioning/ │ │ │ │ │ ├── README.md │ │ │ │ │ └── specs/ │ │ │ │ │ └── example.yaml │ │ │ │ └── storageclass/ │ │ │ │ ├── README.md │ │ │ │ └── specs/ │ │ │ │ └── example.yaml │ │ │ └── updaterole.sh │ │ ├── cluster-autoscaler/ │ │ │ ├── cluster_autoscaler.yml │ │ │ ├── 
cluster_autoscaler.yml.orgin │ │ │ ├── k8s-asg-policy.json │ │ │ └── nginx-to-scaleout.yaml │ │ └── hpa/ │ │ ├── metrics-server-v0.3.6/ │ │ │ ├── .gitignore │ │ │ ├── .golangci.yml │ │ │ ├── .travis.yml │ │ │ ├── CONTRIBUTING.md │ │ │ ├── LICENSE │ │ │ ├── Makefile │ │ │ ├── OWNERS │ │ │ ├── OWNERS_ALIASES │ │ │ ├── README.md │ │ │ ├── SECURITY_CONTACTS │ │ │ ├── code-of-conduct.md │ │ │ └── deploy/ │ │ │ ├── 1.7/ │ │ │ │ ├── auth-delegator.yaml │ │ │ │ ├── auth-reader.yaml │ │ │ │ ├── metrics-apiservice.yaml │ │ │ │ ├── metrics-server-deployment.yaml │ │ │ │ └── metrics-server-service.yaml │ │ │ ├── 1.8+/ │ │ │ │ ├── aggregated-metrics-reader.yaml │ │ │ │ ├── auth-delegator.yaml │ │ │ │ ├── auth-reader.yaml │ │ │ │ ├── metrics-apiservice.yaml │ │ │ │ ├── metrics-server-deployment.yaml │ │ │ │ ├── metrics-server-service.yaml │ │ │ │ └── resource-reader.yaml │ │ │ └── docker/ │ │ │ └── Dockerfile │ │ └── php-apache.yaml │ ├── resources.tgz │ ├── 步骤1-通过AWS Cloud9搭建服务器环境.md │ ├── 步骤2-设置默认region, 安装eksctl, kubectl工具.md │ ├── 步骤3-创建EKS集群.md │ ├── 步骤4-配置ALBIngressController.md │ ├── 步骤5-部署官方的KubernetesDashboard.md │ ├── 步骤6-使用EBS存储.md │ ├── 步骤7-在EKS中使用IAMRole进行权限管理.md │ └── 步骤8-实现应用Pod和集群进行自动扩展.md ├── 2021_GCR_MAD_Day/ │ ├── README.md │ ├── lab1-serverless/ │ │ ├── 步骤1-从头开始写一个 serverless API.md │ │ ├── 步骤1-使用serverless 快速构建Express应用.md │ │ └── 步骤2-使用serverless 快速构建Express应用.md │ ├── lab2-eks/ │ │ ├── 步骤1-设置默认region, 安装eksctl, kubectl工具.md │ │ ├── 步骤2-创建EKS集群.md │ │ ├── 步骤3-部署配置aws-load-balancer-controller&2048游戏.md │ │ ├── 步骤4-可观测性-日志收集.md │ │ ├── 步骤5-可观测性-prometheus-grafana.md │ │ ├── 步骤6-使用CodePipeline 实现EKS环境CICD.md │ │ ├── 步骤7-使用Karpenter实现EKS工作节点弹性伸缩.md │ │ └── 步骤8-EBS使用.md │ ├── resources/ │ │ ├── 1.25/ │ │ │ └── eksworkshop.tgz │ │ ├── aws-load-balancer-controller/ │ │ │ ├── 2048_full_latest.yaml │ │ │ ├── iam-policy.json │ │ │ └── v2_2_1_full.yaml │ │ ├── codepipeline/ │ │ │ ├── aws-auth-patch.yml │ │ │ └── iam-role-policy │ │ ├── nginx.yaml │ │ └── 
observeration/ │ │ ├── elastisearch.yaml │ │ ├── fluent-bit.yaml │ │ ├── grafana.yaml │ │ └── kibana.yaml │ └── 通过AWS Cloud9搭建实验环境.md └── karpenter_handson/ └── 使用Karpenter实现EKS工作节点弹性伸缩.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/PULL_REQUEST_TEMPLATE.md ================================================ *Issue #, if available:* *Description of changes:* By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. ================================================ FILE: .gitignore ================================================ .DS_Store china/.DS_Store global/.DS_Store resource/china/ecsdemo-crystal resource/china/ecsdemo-frontend resource/china/ecsdemo-nodejs resource/china/s3-echoer resource/china/hpa/metrics-server-v0.3.6.tar.gz resource/china/hpa/metrics-server-v0.3.6/* ================================================ FILE: CODE_OF_CONDUCT.md ================================================ ## Code of Conduct This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. ================================================ FILE: CONTRIBUTING.md ================================================ # Contributing Guidelines Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community. Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution. 
## Reporting Bugs/Feature Requests We welcome you to use the GitHub issue tracker to report bugs or suggest features. When filing an issue, please check [existing open](https://github.com/aws-samples/eks-workshop-greater-china/issues), or [recently closed](https://github.com/aws-samples/eks-workshop-greater-china/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: * A reproducible test case or series of steps * The version of our code being used * Any modifications you've made relevant to the bug * Anything unusual about your environment or deployment ## Contributing via Pull Requests Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 1. You are working against the latest source on the *master* branch. 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. To send us a pull request, please: 1. Fork the repository. 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 3. Ensure local tests pass. 4. Commit to your fork using clear commit messages. 5. Send us a pull request, answering any default questions in the pull request interface. 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). ## Finding contributions to work on Looking at the existing issues is a great way to find something to contribute on. 
As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-samples/eks-workshop-greater-china/labels/help%20wanted) issues is a great place to start. ## Code of Conduct This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. ## Security issue notifications If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. ## Licensing See the [LICENSE](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. ================================================ FILE: LICENSE ================================================ Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================ ## AWS GCR EKS Resource [AWS EKS集群使用Karpenter实现EC2工作节点弹性伸缩](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/karpenter_handson/%E4%BD%BF%E7%94%A8Karpenter%E5%AE%9E%E7%8E%B0EKS%E5%B7%A5%E4%BD%9C%E8%8A%82%E7%82%B9%E5%BC%B9%E6%80%A7%E4%BC%B8%E7%BC%A9.md) [Kubernetes 节点弹性伸缩开源组件 Karpenter 实践:部署GPU推理应用](https://aws.amazon.com/cn/blogs/china/kubernetes-node-elastic-scaling-open-source-component-karpenter-practice-deploying-gpu-inference-applications/) [Kubernetes 节点弹性伸缩开源组件 Karpenter 实践:使用 Spot 实例进行成本优化](https://aws.amazon.com/cn/blogs/china/kubernetes-node-elastic-scaling-open-source-component-karpenter-practice-cost-optimization-using-spot-instance/) [Unreal Engine 像素流送在g4dn上实现容器化部署实践(二)](https://aws.amazon.com/cn/blogs/china/practice-of-container-deployment-of-unreal-engine-pixel-streaming-on-g4dn-ii/) #### China Region Workshop Resource *** #### Tech Day 资料: [AWS GCR 2020 EKS Launch Hands-on Workshop](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/README.md) 1. [步骤1-准备实验环境](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤1-准备实验环境.md) 2. [步骤2-创建EKS集群](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤2-创建EKS集群.md) 3. [步骤3-部署官方的KubernetesDashboard](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤3-部署官方的KubernetesDashboard.md) 4. 
[步骤4-部署微服务以及配置ALBIngressController](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤4-部署微服务以及配置ALBIngressController.md) 5. [步骤5-配置使用EBS](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤5-配置使用EBS.md) 6. [步骤6-配置使用EFS](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤6-配置使用EFS.md) 7. [步骤7-在EKS中使用IAMRole进行权限管理](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤7-在EKS中使用IAMRole进行权限管理.md) 8. [步骤8-对应用Pod和集群进行自动扩展](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤8-对应用Pod和集群进行自动扩展.md) 9. [步骤9-使用Helm部署应用](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤9-使用Helm部署应用.md) 10. [步骤10-可用性-健康检查](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤10-可用性-健康检查.md) 11. [步骤11-使用Calio加固EKS集群安全](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤11-使用Calio加固EKS集群安全.md) 12. [步骤12 使用EFK收集、处理日志](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤12-EFK日志收集.md) 13. [步骤13 部署Prometheus & Grafana监控](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤13-Prometheus&Grafana监控.md) 14. [步骤14 在EKS集群上部署Istio 服务网格](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_EKS_Launch_Workshop/步骤14-在EKS集群上部署Istio服务网格.md) [2020_GCR_Kuberflow_Workshop](https://github.com/aws-samples/eks-workshop-greater-china/tree/master/china/2020_GCR_Kubeflow_Workshop) 1. [安装kubeflow](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_GCR_Kubeflow_Workshop/%E5%AE%89%E8%A3%85Kubeflow.md) 2. 
[创建和使用jupter笔记本.md](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_GCR_Kubeflow_Workshop/%E5%88%9B%E5%BB%BA%E5%92%8C%E4%BD%BF%E7%94%A8jupter%E7%AC%94%E8%AE%B0%E6%9C%AC.md) 3. [使用Kubeflow fairing](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_GCR_Kubeflow_Workshop/Kubeflow_fairing.md) 4. [使用Kubeflow pipeline](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/china/2020_GCR_Kubeflow_Workshop/Kubeflow_Pipelines.md) #### Global Region Workshop Resource *** #### Tech Day 资料: [AWS 2021 Modern Application Development(MAD) Day](https://github.com/aws-samples/eks-workshop-greater-china/tree/master/global/2021_GCR_MAD_Day) [通过Cloud9搭建准备实验环境](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/%E9%80%9A%E8%BF%87AWS%20Cloud9%E6%90%AD%E5%BB%BA%E5%AE%9E%E9%AA%8C%E7%8E%AF%E5%A2%83.md) Lab1 Serverless 1. [步骤1-从头开始写一个 serverless API](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A41-%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4region%2C%20%E5%AE%89%E8%A3%85eksctl%2C%20kubectl%E5%B7%A5%E5%85%B7.md) 2. [步骤2-使用serverless 快速构建Express应用](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab1-serverless/%E6%AD%A5%E9%AA%A41-%E4%BD%BF%E7%94%A8serverless%20%E5%BF%AB%E9%80%9F%E6%9E%84%E5%BB%BAExpress%E5%BA%94%E7%94%A8.md) Lab2 EKS 动手训练营 1. [步骤1-设置默认region, 安装eksctl, kubectl工具](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A41-%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4region%2C%20%E5%AE%89%E8%A3%85eksctl%2C%20kubectl%E5%B7%A5%E5%85%B7.md) 2. [步骤2, 创建EKS集群](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A42-%E5%88%9B%E5%BB%BAEKS%E9%9B%86%E7%BE%A4.md) 3. 
[步骤3, 配置aws-load-balancer-controller&部署2048游戏](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A43-%E9%83%A8%E7%BD%B2%E9%85%8D%E7%BD%AEaws-load-balancer-controller%262048%E6%B8%B8%E6%88%8F.md) 4. [步骤4-可观测性-日志收集](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A44-%E5%8F%AF%E8%A7%82%E6%B5%8B%E6%80%A7-%E6%97%A5%E5%BF%97%E6%94%B6%E9%9B%86.md) 5. [步骤5-可观测性-prometheus-grafana.md](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A45-%E5%8F%AF%E8%A7%82%E6%B5%8B%E6%80%A7-prometheus-grafana.md) 6. [步骤6-使用CodePipeline 实现EKS环境CICD.md](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A46-%E4%BD%BF%E7%94%A8CodePipeline%20%E5%AE%9E%E7%8E%B0EKS%E7%8E%AF%E5%A2%83CICD.md) 7. [步骤7 使用Karpenter实现EKS工作节点弹性伸缩](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2021_GCR_MAD_Day/lab2-eks/%E6%AD%A5%E9%AA%A47-%E4%BD%BF%E7%94%A8Karpenter%E5%AE%9E%E7%8E%B0EKS%E5%B7%A5%E4%BD%9C%E8%8A%82%E7%82%B9%E5%BC%B9%E6%80%A7%E4%BC%B8%E7%BC%A9.md) [AWS GCR 2020 Container Day](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/README.md) 1. [步骤1 , 通过Cloud9搭建准备实验环境](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A41-%E9%80%9A%E8%BF%87AWS%20Cloud9%E6%90%AD%E5%BB%BA%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%8E%AF%E5%A2%83.md) 2. [步骤2, 安装eksctl, kubectl , jq等工具](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A42-%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4region%2C%20%E5%AE%89%E8%A3%85eksctl%2C%20kubectl%E5%B7%A5%E5%85%B7.md) 3. 
[步骤3, 创建EKS集群](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A43-%E5%88%9B%E5%BB%BAEKS%E9%9B%86%E7%BE%A4.md) 4. [步骤4, 使用ALB Ingress](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A44-%E9%85%8D%E7%BD%AEALBIngressController.md) 5. [步骤5,使用Kubernetes Dashboard](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A45-%E9%83%A8%E7%BD%B2%E5%AE%98%E6%96%B9%E7%9A%84KubernetesDashboard.md) 6. [步骤6,使用EBS存储](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A46-%E4%BD%BF%E7%94%A8EBS%E5%AD%98%E5%82%A8.md) 7. [步骤7, IRSA(可选)](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A47-%E5%9C%A8EKS%E4%B8%AD%E4%BD%BF%E7%94%A8IAMRole%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86.md) 8. [步骤8, 实现应用Pod和集群进行自动扩展(可选)](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2020_GCR_SZ_ContainerDay/%E6%AD%A5%E9%AA%A48-%E5%AE%9E%E7%8E%B0%E5%BA%94%E7%94%A8Pod%E5%92%8C%E9%9B%86%E7%BE%A4%E8%BF%9B%E8%A1%8C%E8%87%AA%E5%8A%A8%E6%89%A9%E5%B1%95.md) [AWS GCR 2019 EKS New Feature Workshop](https://github.com/aws-samples/eks-workshop-greater-china/tree/master/global/2019_GCR_EKS_Workshop) 1. [步骤1: 通过AWSCloud9搭建服务器环境](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2019_GCR_EKS_Workshop/%E6%AD%A5%E9%AA%A41-%E9%80%9A%E8%BF%87AWS%20Cloud9%E6%90%AD%E5%BB%BA%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%8E%AF%E5%A2%83.md) 2. [步骤2: 设置默认region, 安装eksctl,kubectl工具](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2019_GCR_EKS_Workshop/%E6%AD%A5%E9%AA%A42-%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4region%2C%20%E5%AE%89%E8%A3%85eksctl%2C%20kubectl%E5%B7%A5%E5%85%B7.md) 3. 
[步骤3: 创建EKS集群(启用按需实例和Fargate)](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2019_GCR_EKS_Workshop/%E6%AD%A5%E9%AA%A43-%E5%88%9B%E5%BB%BAEKS%E9%9B%86%E7%BE%A4(%E5%90%AF%E7%94%A8%E6%8C%89%E9%9C%80%E5%AE%9E%E4%BE%8B%E5%92%8CFargate).md) 4. [步骤4: 部署示例应用,通过HPA测试Fargate弹性伸缩功能](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2019_GCR_EKS_Workshop/%E6%AD%A5%E9%AA%A44-%E9%83%A8%E7%BD%B2%E7%A4%BA%E4%BE%8B%E5%BA%94%E7%94%A8%EF%BC%8C%E9%80%9A%E8%BF%87HPA%E6%B5%8B%E8%AF%95Fargate%E5%BC%B9%E6%80%A7%E4%BC%B8%E7%BC%A9%E5%8A%9F%E8%83%BD.md) 5. [步骤5: 在EKS中使用IAM Role进行权限管理](https://github.com/aws-samples/eks-workshop-greater-china/blob/master/global/2019_GCR_EKS_Workshop/%E6%AD%A5%E9%AA%A45-%E5%9C%A8EKS%E4%B8%AD%E4%BD%BF%E7%94%A8IAM%20Role%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86(%E5%8F%AF%E9%80%89).md) ## Other Resource - [Amazon EKS 入门](https://docs.aws.amazon.com/zh_cn/eks/latest/userguide/getting-started.html) - [eksworkshop.com](https://eksworkshop.com/) - [eksctl doc](https://eksctl.io/) ## License Summary This sample code is made available under the MIT-0 license. See the LICENSE file. 
================================================ FILE: china/2020_EKS_Launch_Workshop/README.md ================================================ # AWS EKS China Region Launch Hands-on Workshop * 概要 在本练习中,您将学习如何创建、管理AWS EKS平台,并学会如何在EKS中创建集群并使用托管节点组/非托管节点组,在实验中我们还会学习到Kubernetes 如何与Amazon IAM一起进行权限管理, 如何使用Horizontal Pod Autoscaler (HPA)进行Pod的自动扩展,等等常见EKS操作。 在此教程中,您将完成以下实验: * [步骤1-准备实验环境](步骤1-准备实验环境.md) * [步骤2-创建EKS集群](步骤2-创建EKS集群.md) * [步骤3-部署官方的KubernetesDashboard](步骤3-部署官方的KubernetesDashboard.md) * [步骤4-部署微服务以及配置ALBIngressController](步骤4-部署微服务以及配置ALBIngressController.md) * [步骤5-配置使用EBS](步骤5-配置使用EBS.md) * [步骤6-配置使用EFS](步骤6-配置使用EFS.md) * [步骤7-在EKS中使用IAMRole进行权限管理](步骤7-在EKS中使用IAMRole进行权限管理.md) * [步骤8-对应用Pod和集群进行自动扩展](步骤8-对应用Pod和集群进行自动扩展.md) * [步骤9-使用Helm部署应用](步骤9-使用Helm部署应用.md) * [步骤10-可用性-健康检查](步骤10-可用性-健康检查.md) * [步骤11-使用Calio加固EKS集群安全](步骤11-使用Calio加固EKS集群安全.md) * [步骤12 使用EFK收集、处理日志](步骤12-EFK日志收集.md) * [步骤13 部署Prometheus & Grafana监控](步骤13-Prometheus&Grafana监控.md) * [步骤14 在EKS集群上部署Istio 服务网格](步骤14-在EKS集群上部署Istio服务网格.md) 本实验使用宁夏ZHY(cn-northwest-1)Region 本文所需要的资源均在 china/2020_EKS_Launch_Workshop/resource/目录 >请下载本git repository ```bash git clone https://github.com/aws-samples/eks-workshop-greater-china.git ``` **重要说明:** 本实验中使用到的gcr.io/k8s.gcr.io, quay.io镜像如果国内无法直接访问,请使用第三方image镜像或者个人dockerhub仓库,(可参考2.4 中国区镜像处理章节配置自动修改模式或者在实验中自行编辑对应的yaml文件). 使用第三方镜像源时,请确认其来源可信,并尽量通过digest固定镜像版本。 ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/IRSA/iam-pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: s3-echoer spec: serviceAccountName: s3-echoer containers: - name: main image: atlassian/pipelines-awscli command: ['sh', '-c', 'echo Hello Kubernetes! 
&& sleep 3600']
    env:
    - name: AWS_DEFAULT_REGION
      value: "cn-northwest-1"
    - name: ENABLE_IRP
      value: "true"

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/alb-ingress-controller/alb-ingress-controller.yaml
================================================
# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
# This manifest details sensible defaults for deploying an ALB Ingress Controller.
# GitHub: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
#
# Workshop settings in this copy: cluster name "eksworkshop", region
# cn-northwest-1, and a VPC ID placeholder that must be filled in before applying.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  # Namespace the ALB Ingress Controller should run in. Does not impact which
  # namespaces it's able to resolve ingress resource for. For limiting ingress
  # namespace scope, see --watch-namespace.
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alb-ingress-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: alb-ingress-controller
    spec:
      containers:
        - name: alb-ingress-controller
          args:
            # Limit the namespace where this ALB Ingress Controller deployment will
            # resolve ingress resources. If left commented, all namespaces are used.
            # - --watch-namespace=your-k8s-namespace

            # Setting the ingress-class flag below ensures that only ingress resources with the
            # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
            # choose any class you'd like for this controller to respect.
            - --ingress-class=alb

            # REQUIRED
            # Name of your cluster. Used when naming resources created
            # by the ALB Ingress Controller, providing distinction between
            # clusters.
            - --cluster-name=eksworkshop

            # AWS VPC ID this ingress controller will use to create AWS resources.
            # If unspecified, it will be discovered from ec2metadata.
            # - --aws-vpc-id=vpc-xxxxxx
            # The value below is a placeholder ("your vpc-id"); replace it with the
            # cluster's VPC ID before applying this manifest.
            - --aws-vpc-id=<你的vpc-id>

            # AWS region this ingress controller will operate in.
            # If unspecified, it will be discovered from ec2metadata.
            # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
            - --aws-region=cn-northwest-1

            # Enables logging on all outbound requests sent to the AWS API.
            # If logging is desired, set to true.
            # - --aws-api-debug

            # Maximum number of times to retry the aws calls.
            # defaults to 10.
            # - --aws-max-retries=10

            # If you use alb-ingress-controller 1.1.7 or later in the China regions,
            # these feature gates need to be disabled. The image pinned below is
            # v1.1.5, so the flag is left commented out.
            #- --feature-gates=waf=false,wafv2=false
          env:
            - name: AWS_REGION
              value: cn-northwest-1
            # AWS key id for authenticating with the AWS API.
            # This is only here for examples. It's recommended you instead use
            # a project like kube2iam for granting access.
            # NOTE(review): the pod runs as serviceAccountName alb-ingress-controller
            # (see below); on EKS, binding an IAM role to that service account keeps
            # long-lived keys out of the manifest. Never commit real key values here.
            #- name: AWS_ACCESS_KEY_ID
            #  value: KEYVALUE

            # AWS key secret for authenticating with the AWS API.
            # This is only here for examples. It's recommended you instead use
            # a project like kube2iam for granting access.
            #- name: AWS_SECRET_ACCESS_KEY
            #  value: SECRETVALUE
          # Repository location of the ALB Ingress Controller.
          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.5
      # Service account the controller pod runs as; it is declared in rbac-role.yaml
      # in this directory.
      serviceAccountName: alb-ingress-controller

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/alb-ingress-controller/ingress-iam-policy.json
================================================
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm:DescribeCertificate", "acm:ListCertificates", "acm:GetCertificate" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteTags", "ec2:DeleteSecurityGroup", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*" }, { "Effect": "Allow", "Action": 
[ "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyRule", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RemoveListenerCertificates", "elasticloadbalancing:RemoveTags", "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetSecurityGroups", "elasticloadbalancing:SetSubnets", "elasticloadbalancing:SetWebACL" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:GetServerCertificate", "iam:ListServerCertificates" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cognito-idp:DescribeUserPoolClient" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "tag:GetResources", "tag:TagResources" ], "Resource": "*" } ] }

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/alb-ingress-controller/nginx-alb-ingress.yaml
================================================
# Sample workload for the ALB Ingress Controller: an nginx Deployment, a Service
# in front of it, and an Ingress carrying the "alb" ingress class.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-ingress
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        # No tag or digest is given, so the default tag is pulled; pin a tag or
        # digest when the deployed image must be reproducible.
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: "service-nginx-clusterip"
spec:
  selector:
    app: nginx
  # Despite the Service name, the active type is NodePort; the ClusterIP variant
  # is left commented out. NOTE(review): presumably NodePort is needed because the
  # Ingress below uses target-type "instance" - confirm against the controller docs.
  #type: ClusterIP
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# extensions/v1beta1 is the legacy Ingress API group; check that the target
# cluster version still serves it before applying.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "alb-ingress"
  namespace: "default"
  annotations:
    kubernetes.io/ingress.class: alb
    # internet-facing requests a publicly reachable load balancer. No certificate
    # or listener annotation is set in this file, and the only rule is plain HTTP.
    alb.ingress.kubernetes.io/scheme: internet-facing
    #alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/target-type: instance
  labels:
    app: nginx
spec:
  rules:
  - http:
      paths:
      # Every path is routed to the nginx Service on port 80.
      - path: /*
        backend:
          serviceName: "service-nginx-clusterip"
          servicePort: 80

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/alb-ingress-controller/rbac-role.yaml
================================================
# RBAC for the ALB Ingress Controller: a ClusterRole, its binding to the
# controller's ServiceAccount, and the ServiceAccount itself (kube-system).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
rules:
  # Read/write access to the objects listed under resources.
  - apiGroups:
      - ""
      - extensions
    resources:
      - configmaps
      - endpoints
      - events
      - ingresses
      - ingresses/status
      - services
    verbs:
      - create
      - get
      - list
      - update
      - watch
      - patch
  # Read-only access. This rule includes secrets, and because it sits in a
  # ClusterRole bound through a ClusterRoleBinding it applies in every namespace.
  - apiGroups:
      - ""
      - extensions
    resources:
      - nodes
      - pods
      - secrets
      - services
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: alb-ingress-controller
subjects:
  - kind: ServiceAccount
    name: alb-ingress-controller
    namespace: kube-system
---
# ServiceAccount referenced by serviceAccountName in alb-ingress-controller.yaml.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
...
================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/.helmignore ================================================ # Patterns to ignore when building packages. # This supports shell glob matching, relative path matching, and # negation (prefixed with !). Only one pattern per line. .DS_Store # Common VCS dirs .git/ .gitignore .bzr/ .bzrignore .hg/ .hgignore .svn/ # Common backup files *.swp *.bak *.tmp *~ # Various IDEs .project .idea/ *.tmproj .vscode/ ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/Chart.yaml ================================================ apiVersion: v1 appVersion: "0.5.0" name: aws-ebs-csi-driver description: A Helm chart for AWS EBS CSI Driver version: 0.3.0 kubeVersion: ">=1.13.0-0" home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver sources: - https://github.com/kubernetes-sigs/aws-ebs-csi-driver keywords: - aws - ebs - csi maintainers: - name: leakingtapan email: chengpan@amazon.com ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/NOTES.txt ================================================ To verify that aws-ebs-csi-driver has started, run: kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/_helpers.tpl ================================================ {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. */}} {{- define "aws-ebs-csi-driver.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create a default fully qualified app name. 
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} {{- define "aws-ebs-csi-driver.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- if contains $name .Release.Name -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} {{- end -}} {{/* Create chart name and version as used by the chart label. */}} {{- define "aws-ebs-csi-driver.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Common labels */}} {{- define "aws-ebs-csi-driver.labels" -}} app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} {{/* Convert the `--extra-volume-tags` command line arg from a map. 
*/}} {{- define "aws-ebs-csi-driver.extra-volume-tags" -}} {{- $result := dict "pairs" (list) -}} {{- range $key, $value := .Values.extraVolumeTags -}} {{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}} {{- end -}} {{- if gt (len $result.pairs) 0 -}} - --extra-volume-tags={{- join "," $result.pairs -}} {{- end -}} {{- end -}} ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/csidriver.yaml ================================================ apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: ebs.csi.aws.com spec: attachRequired: true podInfoOnMount: false ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/daemonset.yaml ================================================ # Node Service kind: DaemonSet apiVersion: apps/v1 metadata: name: ebs-csi-node namespace: kube-system spec: selector: matchLabels: app: ebs-csi-node app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: labels: app: ebs-csi-node app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Values.node.podAnnotations }} annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} {{- end }} spec: nodeSelector: beta.kubernetes.io/os: linux hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: Exists {{- with .Values.node.tolerations }} {{ toYaml . 
| indent 8 }} {{- end }} containers: - name: ebs-plugin securityContext: privileged: true image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" args: - node - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet mountPropagation: "Bidirectional" - name: plugin-dir mountPath: /csi - name: device-dir mountPath: /dev ports: - name: healthz containerPort: 9808 protocol: TCP livenessProbe: httpGet: path: /healthz port: healthz initialDelaySeconds: 10 timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 - name: node-driver-registrar image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v=5 lifecycle: preStop: exec: command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"] env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} args: - --csi-address=/csi/csi.sock volumeMounts: - name: plugin-dir mountPath: /csi volumes: - name: kubelet-dir hostPath: path: /var/lib/kubelet type: Directory - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ type: DirectoryOrCreate - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: Directory - name: device-dir hostPath: path: /dev type: Directory ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/deployment.yaml ================================================ # Controller 
Service kind: Deployment apiVersion: apps/v1 metadata: name: ebs-csi-controller namespace: kube-system spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: app: ebs-csi-controller app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: labels: app: ebs-csi-controller app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Values.podAnnotations }} annotations: {{ toYaml .Values.podAnnotations | nindent 8 }} {{- end }} spec: nodeSelector: beta.kubernetes.io/os: linux {{- with .Values.nodeSelector }} {{ toYaml . | indent 8 }} {{- end }} serviceAccountName: ebs-csi-controller-sa priorityClassName: system-cluster-critical {{- with .Values.affinity }} affinity: {{ toYaml . | nindent 8 }} {{- end }} tolerations: - operator: Exists {{- with .Values.tolerations }} {{ toYaml . | indent 8 }} {{- end }} containers: - name: ebs-plugin image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - controller - --endpoint=$(CSI_ENDPOINT) {{ include "aws-ebs-csi-driver.extra-volume-tags" . }} - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: aws-secret key: key_id optional: true - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: aws-secret key: access_key optional: true {{- if .Values.region }} - name: AWS_REGION value: {{ .Values.region }} {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ports: - name: healthz containerPort: 9808 protocol: TCP livenessProbe: httpGet: path: /healthz port: healthz initialDelaySeconds: 10 timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 {{- with .Values.resources }} resources: {{ toYaml . 
| nindent 12 }} {{- end }} - name: csi-provisioner image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} args: - --csi-address=$(ADDRESS) - --v=5 {{- if .Values.enableVolumeScheduling }} - --feature-gates=Topology=true {{- end}} - --enable-leader-election - --leader-election-type=leases env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} args: - --csi-address=$(ADDRESS) - --v=5 - --leader-election=true - --leader-election-type=leases env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ {{- if .Values.enableVolumeSnapshot }} - name: csi-snapshotter image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} args: - --csi-address=$(ADDRESS) - --leader-election=true env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ {{- end }} {{- if .Values.enableVolumeResizing }} - name: csi-resizer image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }} imagePullPolicy: Always args: - --csi-address=$(ADDRESS) - --v=5 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ {{- end }} - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} args: - --csi-address=/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /csi volumes: - name: socket-dir emptyDir: {} ================================================ FILE: 
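china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/rbac.yaml
================================================
# RBAC objects for the EBS CSI driver chart.
#
# Always rendered: the provisioner and attacher ClusterRoles, both bound to the
# ServiceAccount ebs-csi-controller-sa in kube-system.
# Rendered only when .Values.enableVolumeSnapshot is set: the snapshotter and
# snapshot-controller roles plus a namespaced leader-election Role.
# Rendered only when .Values.enableVolumeResizing is set: the resizer role.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-provisioner-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Lease objects; ClusterRole scope means the access is not limited to one namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-provisioner-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-attacher-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-attacher-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-attacher-role
  apiGroup: rbac.authorization.k8s.io

{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-snapshotter-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Cluster-wide read access to Secrets: enabling snapshots lets the controller
  # service account read secrets in every namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  # This volumesnapshotcontents rule used to be listed twice in this role; RBAC
  # rules are additive, so a single copy grants the same access.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  # Allows creating and deleting CustomResourceDefinitions cluster-wide.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "list", "watch", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshotter-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-snapshotter-role
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-snapshot-controller-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshot-controller-binding
subjects:
  - kind: ServiceAccount
    name: ebs-snapshot-controller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-snapshot-controller-role
  apiGroup: rbac.authorization.k8s.io

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-snapshot-controller-leaderelection
  namespace: kube-system
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: snapshot-controller-leaderelection
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: ebs-snapshot-controller
    namespace: kube-system
roleRef:
  kind: Role
  # Must name the Role defined just above. The previous value,
  # snapshot-controller-leaderelection, matched no Role in this chart, so the
  # binding granted nothing. roleRef cannot be edited in place: delete an
  # already-installed binding before upgrading.
  name: ebs-snapshot-controller-leaderelection
  apiGroup: rbac.authorization.k8s.io

{{- end }}

{{- if .Values.enableVolumeResizing }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-resizer-role
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-resizer-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-resizer-role
  apiGroup: rbac.authorization.k8s.io

{{- end}}

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/serviceaccount.yaml
================================================
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-controller-sa
  namespace: kube-system
  {{- with .Values.serviceAccount.controller.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-snapshot-controller
  namespace: kube-system
  {{- with .Values.serviceAccount.snapshot.annotations }}
  annotations: {{ toYaml . 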
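| nindent 4 }}
  {{- end }}

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/templates/statefulset.yaml
================================================
{{- if .Values.enableVolumeSnapshot }}
# Snapshot controller: a single-replica StatefulSet, rendered only when
# .Values.enableVolumeSnapshot is set.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: ebs-snapshot-controller
  namespace: kube-system
spec:
  serviceName: ebs-snapshot-controller
  replicas: 1
  selector:
    matchLabels:
      app: ebs-snapshot-controller
  template:
    metadata:
      labels:
        app: ebs-snapshot-controller
    spec:
      # serviceAccountName is the current pod-spec field; "serviceAccount" is its
      # deprecated alias. This also matches deployment.yaml in the same chart.
      serviceAccountName: ebs-snapshot-controller
      containers:
        - name: snapshot-controller
          # Image and tag are fixed here rather than read from values.yaml like
          # the other sidecar images, so a registry mirror override has to edit
          # this line directly.
          image: quay.io/k8scsi/snapshot-controller:v2.0.1
          args:
            - --v=5
            # Leader election is switched off; only one replica is configured above.
            - --leader-election=false
{{- end }}

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/aws-ebs-csi-driver/values.yaml
================================================
# Default values for aws-ebs-csi-driver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.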
replicaCount: 2 image: repository: amazon/aws-ebs-csi-driver tag: "v0.5.0" pullPolicy: IfNotPresent sidecars: provisionerImage: repository: quay.io/k8scsi/csi-provisioner tag: "v1.5.0" attacherImage: repository: quay.io/k8scsi/csi-attacher tag: "v1.2.0" snapshotterImage: repository: quay.io/k8scsi/csi-snapshotter tag: "v2.0.1" livenessProbeImage: repository: quay.io/k8scsi/livenessprobe tag: "v1.1.0" resizerImage: repository: quay.io/k8scsi/csi-resizer tag: "v0.3.0" nodeDriverRegistrarImage: repository: quay.io/k8scsi/csi-node-driver-registrar tag: "v1.1.0" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" podAnnotations: {} # True if enable volume scheduling for dynamic volume provisioning enableVolumeScheduling: false # True if enable volume resizing enableVolumeResizing: false # True if enable volume snapshot enableVolumeSnapshot: false resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} # Extra volume tags to attach to each dynamically provisioned volume. # --- # extraVolumeTags: # key1: value1 # key2: value2 extraVolumeTags: {} # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata # service. 
# --- # region: us-east-1 region: "" node: podAnnotations: {} tolerations: [] serviceAccount: controller: annotations: {} snapshot: annotations: {} ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/base/controller.yaml ================================================ --- # Controller Service kind: Deployment apiVersion: apps/v1 metadata: name: ebs-csi-controller namespace: kube-system spec: replicas: 2 selector: matchLabels: app: ebs-csi-controller template: metadata: labels: app: ebs-csi-controller spec: nodeSelector: beta.kubernetes.io/os: linux serviceAccount: ebs-csi-controller-sa priorityClassName: system-cluster-critical tolerations: - key: CriticalAddonsOnly operator: Exists containers: - name: ebs-plugin image: amazon/aws-ebs-csi-driver:latest args : # - {all,controller,node} # specify the driver mode - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: aws-secret key: key_id optional: true - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: aws-secret key: access_key optional: true # overwrite the AWS region instead of looking it up dynamically via the AWS EC2 metadata svc # - name: AWS_REGION # value: us-east-1 volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ports: - name: healthz containerPort: 9808 protocol: TCP livenessProbe: httpGet: path: /healthz port: healthz initialDelaySeconds: 10 timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 - name: csi-provisioner image: quay.io/k8scsi/csi-provisioner:v1.5.0 args: - --csi-address=$(ADDRESS) - --v=5 - --feature-gates=Topology=true - --enable-leader-election - --leader-election-type=leases env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: 
csi-attacher image: quay.io/k8scsi/csi-attacher:v1.2.0 args: - --csi-address=$(ADDRESS) - --v=5 - --leader-election=true - --leader-election-type=leases env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: liveness-probe image: quay.io/k8scsi/livenessprobe:v1.1.0 args: - --csi-address=/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /csi volumes: - name: socket-dir emptyDir: {} ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/base/csidriver.yaml ================================================ --- apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: ebs.csi.aws.com spec: attachRequired: true podInfoOnMount: false ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/base/kustomization.yaml ================================================ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kube-system resources: - controller.yaml - node.yaml - rbac.yaml - csidriver.yaml ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/base/node.yaml ================================================ --- # Node Service kind: DaemonSet apiVersion: apps/v1 metadata: name: ebs-csi-node namespace: kube-system spec: selector: matchLabels: app: ebs-csi-node template: metadata: labels: app: ebs-csi-node spec: nodeSelector: beta.kubernetes.io/os: linux hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: Exists containers: - name: ebs-plugin securityContext: privileged: true image: amazon/aws-ebs-csi-driver:latest args: - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock volumeMounts: - name: kubelet-dir mountPath: 
/var/lib/kubelet
              mountPropagation: "Bidirectional"  # mounts made inside the container propagate back to the host
            - name: plugin-dir
              mountPath: /csi
            - name: device-dir
              mountPath: /dev
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
        - name: node-driver-registrar
          image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=5
          lifecycle:
            preStop:
              exec:
                # Remove the registration socket and the CSI socket when the container stops.
                command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
        - name: liveness-probe
          image: quay.io/k8scsi/livenessprobe:v1.1.0
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
      # All four volumes are hostPath mounts: the kubelet directory, the plugin and
      # registration socket directories, and the node's /dev are mapped into the pod.
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: device-dir
          hostPath:
            path: /dev
            type: Directory

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/base/rbac.yaml
================================================
# ServiceAccount for the EBS CSI controller plus the provisioner and attacher
# ClusterRoles bound to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-csi-controller-sa
  namespace: kube-system
  #Enable if EKS IAM for SA is used
  # NOTE(review): the account ID and role name in the commented example below are
  # sample values; substitute your own. In the AWS China regions (this workshop
  # uses cn-northwest-1) IAM ARNs use the aws-cn partition, i.e.
  # arn:aws-cn:iam::<ACCOUNT_ID>:role/<ROLE_NAME>.
  #annotations:
  #  eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-provisioner-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Lease objects; ClusterRole scope means the access is not limited to one namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-provisioner-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-attacher-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-attacher-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-attacher-role
  apiGroup: rbac.authorization.k8s.io

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/cluster/crd_snapshotter.yaml
================================================ --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (devel) api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" creationTimestamp: null name: volumesnapshotclasses.snapshot.storage.k8s.io spec: group: snapshot.storage.k8s.io names: kind: VolumeSnapshotClass listKind: VolumeSnapshotClassList plural: volumesnapshotclasses singular: volumesnapshotclass scope: Cluster preserveUnknownFields: false validation: openAPIV3Schema: description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string deletionPolicy: description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. enum: - Delete - Retain type: string driver: description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string parameters: additionalProperties: type: string description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. type: object required: - deletionPolicy - driver type: object version: v1beta1 versions: - name: v1beta1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (devel) api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" creationTimestamp: null name: volumesnapshotcontents.snapshot.storage.k8s.io spec: group: snapshot.storage.k8s.io names: kind: VolumeSnapshotContent listKind: VolumeSnapshotContentList plural: volumesnapshotcontents singular: volumesnapshotcontent scope: Cluster subresources: status: {} preserveUnknownFields: false validation: openAPIV3Schema: description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string spec: description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. 
properties: deletionPolicy: description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. In dynamic snapshot creation case, this field will be filled in with the "DeletionPolicy" field defined in the VolumeSnapshotClass the VolumeSnapshot refers to. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. enum: - Delete - Retain type: string driver: description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. type: string source: description: source specifies from where a snapshot will be created. This field is immutable after creation. Required. properties: snapshotHandle: description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system. This field is immutable. type: string volumeHandle: description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. type: string type: object volumeSnapshotClassName: description: name of the VolumeSnapshotClass to which this snapshot belongs. type: string volumeSnapshotRef: description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. 
For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object required: - deletionPolicy - driver - source - volumeSnapshotRef type: object status: description: status represents the current information of a snapshot. 
properties: creationTime: description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in with the "creation_time" value returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. format: int64 type: integer error: description: error is the latest observed error during snapshot creation, if any. properties: message: description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' type: string time: description: time is the timestamp when the error was encountered. format: date-time type: string type: object readyToUse: description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in with the "ready_to_use" value returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. type: boolean restoreSize: description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in with the "size_bytes" value returned from CSI "CreateSnapshotRequest" gRPC call. 
For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. format: int64 minimum: 0 type: integer snapshotHandle: description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. type: string type: object required: - spec type: object version: v1beta1 versions: - name: v1beta1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (devel) api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" creationTimestamp: null name: volumesnapshots.snapshot.storage.k8s.io spec: group: snapshot.storage.k8s.io names: kind: VolumeSnapshot listKind: VolumeSnapshotList plural: volumesnapshots singular: volumesnapshot scope: Namespaced subresources: status: {} preserveUnknownFields: false validation: openAPIV3Schema: description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string spec: description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' properties: source: description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. properties: persistentVolumeClaimName: description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object in the same namespace as the VolumeSnapshot object where the snapshot should be dynamically taken from. This field is immutable. type: string volumeSnapshotContentName: description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object. This field is immutable. type: string type: object volumeSnapshotClassName: description: 'volumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. If not specified, the default snapshot class will be used if one exists. If not specified, and there is no default snapshot class, dynamic snapshot creation will fail. Empty string is not allowed for this field. TODO(xiangqian): a webhook validation on empty string. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes' type: string required: - source type: object status: description: 'status represents the current information of a snapshot. NOTE: status can be modified by sources other than system controllers, and must not be depended upon for accuracy. Controllers should only use information from the VolumeSnapshotContent object after verifying that the binding is accurate and complete.' 
properties: boundVolumeSnapshotContentName: description: 'boundVolumeSnapshotContentName represents the name of the VolumeSnapshotContent object to which the VolumeSnapshot object is bound. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: Specified boundVolumeSnapshotContentName alone does not mean binding is valid. Controllers MUST always verify bidirectional binding between VolumeSnapshot and VolumeSnapshotContent to avoid possible security issues.' type: string creationTime: description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in with the "creation_time" value returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates that the creation time of the snapshot is unknown. format: date-time type: string error: description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. properties: message: description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' type: string time: description: time is the timestamp when the error was encountered. format: date-time type: string type: object readyToUse: description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in with the "ready_to_use" value returned from CSI "CreateSnapshotRequest" gRPC call. 
For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. type: boolean restoreSize: description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in with the "size_bytes" value returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. type: string type: object required: - spec type: object version: v1beta1 versions: - name: v1beta1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml ================================================ kind: Deployment apiVersion: apps/v1 metadata: name: ebs-csi-controller namespace: kube-system spec: template: spec: containers: - name: csi-resizer image: quay.io/k8scsi/csi-resizer:v0.3.0 args: - --csi-address=$(ADDRESS) - --v=5 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml ================================================ kind: Deployment apiVersion: apps/v1 metadata: name: 
ebs-csi-controller namespace: kube-system spec: template: spec: containers: - name: csi-snapshotter image: quay.io/k8scsi/csi-snapshotter:v2.0.1 args: - --csi-address=$(ADDRESS) - --leader-election=true env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/kustomization.yaml ================================================ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization bases: - ../../base images: - name: amazon/aws-ebs-csi-driver newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/aws-ebs-csi-driver newTag: v0.4.0 - name: quay.io/k8scsi/csi-provisioner newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-provisioner newTag: v1.3.0 - name: quay.io/k8scsi/csi-attacher newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-attacher newTag: v1.2.0 - name: quay.io/k8scsi/livenessprobe newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-liveness-probe newTag: v1.1.0 - name: quay.io/k8scsi/csi-node-driver-registrar newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-node-driver-registrar newTag: v1.1.0 patches: - controller_add_snapshotter.yaml - controller_add_resizer.yaml resources: - rbac_add_snapshotter.yaml - rbac_add_resizer.yaml - rbac_add_snapshot_controller.yaml - snapshot_controller.yaml ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/rbac_add_resizer.yaml ================================================ --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ebs-external-resizer-role rules: # The following rule should be uncommented for plugins that require secrets # for provisioning. 
# - apiGroups: [""] # resources: ["secrets"] # verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ebs-csi-resizer-binding subjects: - kind: ServiceAccount name: ebs-csi-controller-sa namespace: kube-system roleRef: kind: ClusterRole name: ebs-external-resizer-role apiGroup: rbac.authorization.k8s.io ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/rbac_add_snapshot_controller.yaml ================================================ # RBAC file for the snapshot controller. 
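# Identity the snapshot-controller StatefulSet runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ebs-snapshot-controller
  namespace: kube-system

---
# Cluster-wide permissions of the snapshot controller: read access to PVs,
# storage classes and snapshot classes, update on PVCs and VolumeSnapshots,
# and full lifecycle on VolumeSnapshotContents.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-snapshot-controller-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshot-controller-binding
subjects:
  - kind: ServiceAccount
    name: ebs-snapshot-controller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-snapshot-controller-role
  apiGroup: rbac.authorization.k8s.io

---
# Namespaced permissions on Lease objects in kube-system, used for leader election.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-snapshot-controller-leaderelection
  namespace: kube-system
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: snapshot-controller-leaderelection
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: ebs-snapshot-controller
    namespace: kube-system
roleRef:
  kind: Role
  # Fixed: this used to reference "snapshot-controller-leaderelection", a Role
  # that this file never defines (the Role above carries the "ebs-" prefix).
  # A binding to a missing Role grants nothing today, but it would silently
  # take effect for whatever Role is later created under that name.
  # roleRef is immutable: if the old binding is already applied, delete it
  # before re-applying this manifest.
  name: ebs-snapshot-controller-leaderelection
  apiGroup: rbac.authorization.k8s.io
================================================
FILE: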
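china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml
================================================
---
# Permissions for the csi-snapshotter sidecar. They are bound below to
# ebs-csi-controller-sa, so every container sharing that service account
# holds them as well.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-external-snapshotter-role
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Granted through a ClusterRoleBinding, this is read access to every Secret
  # in every namespace.
  # NOTE(review): presumably only needed when a VolumeSnapshotClass references
  # a secret; confirm, and drop the rule if it is not.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  # The original listed this volumesnapshotcontents rule twice; RBAC rules are
  # additive, so the duplicate is dropped without changing what is granted.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  # No resourceNames restriction: this allows creating and deleting any CRD in
  # the cluster, and deleting a CRD removes all of its custom resources.
  # NOTE(review): cluster/crd_snapshotter.yaml already ships the snapshot CRDs
  # as static manifests; confirm the sidecar still needs this rule.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "list", "watch", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ebs-csi-snapshotter-binding
subjects:
  - kind: ServiceAccount
    name: ebs-csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ebs-external-snapshotter-role
  apiGroup: rbac.authorization.k8s.io
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/alpha/snapshot_controller.yaml
================================================
---
kind: StatefulSet
apiVersion: apps/v1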
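metadata:
  name: ebs-snapshot-controller
  namespace: kube-system
spec:
  serviceName: ebs-snapshot-controller
  # Leader election is disabled in args below.
  # NOTE(review): presumably replicas must stay at 1 for that reason; confirm.
  replicas: 1
  selector:
    matchLabels:
      app: ebs-snapshot-controller
  template:
    metadata:
      labels:
        app: ebs-snapshot-controller
    spec:
      # serviceAccountName replaces the deprecated alias "serviceAccount".
      serviceAccountName: ebs-snapshot-controller
      containers:
        # NOTE(review): no securityContext or resource limits are set, and the
        # spec mounts no volumes; a restrictive securityContext is worth
        # evaluating for this container.
        - name: snapshot-controller
          image: quay.io/k8scsi/snapshot-controller:v2.0.1
          args:
            - --v=5
            - --leader-election=false
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/dev/kustomization.yaml
================================================
# Development overlay: swaps the driver image referenced by the base manifests.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../base
images:
# base/node.yaml runs this image privileged, on the host network, with the
# host's /dev and kubelet directory mounted. With the mutable "latest" tag,
# whatever is pushed to this repository next runs with that access on every
# node. Keep this overlay to throwaway clusters; anywhere else, pin the image
# with kustomize's "digest:" field.
- name: amazon/aws-ebs-csi-driver
  newTag: latest
  newName: chengpan/aws-ebs-csi-driver
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/kustomization.yaml
================================================
# Stable overlay: redirects the driver and sidecar images to an ECR registry
# in cn-northwest-1 with fixed version tags. A tag can still be re-pushed;
# "digest:" makes the reference immutable.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- ../../base
images:
- name: amazon/aws-ebs-csi-driver
  newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/aws-ebs-csi-driver
  newTag: v0.4.0
- name: quay.io/k8scsi/csi-provisioner
  newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-provisioner
  newTag: v1.3.0
- name: quay.io/k8scsi/csi-attacher
  newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-attacher
  newTag: v1.2.0
- name: quay.io/k8scsi/livenessprobe
  newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-liveness-probe
  newTag: v1.1.0
- name: quay.io/k8scsi/csi-node-driver-registrar
  newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-node-driver-registrar
  newTag: v1.1.0
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/deploy/kubernetes/secret.yaml
================================================
apiVersion: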
v1
kind: Secret
# Template for static IAM access keys; both values are empty placeholders.
# NOTE(review): presumably read by the controller Deployment; confirm against
# controller.yaml.
# Anyone who can read Secrets in kube-system can read these keys, and they do
# not expire on their own. base/rbac.yaml carries a commented-out
# eks.amazonaws.com/role-arn annotation for IAM roles for service accounts;
# prefer that and leave this Secret unapplied. Never commit it with values
# filled in.
# The policy that follows allows volume and snapshot create, attach and delete
# on Resource "*"; scoping it with tag conditions is worth evaluating.
metadata:
  name: aws-secret
  namespace: kube-system
stringData:
  key_id: ""
  access_key: ""
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/ebs-csi-iam-policy.json
================================================
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume"
      ],
      "Resource": "*"
    }
  ]
}
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/block-volume/README.md
================================================
## Raw Block Volume
This example shows how to consume a dynamically-provisioned EBS volume as a raw block device.

### Edit [Persistence Volume Claim Spec](./specs/raw-claim.yaml)
Make sure the `volumeMode` is `Block`.

### Edit [Application Pod](./specs/pod.yaml)
Make sure the pod is consuming the PVC with the defined name and `volumeDevices` is used instead of `volumeMounts`.
### Deploy the Application ```sh kubectl apply -f examples/kubernetes/block-volume/specs/storageclass.yaml kubectl apply -f examples/kubernetes/block-volume/specs/raw-claim.yaml kubectl apply -f examples/kubernetes/block-volume/specs/pod.yaml ``` ### Access Block Device After the objects are created, verify that pod is running: ```sh $ kubectl get pods NAME READY STATUS RESTARTS AGE app 1/1 Running 0 16m ``` Verify the device node is mounted inside the container: ```sh $ kubectl exec -ti app -- ls -al /dev/xvda brw-rw---- 1 root disk 202, 23296 Mar 12 04:23 /dev/xvda ``` Write to the device using: ```sh dd if=/dev/zero of=/dev/xvda bs=1024k count=100 100+0 records in 100+0 records out 104857600 bytes (105 MB, 100 MiB) copied, 0.0492386 s, 2.1 GB/s ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/block-volume/specs/pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: busybox command: ["/bin/sh", "-c"] args: ["tail -f /dev/null"] volumeDevices: - name: data devicePath: /dev/xvda volumes: - name: data persistentVolumeClaim: claimName: block-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/block-volume/specs/raw-claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: block-claim spec: accessModes: - ReadWriteOnce volumeMode: Block storageClassName: ebs-sc resources: requests: storage: 10Gi ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/block-volume/specs/storageclass.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer 
================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/README.md ================================================ # Dynamic Volume Provisioning This example shows how to create a EBS volume and consume it from container dynamically. ## Prerequisites 1. Kubernetes 1.13+ (CSI 1.0). 1. The [aws-ebs-csi-driver driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) is installed. ## Usage 1. Create a sample app along with the StorageClass and the PersistentVolumeClaim: ``` kubectl apply -f specs/ ``` 2. Validate the volume was created and `volumeHandle` contains an EBS volumeID: ``` kubectl describe pv ``` 3. Validate the pod successfully wrote data to the volume: ``` kubectl exec -it app cat /data/out.txt ``` 4. Cleanup resources: ``` kubectl delete -f specs/ ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/specs/claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-claim spec: accessModes: - ReadWriteOnce storageClassName: ebs-sc resources: requests: storage: 4Gi ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/specs/pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: busybox command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/specs/storageclass.yaml 
================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/resizing/README.md ================================================ ## Volume Resizing This example shows how to resize an EBS persistent volume using the volume resizing feature. **Note** 1. CSI volume resizing is still alpha as of Kubernetes 1.15 2. EBS has a limit of one volume modification every 6 hours. Refer to [EBS documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVolume.html) for more details. ## Usage 1. Add `allowVolumeExpansion: true` in the StorageClass spec in [example manifest](./specs/example.yaml) to enable volume expansion. You can only expand a PVC if its storage class’s `allowVolumeExpansion` field is set to true. 2. Deploy the example: ```sh kubectl apply -f specs/ ``` 3. Verify the volume is created and Pod is running: ```sh kubectl get pv kubectl get po app ``` 4. Expand the volume size by increasing the capacity in PVC's `spec.resources.requests.storage`: ```sh kubectl edit pvc ebs-claim ``` Save the result at the end of the edit. 5. Verify that both the persistent volume and the persistent volume claim are resized: ```sh kubectl get pv kubectl get pvc ``` You should see that both have the new value reflected in the capacity fields. 6. Verify that the application is continuously running without any interruption: ```sh kubectl exec -it app cat /data/out.txt ``` 7. 
Cleanup resources: ``` kubectl delete -f specs/ ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/resizing/spec/example.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: resize-sc provisioner: ebs.csi.aws.com allowVolumeExpansion: true --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-claim spec: accessModes: - ReadWriteOnce storageClassName: resize-sc resources: requests: storage: 4Gi --- apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: centos command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/README.md ================================================ # Volume Snapshots ## Overview This driver implements basic volume snapshotting functionality using the [external snapshotter](https://github.com/kubernetes-csi/external-snapshotter) sidecar and creates snapshots of EBS volumes using the `VolumeSnapshot` custom resources. ## Prerequisites 1. Kubernetes 1.13+ (CSI 1.0). 1. The `VolumeSnapshotDataSource` must be set in `--feature-gates=` in the `kube-apiserver`. 1. The [aws-ebs-csi-driver driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) is installed. ### Usage 1. Create the `StorageClass` and `VolumeSnapshotClass`: ``` kubectl apply -f specs/classes/ ``` 2. Create a sample app and the `PersistentVolumeClaim`: ``` kubectl apply -f specs/app/ ``` 3. Validate the volume was created and `volumeHandle` contains an EBS volumeID: ``` kubectl describe pv ``` 4. 
Validate the pod successfully wrote data to the volume, taking note of the timestamp of the first entry: ``` kubectl exec -it app cat /data/out.txt ``` 5. Create a `VolumeSnapshot` referencing the `PersistentVolumeClaim` name: ``` kubectl apply -f specs/snapshot/ ``` 6. Wait for the `Ready To Use: true` attribute of the `VolumeSnapshot`: ``` kubectl describe volumesnapshot.snapshot.storage.k8s.io ebs-volume-snapshot ``` 7. Delete the existing app: ``` kubectl delete -f specs/app/ ``` 8. Restore a volume from the snapshot with a `PersistentVolumeClaim` referencing the `VolumeSnapshot` in its `dataSource`: ``` kubectl apply -f specs/snapshot-restore/ ``` 9. Validate the new pod has the restored data by comparing the timestamp of the first entry to that of in step 4: ``` kubectl exec -it app cat /data/out.txt ``` 10. Cleanup resources: ``` kubectl delete -f specs/snapshot-restore kubectl delete -f specs/snapshot kubectl delete -f specs/classes ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/app/claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-claim spec: accessModes: - ReadWriteOnce storageClassName: ebs-sc resources: requests: storage: 4Gi ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/app/pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: centos command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-claim ================================================ FILE: 
china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/classes/snapshotclass.yaml ================================================ apiVersion: snapshot.storage.k8s.io/v1beta1 kind: VolumeSnapshotClass metadata: name: csi-aws-vsc driver: ebs.csi.aws.com deletionPolicy: Delete ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/classes/storageclass.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/snapshot/snapshot.yaml ================================================ apiVersion: snapshot.storage.k8s.io/v1beta1 kind: VolumeSnapshot metadata: name: ebs-volume-snapshot spec: volumeSnapshotClassName: csi-aws-vsc source: persistentVolumeClaimName: ebs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/snapshot-import/volume-snapshot-content.yaml ================================================ apiVersion: snapshot.storage.k8s.io/v1beta1 kind: VolumeSnapshotContent metadata: name: static-snapshot-content spec: volumeSnapshotRef: kind: VolumeSnapshot name: static-snapshot-demo namespace: default source: snapshotHandle: snap-0fba4d7649d765c50 driver: ebs.csi.aws.com volumeSnapshotClassName: csi-aws-vsc ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/snapshot-import/volume-snapshot.yaml ================================================ apiVersion: snapshot.storage.k8s.io/v1beta1 kind: VolumeSnapshot metadata: name: static-snapshot-demo namespace: 
default spec: volumeSnapshotClassName: csi-aws-vsc source: volumeSnapshotContentName: static-snapshot-content ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/snapshot-restore/claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-snapshot-restored-claim spec: accessModes: - ReadWriteOnce storageClassName: ebs-sc resources: requests: storage: 4Gi dataSource: name: ebs-volume-snapshot kind: VolumeSnapshot apiGroup: snapshot.storage.k8s.io ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/snapshot/specs/snapshot-restore/pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: centos command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-snapshot-restored-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/static-provisioning/README.md ================================================ # Static Provisioning This example shows how to create and consume a persistent volume from an existing EBS volume using static provisioning. ## Usage 1. Edit the PersistentVolume spec in [example manifest](./specs/example.yaml). Update `volumeHandle` with the ID of the EBS volume that you are going to use, and update the `fsType` with the filesystem type of the volume. In this example, I have a pre-created EBS volume in the us-east-1c availability zone and it is formatted with the xfs filesystem. 
``` apiVersion: v1 kind: PersistentVolume metadata: name: test-pv spec: capacity: storage: 50Gi volumeMode: Filesystem accessModes: - ReadWriteOnce storageClassName: ebs-sc csi: driver: ebs.csi.aws.com volumeHandle: {volumeId} fsType: xfs nodeAffinity: required: nodeSelectorTerms: - matchExpressions: - key: topology.ebs.csi.aws.com/zone operator: In values: - us-east-1c ``` Note that node affinity is used here because the EBS volume is created in us-east-1c, so only nodes in the same AZ can consume this persistent volume. 2. Deploy the example: ```sh kubectl apply -f specs/ ``` 3. Verify application pod is running: ```sh kubectl describe po app ``` 4. Validate the pod successfully wrote data to the volume: ```sh kubectl exec -it app cat /data/out.txt ``` 5. Cleanup resources: ```sh kubectl delete -f specs/ ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/static-provisioning/specs/example.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer reclaimPolicy: Retain --- apiVersion: v1 kind: PersistentVolume metadata: name: test-pv spec: capacity: storage: 50Gi volumeMode: Filesystem accessModes: - ReadWriteOnce storageClassName: ebs-sc csi: driver: ebs.csi.aws.com volumeHandle: vol-05786ec9ec9526b67 fsType: xfs nodeAffinity: required: nodeSelectorTerms: - matchExpressions: - key: topology.ebs.csi.aws.com/zone operator: In values: - us-east-1c --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-claim spec: accessModes: - ReadWriteOnce storageClassName: ebs-sc resources: requests: storage: 50Gi --- apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: centos command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: 
/data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/storageclass/README.md ================================================ # Configuring StorageClass This example shows how to configure Kubernetes storageclass to provision EBS volumes with various configuration parameters. The EBS CSI driver is compatible with the in-tree EBS plugin's StorageClass parameters. For the full list of in-tree EBS plugin parameters, please refer to Kubernetes documentation of [StorageClass Parameter](https://kubernetes.io/docs/concepts/storage/storage-classes/#aws-ebs). ## Usage 1. Edit the StorageClass spec in [example manifest](./specs/example.yaml) and update storageclass parameters to the desired values. In this example, an `io1` EBS volume will be created and formatted to `xfs` filesystem with encryption enabled using the default KMS key. The manifest sets `encrypted: "true"` without a `kmsKeyId`, which is why the default key is used; set `kmsKeyId` if volumes must be encrypted with a customer-managed key. 2. Deploy the example: ```sh kubectl apply -f specs/ ``` 3. Verify the volume is created: ```sh kubectl describe pv ``` 4. Validate the pod successfully wrote data to the volume: ```sh kubectl exec -it app cat /data/out.txt ``` 5. 
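Cleanup resources: ```sh kubectl delete -f specs/ ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/examples/kubernetes/storageclass/specs/example.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer parameters: csi.storage.k8s.io/fstype: xfs type: io1 iopsPerGB: "50" encrypted: "true" allowedTopologies: - matchLabelExpressions: - key: topology.ebs.csi.aws.com/zone values: - us-east-1a --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ebs-claim spec: accessModes: - ReadWriteOnce storageClassName: ebs-sc resources: requests: storage: 4Gi --- apiVersion: v1 kind: Pod metadata: name: app spec: containers: - name: app image: centos command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: ebs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-ebs-csi-driver/updaterole.sh ================================================
# Attach the IAM policy given as the first argument to the node-group roles.
# Usage: updaterole.sh <csi-policy-arn>
#
# NOTE(review): the filter below selects every IAM role in the account whose
# name contains "nodegr", not only the roles of a single cluster. Check the
# "attach [...] to [...]" lines it prints when the account hosts more than
# one cluster, and detach the policy from roles that do not need it.

# Without a policy ARN every attach call below would fail; stop early instead.
if [ -z "$1" ]; then
  echo "usage: $0 <csi-policy-arn>" >&2
  exit 1
fi

echo "CSI Policy ARN| $1"
CSI_ARN=$1
ROLES=$(aws iam list-roles --query 'Roles[?contains(RoleName,`nodegr`)].RoleName' --output text)
# $ROLES stays unquoted on purpose: --output text separates the names with whitespace.
for i in $ROLES
do
  # Quoted so that [..] is printed literally instead of being treated as a glob pattern.
  echo "attach [$CSI_ARN] to [$i]"
  aws iam attach-role-policy \
    --policy-arn "$CSI_ARN" \
    --role-name "$i" \
    --region cn-northwest-1
done
================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.dockerignore ================================================ vendor/ ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/ISSUE_TEMPLATE/bug_report.md ================================================ --- name: Bug report about: Create a report to help us 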
improve EBS CSI Driver labels: --- /kind bug **What happened?** **What you expected to happen?** **How to reproduce it (as minimally and precisely as possible)?** **Anything else we need to know?**: **Environment** - Kubernetes version (use `kubectl version`): - Driver version: ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/ISSUE_TEMPLATE/enhancement-request.md ================================================ --- name: Enhancement request about: Suggest an idea for this project labels: --- **Is your feature request related to a problem?/Why is this needed** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] /feature **Describe the solution you'd like in detail** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here. ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/ISSUE_TEMPLATE/feature_request.md ================================================ --- name: Feature request about: Suggest an idea for this project labels: --- **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] **Describe the solution you'd like in detail** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here. 
================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/ISSUE_TEMPLATE/support-request.md ================================================ --- name: Support request about: Ask questions about the driver labels: --- /triage support ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/PULL_REQUEST_TEMPLATE.md ================================================ **Is this a bug fix or adding new feature?** **What is this PR about? / Why do we need it?** **What testing is done?** ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.github/workflows/container-image.yaml ================================================ name: Container Images on: push jobs: build: # this is to prevent the job to run at forked projects if: github.repository == 'kubernetes-sigs/aws-efs-csi-driver' runs-on: ubuntu-latest steps: - uses: actions/checkout@v1 - name: Build container image run: | docker build -t aws-efs-csi-driver . 
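- name: Push to Github registry
  # The secret is handed to the script through the environment instead of
  # being expanded into the script text by the workflow templating.
  env:
    REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
  run: |
    USER=$(echo "$GITHUB_REPOSITORY" | cut -d'/' -f1)
    BRANCH=$(echo "$GITHUB_REF" | cut -d'/' -f3)
    IMAGE=aws-efs-csi-driver
    if [ "$BRANCH" = "master" ]; then
      TAG="latest"
    else
      TAG=$BRANCH
    fi
    # Token goes in on stdin: with -p it is part of the docker command line.
    printf '%s' "$REGISTRY_TOKEN" | docker login docker.pkg.github.com -u "$USER" --password-stdin
    docker tag aws-efs-csi-driver "docker.pkg.github.com/$GITHUB_REPOSITORY/$IMAGE:$TAG"
    docker push "docker.pkg.github.com/$GITHUB_REPOSITORY/$IMAGE:$TAG"
- name: Push to Dockerhub registry
  env:
    DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
    DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
  run: |
    BRANCH=$(echo "$GITHUB_REF" | cut -d'/' -f3)
    REPO=amazon/aws-efs-csi-driver
    if [ "$BRANCH" = "master" ]; then
      TAG="latest"
    else
      TAG=$BRANCH
    fi
    # Same as above: credentials come from the environment, the token via stdin.
    printf '%s' "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin
    docker tag aws-efs-csi-driver "$REPO:$TAG"
    docker push "$REPO:$TAG"
================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.gitignore ================================================ *.swp bin/ vendor/ ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/.travis.yml ================================================ language: go go_import_path: github.com/kubernetes-sigs/aws-efs-csi-driver env: global: - GO111MODULE=on go: - "1.13.4" before_install: - go get github.com/mattn/goveralls script: - make - go test -covermode=count -coverprofile=profile.cov $(go list ./pkg/... | grep -v /driver) # TODO stop skipping controller tests when controller is implemented - go test -covermode=count -coverprofile=profile.cov ./pkg/driver/... 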
-ginkgo.skip='\[Controller.Server\]' - $GOPATH/bin/goveralls -coverprofile=profile.cov -service=travis-ci ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/deploy/kubernetes/base/csidriver.yaml ================================================ --- apiVersion: storage.k8s.io/v1beta1 kind: CSIDriver metadata: name: efs.csi.aws.com spec: attachRequired: false ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/deploy/kubernetes/base/kustomization.yaml ================================================ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kube-system resources: - node.yaml - csidriver.yaml ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/deploy/kubernetes/base/node.yaml ================================================ --- # Node Service kind: DaemonSet apiVersion: apps/v1 metadata: name: efs-csi-node namespace: kube-system spec: selector: matchLabels: app: efs-csi-node template: metadata: labels: app: efs-csi-node spec: nodeSelector: beta.kubernetes.io/os: linux hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: Exists containers: - name: efs-plugin securityContext: privileged: true image: amazon/aws-efs-csi-driver:latest args: - --endpoint=$(CSI_ENDPOINT) - --logtostderr - --v=5 env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet mountPropagation: "Bidirectional" - name: plugin-dir mountPath: /csi - name: efs-state-dir mountPath: /var/run/efs ports: - containerPort: 9809 name: healthz protocol: TCP livenessProbe: httpGet: path: /healthz port: healthz initialDelaySeconds: 10 timeoutSeconds: 3 periodSeconds: 2 failureThreshold: 5 - name: csi-driver-registrar image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 args: - --csi-address=$(ADDRESS) - 
--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v=5 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration - name: liveness-probe imagePullPolicy: Always image: quay.io/k8scsi/livenessprobe:v1.1.0 args: - --csi-address=/csi/csi.sock - --health-port=9809 volumeMounts: - mountPath: /csi name: plugin-dir volumes: - name: kubelet-dir hostPath: path: /var/lib/kubelet type: Directory - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: Directory - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/efs.csi.aws.com/ type: DirectoryOrCreate - name: efs-state-dir hostPath: path: /var/run/efs type: DirectoryOrCreate ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/kustomization.yaml ================================================ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization bases: - ../../base images: - name: amazon/aws-efs-csi-driver newTag: v0.3.0 newName: amazon/aws-efs-csi-driver - name: quay.io/k8scsi/livenessprobe newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-liveness-probe newTag: v1.1.0 - name: quay.io/k8scsi/csi-node-driver-registrar newName: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/eks/csi-node-driver-registrar newTag: v1.1.0 ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/README.md ================================================ ## Encryption in Transit This example shows how to make a static provisioned EFS persistence volume (PV) mounted inside container with encryption in transit enabled. 
**Note**: this example requires Kubernetes v1.13+ ### Edit [Persistence Volume Spec](./specs/pv.yaml) ``` apiVersion: v1 kind: PersistentVolume metadata: name: efs-pv spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Retain storageClassName: efs-sc mountOptions: - tls csi: driver: efs.csi.aws.com volumeHandle: [FileSystemId] ``` Note that encryption in transit is enabled using mount option `tls`. Replace `VolumeHandle` value with `FileSystemId` of the EFS filesystem that needs to be mounted. You can find it using AWS CLI: ```sh >> aws efs describe-file-systems --query "FileSystems[*].FileSystemId" ``` ### Deploy the Example Create PV, persistence volume claim (PVC) and storage class: ```sh >> kubectl apply -f examples/kubernetes/encryption_in_transit/specs/storageclass.yaml >> kubectl apply -f examples/kubernetes/encryption_in_transit/specs/pv.yaml >> kubectl apply -f examples/kubernetes/encryption_in_transit/specs/claim.yaml >> kubectl apply -f examples/kubernetes/encryption_in_transit/specs/pod.yaml ``` ### Check EFS filesystem is used After the objects are created, verify that pod is running: ```sh >> kubectl get pods ``` Also you can verify that data is written onto EFS filesystem: ```sh >> kubectl exec -ti efs-app -- tail -f /data/out.txt ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/specs/claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: efs-claim spec: accessModes: - ReadWriteOnce storageClassName: efs-sc resources: requests: storage: 5Gi ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/specs/pod.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: efs-app spec: 
containers: - name: app image: busybox command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: efs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/specs/pv.yaml ================================================ apiVersion: v1 kind: PersistentVolume metadata: name: efs-pv spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Retain storageClassName: efs-sc mountOptions: - tls csi: driver: efs.csi.aws.com volumeHandle: fs-4af69aab ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/specs/storageclass.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: efs-sc provisioner: efs.csi.aws.com mountOptions: - tls ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/README.md ================================================ ## Multiple Pods Read Write Many This example shows how to create a static provisioned EFS persistence volume (PV) and access it from multiple pods with RWX access mode. ### Edit Persistent Volume Edit persistent volume using sample [spec](./specs/pv.yaml): ``` apiVersion: v1 kind: PersistentVolume metadata: name: efs-pv spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteMany persistentVolumeReclaimPolicy: Retain storageClassName: efs-sc csi: driver: efs.csi.aws.com volumeHandle: [FileSystemId] ``` Replace `volumeHandle` value with `FileSystemId` of the EFS filesystem that needs to be mounted. 
Note that the access mode is `RWX` which means the PV can be read and written from multiple pods. You can get `FileSystemId` using AWS CLI: ```sh >> aws efs describe-file-systems --query "FileSystems[*].FileSystemId" ``` ### Deploy the Example Application Create PV, persistence volume claim (PVC), storageclass and the pods that consume the PV: ```sh >> kubectl apply -f examples/kubernetes/multiple_pods/specs/storageclass.yaml >> kubectl apply -f examples/kubernetes/multiple_pods/specs/pv.yaml >> kubectl apply -f examples/kubernetes/multiple_pods/specs/claim.yaml >> kubectl apply -f examples/kubernetes/multiple_pods/specs/pod1.yaml >> kubectl apply -f examples/kubernetes/multiple_pods/specs/pod2.yaml ``` In the example, both pod1 and pod2 are writing to the same EFS filesystem at the same time. ### Check the Application uses EFS filesystem After the objects are created, verify that pod is running: ```sh >> kubectl get pods ``` Also verify that data is written onto EFS filesystem from both pods: ```sh >> kubectl exec -ti app1 -- tail -f /data/out1.txt >> kubectl exec -ti app2 -- tail -f /data/out2.txt ``` ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/specs/claim.yaml ================================================ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: efs-claim spec: accessModes: - ReadWriteMany storageClassName: efs-sc resources: requests: storage: 5Gi ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/specs/pod1.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app1 spec: containers: - name: app1 image: busybox command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage 
persistentVolumeClaim: claimName: efs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/specs/pod2.yaml ================================================ apiVersion: v1 kind: Pod metadata: name: app2 spec: containers: - name: app2 image: busybox command: ["/bin/sh"] args: ["-c", "while true; do echo $(date -u) >> /data/out2.txt; sleep 5; done"] volumeMounts: - name: persistent-storage mountPath: /data volumes: - name: persistent-storage persistentVolumeClaim: claimName: efs-claim ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/specs/pv.yaml ================================================ apiVersion: v1 kind: PersistentVolume metadata: name: efs-pv spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteMany persistentVolumeReclaimPolicy: Retain storageClassName: efs-sc csi: driver: efs.csi.aws.com volumeHandle: fs-9c48a679 ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/multiple_pods/specs/storageclass.yaml ================================================ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: efs-sc provisioner: efs.csi.aws.com ================================================ FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/statefulset/README.md ================================================ ## Use in Stateful Set This example shows how to consume EFS filesystem from StatefulSets using the driver. Before the example, refer to [StatefulSets](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) for what it is. 
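## Deploy the example

```sh
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/statefulset/specs/example.yaml
```

The URL above tracks the upstream `master` branch, so the manifest it returns can change over time. Review it before applying, or apply the copy kept next to this README in [specs/example.yaml](./specs/example.yaml).

## Check the StatefulSets Application

Check that the StatefulSet is deployed successfully:

```sh
$ kubectl get sts
NAME          READY   AGE
efs-app-sts   3/3     70m
```

Check the pods are running:

```sh
$ kubectl get po
NAME            READY   STATUS    RESTARTS   AGE
efs-app-sts-0   1/1     Running   0          71m
efs-app-sts-1   1/1     Running   0          71m
efs-app-sts-2   1/1     Running   0          71m
```

Check data are written onto EFS filesystem:

```sh
$ kubectl exec -ti efs-app-sts-0 -- tail -f /efs-data/out.txt
Mon May 6 00:50:15 UTC 2019
Mon May 6 00:50:18 UTC 2019
Mon May 6 00:50:19 UTC 2019
Mon May 6 00:50:20 UTC 2019
Mon May 6 00:50:23 UTC 2019
Mon May 6 00:50:24 UTC 2019
Mon May 6 00:50:25 UTC 2019
Mon May 6 00:50:28 UTC 2019
Mon May 6 00:50:29 UTC 2019
Mon May 6 00:50:30 UTC 2019
```

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/statefulset/specs/example.yaml
================================================
# Statically provisioned EFS volume shared by every replica of the StatefulSet below.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  # Encrypt NFS traffic between the node and EFS in transit; the volume_path
  # example in this directory tree sets the same option on its PVs.
  mountOptions:
    - tls
  csi:
    driver: efs.csi.aws.com
    # Sample FileSystemId; replace it with the ID of your own EFS filesystem.
    volumeHandle: fs-4af69aab
---
# Claim that the pods mount; it asks for the same storage class and access mode as efs-pv.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: efs-app-sts
spec:
  selector:
    matchLabels:
      app: test-efs
  # No Service named efs-app is defined in this manifest.
  serviceName: efs-app
  replicas: 3
  template:
    metadata:
      labels:
        app: test-efs
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: linux
        image: amazonlinux:2
        command: ["/bin/sh"]
        # Every replica mounts the same claim, so all three append to the same out.txt.
        args: ["-c", "while true; do echo $(date -u) >> /efs-data/out.txt; sleep 5; done"]
        volumeMounts:
        - name: efs-storage
          mountPath: /efs-data
      volumes:
      - name: efs-storage
        persistentVolumeClaim:
          claimName: efs-claim
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/static_provisioning/README.md
================================================
## Static Provisioning

This example shows how to mount a statically provisioned EFS persistent volume (PV) inside a container.

### Edit [Persistent Volume Spec](./specs/pv.yaml)

```
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
```

Replace the `volumeHandle` value with the `FileSystemId` of the EFS filesystem that needs to be mounted.

You can find it using the AWS CLI:

```sh
>> aws efs describe-file-systems --query "FileSystems[*].FileSystemId"
```

### Deploy the Example Application

Create the storage class, PV, persistent volume claim (PVC) and example pod:

```sh
>> kubectl apply -f examples/kubernetes/static_provisioning/specs/storageclass.yaml
>> kubectl apply -f examples/kubernetes/static_provisioning/specs/pv.yaml
>> kubectl apply -f examples/kubernetes/static_provisioning/specs/claim.yaml
>> kubectl apply -f examples/kubernetes/static_provisioning/specs/pod.yaml
```

### Check EFS filesystem is used

After the objects are created, verify that the pod is running:

```sh
>> kubectl get pods
```

You can also verify that data is written to the EFS filesystem:

```sh
>> kubectl exec -ti efs-app -- tail -f /data/out.txt
```

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/static_provisioning/specs/claim.yaml
================================================
# Requests the same storage class and access mode as the PV shown in the README.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi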
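================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/static_provisioning/specs/pod.yaml
================================================
# Example pod: appends a UTC timestamp to /data/out.txt on the EFS-backed claim every 5 seconds.
apiVersion: v1
kind: Pod
metadata:
  name: efs-app
spec:
  containers:
  - name: app
    # `busybox` carries no tag, so the pod runs whatever `latest` resolves to at
    # pull time; pin a tag or digest when the run needs to be repeatable.
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: persistent-storage
      mountPath: /data
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/static_provisioning/specs/pv.yaml
================================================
# Statically provisioned PV that points the EFS CSI driver at an existing filesystem.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  # Encrypt NFS traffic between the node and EFS in transit; the volume_path
  # example in this directory tree sets the same option on its PVs.
  mountOptions:
    - tls
  csi:
    driver: efs.csi.aws.com
    # Sample FileSystemId; replace it with the ID of your own EFS filesystem (see README).
    volumeHandle: fs-9c48a679
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/static_provisioning/specs/storageclass.yaml
================================================
# Storage class name shared by the PV and PVC of this example.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/volume_path/README.md
================================================
## EFS Volume Path

This example is similar to the [static provisioning example](../static_provisioning), but mounts a sub directory of the EFS filesystem inside the container. This gives the cluster operator the flexibility to restrict how much of the data on EFS each container can access. The restriction applies to what is mounted through a given PV; the PV spec by itself does not stop another PV from referencing a different path on the same filesystem.

**Note**: this feature requires the sub directory to already exist on EFS before the pod consumes the volume.
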
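### Edit [Persistent Volume Spec](./specs/example.yaml)

```
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv1
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  mountOptions:
    - tls
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]:[Path]
```

Replace `FileSystemId` with the ID of the EFS filesystem that needs to be mounted, and replace `Path` with an existing path on that filesystem.

You can find the filesystem ID using the AWS CLI:

```sh
>> aws efs describe-file-systems --query "FileSystems[*].FileSystemId"
```

### Deploy the Example Application

Create the storage class, PVs, persistent volume claims (PVCs) and the example pod:

```sh
>> kubectl apply -f examples/kubernetes/volume_path/specs/example.yaml
```

### Check EFS filesystem is used

After the objects are created, verify that the pod is running:

```sh
>> kubectl get pods
```

You can also verify that data is written to the EFS filesystem:

```sh
>> kubectl exec -ti efs-app -- tail -f /data-dir1/out.txt
>> kubectl exec -ti efs-app -- ls /data-dir2
```

================================================
FILE: china/2020_EKS_Launch_Workshop/resource/aws-efs-csi-driver/examples/kubernetes/volume_path/specs/example.yaml
================================================
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
---
# First PV: exposes only /dir1 of the filesystem.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv1
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  # Encrypts NFS traffic between the node and EFS in transit.
  mountOptions:
    - tls
  csi:
    driver: efs.csi.aws.com
    # <FileSystemId>:<Path>; the ID is a sample value and /dir1 must already exist on the filesystem.
    volumeHandle: fs-e8a95a42:/dir1
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim1
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
---
# Second PV: same filesystem, different sub directory (/dir2).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv2
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  mountOptions:
    - tls
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-e8a95a42:/dir2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim2
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: efs-app
spec:
  containers:
  - name: app
    # `busybox` carries no tag, so the pod runs whatever `latest` resolves to at pull time.
    image: busybox
    command: ["/bin/sh"]
    # The loop writes only to /data-dir1; /data-dir2 is mounted but not written by this pod.
    args: ["-c", "while true; do echo $(date -u) >> /data-dir1/out.txt; sleep 5; done"]
    volumeMounts:
    - name: efs-volume-1
      mountPath: /data-dir1
    - name: efs-volume-2
      mountPath: /data-dir2
  volumes:
  - name: efs-volume-1
    persistentVolumeClaim:
      claimName: efs-claim1
  - name: efs-volume-2
    persistentVolumeClaim:
      claimName: efs-claim2
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/cluster-autoscaler/cluster_autoscaler.yml
================================================
---
# Identity the autoscaler pod runs as inside the cluster.
# NOTE(review): there is no eks.amazonaws.com/role-arn annotation here, so the
# autoscaler's AWS calls presumably use the node instance role, which every pod
# on that node can also reach. Confirm against the workshop steps.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-addon: cluster-autoscaler.addons.k8s.io
    k8s-app: cluster-autoscaler
  name: cluster-autoscaler
  namespace: kube-system
---
# Cluster-wide permissions. Most rules are read-only (watch/list/get); the write
# verbs cover events and endpoints, pod eviction, pod status, node updates and job patches.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-autoscaler
  labels:
    k8s-addon: cluster-autoscaler.addons.k8s.io
    k8s-app: cluster-autoscaler
rules:
  - apiGroups: [""]
    resources: ["events", "endpoints"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["pods/eviction"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["cluster-autoscaler"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["watch", "list", "get", "update"]
  - apiGroups: [""]
    resources:
      - "pods"
      - "services"
      - "replicationcontrollers"
      - "persistentvolumeclaims"
      - "persistentvolumes"
    verbs: ["watch", "list", "get"]
  - apiGroups: ["extensions"]
    resources: ["replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["watch", "list"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "patch"]
---
# Namespaced to kube-system: may create ConfigMaps there, but can only read,
# update or delete the two ConfigMaps named in the second rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cluster-autoscaler
  namespace: kube-system
  labels:
    k8s-addon: cluster-autoscaler.addons.k8s.io
    k8s-app: cluster-autoscaler
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["cluster-autoscaler-status", "cluster-autoscaler-priority-expander"]
    verbs: ["delete", "get", "update", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-autoscaler
  labels:
    k8s-addon: cluster-autoscaler.addons.k8s.io
    k8s-app: cluster-autoscaler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-autoscaler
subjects:
  - kind: ServiceAccount
    name: cluster-autoscaler
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-autoscaler
  namespace: kube-system
  labels:
    k8s-addon: cluster-autoscaler.addons.k8s.io
    k8s-app: cluster-autoscaler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-autoscaler
subjects:
  - kind: ServiceAccount
    name: cluster-autoscaler
    namespace: kube-system
---
# NOTE(review): neither the pod nor the container sets a securityContext, so the
# process runs with the image's default user and privileges.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cluster-autoscaler
  namespace: kube-system
  labels:
    app: cluster-autoscaler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cluster-autoscaler
  template:
    metadata:
      labels:
        app: cluster-autoscaler
    spec:
      serviceAccountName: cluster-autoscaler
      #nodeSelector:
      #  intent: control-apps
      containers:
        - image: k8s.gcr.io/cluster-autoscaler:v1.14.7
          name: cluster-autoscaler
          resources:
            limits:
              cpu: 100m
              memory: 300Mi
            requests:
              cpu: 100m
              memory: 300Mi
          command:
            - ./cluster-autoscaler
            - --v=4
            - --stderrthreshold=info
            # The AWS permissions used with this provider are listed in k8s-asg-policy.json
            # (same directory). That policy allows its actions on "Resource": "*", i.e. every
            # Auto Scaling group in the account; consider limiting SetDesiredCapacity and
            # TerminateInstanceInAutoScalingGroup to the cluster's own groups.
            - --cloud-provider=aws
            - --skip-nodes-with-local-storage=false
            # <min>:<max>:<Auto Scaling group name>. The group name is specific to the cluster
            # this file was written for; replace it with your own node group's ASG.
            - --nodes=1:3:eksctl-eksworkshop-nodegroup-ng-6ee72264-NodeGroup-1HV2SGGAPW9U3
            - --expander=random
            - --expendable-pods-priority-cutoff=-10
            - --scale-down-unneeded-time=2m0s
            - --scale-down-unready-time=3m0s
            - --scale-down-delay-after-add=2m0s
            - --scale-down-utilization-threshold=0.7
            - --balance-similar-node-groups
            - --max-total-unready-percentage=75
            - --ok-total-unready-count=20
            - --max-empty-bulk-delete=30
          env:
            # Change if the cluster is not in cn-northwest-1.
            - name: AWS_REGION
              value: cn-northwest-1
          volumeMounts:
            # The node's CA bundle, mounted read-only over the container's certificate file.
            - name: ssl-certs
              mountPath: /etc/ssl/certs/ca-certificates.crt
              readOnly: true
          imagePullPolicy: "Always"
      volumes:
        # hostPath volume: the file must exist at this path on every node that can run the
        # pod. NOTE(review): the path looks distro-specific; confirm for your node AMI.
        - name: ssl-certs
          hostPath:
            path: "/etc/ssl/certs/ca-bundle.crt"
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/cluster-autoscaler/k8s-asg-policy.json
================================================
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/cluster-autoscaler/nginx-to-scaleout.yaml
================================================
# Test workload for the autoscaler. Requests equal limits (500m CPU / 512Mi), so each
# added replica reserves a fixed share of a node; presumably the workshop scales the
# replica count up to force a scale-out.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-to-scaleout
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        service: nginx
        app: nginx
    spec:
      containers:
      # `nginx` carries no tag, so new nodes pull whatever `latest` resolves to at that moment.
      - image: nginx
        name: nginx-to-scaleout
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 500m
            memory: 512Mi
================================================
FILE: china/2020_EKS_Launch_Workshop/resource/efk/fluent-bit.yaml
================================================
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluent-bit
---
apiVersion: 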
rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: pod-log-reader rules: - apiGroups: [""] resources: - namespaces - pods verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: pod-log-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: pod-log-reader subjects: - kind: ServiceAccount name: fluent-bit namespace: default --- apiVersion: v1 kind: ConfigMap metadata: name: fluent-bit-config labels: app.kubernetes.io/name: fluentbit data: fluent-bit.conf: | [SERVICE] Parsers_File parsers.conf [INPUT] Name tail Tag kube.* Path /var/log/containers/*.log Parser docker DB /var/log/flb_kube.db Mem_Buf_Limit 5MB Skip_Long_Lines On Refresh_Interval 10 [FILTER] Name parser Match ** Parser nginx Key_Name log [OUTPUT] Name cloudwatch Match * region cn-northwest-1 log_group_name fluent-bit-cloudwatch log_stream_prefix from-fluent-bit- auto_create_group true parsers.conf: | [PARSER] Name nginx Format regex Regex ^(?[^ ]*) (?[^ ]*) (?[^ ]*) \[(?