Merge branch 'kubernetes-sigs:master' into stringInterpolationExistin…

…gVolMod
kubernetes-sigs · Sep 23, 2024 · fb9a46f · fb9a46f
2 parents a69a89f + 502677c
commit fb9a46f
Show file tree

Hide file tree

Showing 50 changed files with 772 additions and 1,738 deletions.
diff --git a/.github/workflows/generate-code-coverage.yaml b/.github/workflows/generate-code-coverage.yaml
@@ -14,6 +14,11 @@
 
 name: Generate Code Coverage
 on: [pull_request]
+
+permissions:
+ contents: read
+# upload-artifact does not need write permissions as it relies on an undocumented token
+# https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436
 
 jobs:
  cover-base:

diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -13,7 +13,13 @@
 # limitations under the License.
 
 name: 'govulncheck'
-on: [pull_request]
+on:
+ pull_request:
+ branches:
+ - 'release-*'
+
+permissions:
+ contents: read
 
 jobs:
  govulncheck:

diff --git a/.github/workflows/helm-chart-release.yaml b/.github/workflows/helm-chart-release.yaml
@@ -21,6 +21,10 @@ on:
  paths:
  - "charts/**/Chart.yaml"
 
+permissions:
+ contents: write # Create new release to host chart artifacts
+ pages: write # Publish chart to pages
+
 jobs:
  release:
  runs-on: ubuntu-latest

diff --git a/.github/workflows/output-code-coverage.yaml b/.github/workflows/output-code-coverage.yaml
@@ -17,6 +17,10 @@ on:
  workflow_run:
  workflows: [Generate Code Coverage]
  types: [completed]
+
+permissions:
+ contents: read
+ pull-requests: write # Create/update comment on PRs
 
 jobs:
  output-code-coverage:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -18,6 +18,10 @@ on:
  # Sequence of patterns matched against refs/tags
  tags:
  - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
+
+permissions:
+ contents: write # Create releases
+
 jobs:
  build:
  name: Release

diff --git a/.github/workflows/trivy-containers.yaml b/.github/workflows/trivy-containers.yaml
@@ -20,6 +20,10 @@ on:
  schedule:
  - cron: '0 */24 * * *'
 
+permissions:
+ contents: read
+ security-events: write # Update findings in security tab
+
 jobs:
  build-matrix:
  runs-on: ubuntu-latest

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -18,6 +18,10 @@ on:
  branches:
  - master
  pull_request:
+
+permissions:
+ contents: read
+ security-events: write # Update findings in security tab
 
 jobs:
  build:

diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -18,6 +18,9 @@ on:
  branches:
  - master
  pull_request:
+
+permissions:
+ contents: read
 
 jobs:
  buildx:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,13 @@
+# v1.35.0
+### Notable Changes
+* Add legacy-xfs driver option for clusters that mount XFS volumes to nodes with Linux kernel <= 5.4. Warning: This is a temporary workaround for customers unable to immediately upgrade their nodes. It will be removed in a future release. See [the options documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/release-1.35/docs/options.md) for more details.([#2121](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2121),[@AndrewSirenko](https://github.com/AndrewSirenko))
+* Add local snapshots on outposts ([#2130](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2130), [@ElijahQuinones](https://github.com/ElijahQuinones))
+
+### Improvements
+* Bump dependencies for driver release v1.35.0 ([#2142](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2142), [@ElijahQuinones](https://github.com/ElijahQuinones))
+* Add support for outpost nodegroups to make cluster/create ([#2135](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2135), [@ConnorJC3](https://github.com/ConnorJC3))
+* Update faq.md with Karpenter best practices ([#2131](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2131),[@AndrewSirenko](https://github.com/AndrewSirenko))
+
 # v1.34.0
 ### Notable Changes
 * Consider accelerators when calculating node attachment limit ([#2115](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2115), [@ElijahQuinones](https://github.com/ElijahQuinones))

diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,7 @@
 # See
 # https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
 # for info on BUILDPLATFORM, TARGETOS, TARGETARCH, etc.
-FROM --platform=$BUILDPLATFORM golang:1.22 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
 WORKDIR /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver
 RUN go env -w GOCACHE=/gocache GOMODCACHE=/gomodcache
 COPY go.* .

diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 
 ## Variables/Functions
 
-VERSION?=v1.34.0
+VERSION?=v1.35.0
 
 PKG=github.com/kubernetes-sigs/aws-ebs-csi-driver
 GIT_COMMIT?=$(shell git rev-parse HEAD)

diff --git a/README.md b/README.md
@@ -20,8 +20,8 @@ The [Amazon Elastic Block Store](https://aws.amazon.com/ebs/) Container Storage
 
 | Driver Version | [registry.k8s.io](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) Image | [ECR Public](https://gallery.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver) Image |
 |----------------|---------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
+| v1.35.0 | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.35.0 | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.35.0 |
 | v1.34.0 | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.34.0 | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0 |
-| v1.33.0 | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.33.0 | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.33.0 |
 
 ## Releases
 

diff --git a/charts/aws-ebs-csi-driver/CHANGELOG.md b/charts/aws-ebs-csi-driver/CHANGELOG.md
@@ -1,4 +1,13 @@
 # Helm chart
+## v2.35.1
+* Fix an issue causing the `csi-attacher` container to get stuck in `CrashLoopBackoff` on clusters with VAC enabled. Users with a VAC-enabled cluster are strongly encouraged to skip `v2.35.0` and/or upgrade directly to `v2.35.1` or later.
+
+## v2.35.0
+* Bump driver version to `v1.35.0`
+* Add reservedVolumeAttachments to windows nodes ([#2134](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2134),[@AndrewSirenko](https://github.com/AndrewSirenko))
+* Add legacy-xfs driver option for clusters that mount XFS volumes to nodes with Linux kernel <= 5.4. Warning: This is a temporary workaround for customers unable to immediately upgrade their nodes. It will be removed in a future release. See [the options documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/release-1.35/docs/options.md) for more details.([#2121](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2121),[@AndrewSirenko](https://github.com/AndrewSirenko))
+* Add back "Auto-enable VAC on clusters with beta API version" ([#2141](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2141), [@ConnorJC3](https://github.com/ConnorJC3))
+
 ## v2.34.0
 * Bump driver version to `v1.34.0`
 * Add toggle for PodDisruptionBudget in chart ([#2109](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2109), [@AndrewSirenko](https://github.com/AndrewSirenko))

diff --git a/charts/aws-ebs-csi-driver/Chart.yaml b/charts/aws-ebs-csi-driver/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 1.34.0
+appVersion: 1.35.0
 name: aws-ebs-csi-driver
 description: A Helm chart for AWS EBS CSI Driver
-version: 2.34.0
+version: 2.35.1
 kubeVersion: ">=1.17.0-0"
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 sources:

diff --git a/charts/aws-ebs-csi-driver/templates/_node-windows.tpl b/charts/aws-ebs-csi-driver/templates/_node-windows.tpl
@@ -68,9 +68,15 @@ spec:
  args:
  - node
  - --endpoint=$(CSI_ENDPOINT)
+ {{- with .Values.node.reservedVolumeAttachments }}
+ - --reserved-volume-attachments={{ . }}
+ {{- end }}
  {{- with .Values.node.volumeAttachLimit }}
  - --volume-attach-limit={{ . }}
  {{- end }}
+ {{- if .Values.node.legacyXFS }}
+ - --legacy-xfs=true
+ {{- end}}
  {{- with .Values.node.loggingFormat }}
  - --logging-format={{ . }}
  {{- end }}

diff --git a/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/aws-ebs-csi-driver/templates/_node.tpl
@@ -74,6 +74,9 @@ spec:
  {{- with .Values.node.volumeAttachLimit }}
  - --volume-attach-limit={{ . }}
  {{- end }}
+ {{- if .Values.node.legacyXFS }}
+ - --legacy-xfs=true
+ {{- end}}
  {{- with .Values.node.loggingFormat }}
  - --logging-format={{ . }}
  {{- end }}

diff --git a/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/aws-ebs-csi-driver/templates/controller.yaml
@@ -74,11 +74,7 @@ spec:
  image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
  imagePullPolicy: {{ .Values.image.pullPolicy }}
  args:
- {{- if ne .Release.Name "kustomize" }}
  - controller
- {{- else }}
- # - {all,controller,node} # specify the driver mode
- {{- end }}
  - --endpoint=$(CSI_ENDPOINT)
  {{- if .Values.controller.extraVolumeTags }}
  {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
@@ -231,6 +227,9 @@ spec:
  {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
  - --retry-interval-max=30m
  {{- end }}
+ {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
+ - --feature-gates=VolumeAttributesClass=true
+ {{- end }}
  {{- range .Values.sidecars.provisioner.additionalArgs }}
  - {{ . }}
  {{- end }}
@@ -449,6 +448,9 @@ spec:
  {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
  - --retry-interval-max=30m
  {{- end }}
+ {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
+ - --feature-gates=VolumeAttributesClass=true
+ {{- end }}
  {{- range .Values.sidecars.resizer.additionalArgs }}
  - {{ . }}
  {{- end }}

diff --git a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
@@ -10,11 +10,6 @@ metadata:
  annotations:
  {{- toYaml . | nindent 4 }}
  {{- end }}
- {{- if eq .Release.Name "kustomize" }}
- #Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
- #annotations:
- # eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
- {{- end }}
 {{- if .Values.controller.serviceAccount.automountServiceAccountToken }}
 automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
 {{- end }}

diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
@@ -17,7 +17,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
- tag: "v5.0.1-eks-1-30-10"
+ tag: "v5.1.0-eks-1-31-3"
  logLevel: 2
  # Additional parameters provided by external-provisioner.
  additionalArgs: []
@@ -44,7 +44,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
- tag: "v4.6.1-eks-1-30-10"
+ tag: "v4.7.0-eks-1-31-3"
  # Tune leader lease election for csi-attacher.
  # Leader election is on by default.
  leaderElection:
@@ -73,7 +73,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
- tag: "v8.0.1-eks-1-30-12"
+ tag: "v8.0.1-eks-1-31-3"
  logLevel: 2
  # Additional parameters provided by csi-snapshotter.
  additionalArgs: []
@@ -89,7 +89,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
- tag: "v2.13.0-eks-1-30-10"
+ tag: "v2.14.0-eks-1-31-3"
  # Additional parameters provided by livenessprobe.
  additionalArgs: []
  resources: {}
@@ -101,7 +101,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
- tag: "v1.11.1-eks-1-30-10"
+ tag: "v1.12.0-eks-1-31-3"
  # Tune leader lease election for csi-resizer.
  # Leader election is on by default.
  leaderElection:
@@ -128,7 +128,7 @@ sidecars:
  image:
  pullPolicy: IfNotPresent
  repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
- tag: "v2.11.0-eks-1-30-10"
+ tag: "v2.12.0-eks-1-31-3"
  logLevel: 2
  # Additional parameters provided by node-driver-registrar.
  additionalArgs: []
@@ -392,6 +392,10 @@ node:
  # Enable the linux daemonset creation
  enableLinux: true
  enableWindows: false
+ # Warning: This option will be removed in a future release. It is a temporary workaround for users unable to immediately migrate off of older kernel versions.
+ # Formats XFS volumes with bigtime=0,inobtcount=0,reflink=0, for mounting onto nodes with linux kernel version <= 5.4.
+ # Note that XFS volumes formatted with this option will only have timestamp records until 2038.
+ legacyXFS: false
  # The number of attachment slots to reserve for system use (and not to be used for CSI volumes)
  # When this parameter is not specified (or set to -1), the EBS CSI Driver will attempt to determine the number of reserved slots via heuristic
  # Cannot be specified at the same time as `node.volumeAttachLimit`
@@ -485,4 +489,4 @@ nodeComponentOnly: false
 helmTester:
  enabled: true
  # Supply a custom image to the ebs-csi-driver-test pod in helm-tester.yaml
- image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240803-cf1183f2db-master"
+ image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240903-6a352c5344-master"
diff --git a/deploy/kubernetes/base/controller.yaml b/deploy/kubernetes/base/controller.yaml
@@ -62,10 +62,10 @@ spec:
  runAsUser: 1000
  containers:
  - name: ebs-plugin
- image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0
+ image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.35.0
  imagePullPolicy: IfNotPresent
  args:
- # - {all,controller,node} # specify the driver mode
+ - controller
  - --endpoint=$(CSI_ENDPOINT)
  - --batching=true
  - --logging-format=text
@@ -131,7 +131,7 @@ spec:
  seccompProfile:
  type: RuntimeDefault
  - name: csi-provisioner
- image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.0.1-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.1.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --timeout=60s
@@ -163,7 +163,7 @@ spec:
  seccompProfile:
  type: RuntimeDefault
  - name: csi-attacher
- image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.6.1-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.7.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --timeout=60s
@@ -192,7 +192,7 @@ spec:
  seccompProfile:
  type: RuntimeDefault
  - name: csi-snapshotter
- image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v8.0.1-eks-1-30-12
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v8.0.1-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --csi-address=$(ADDRESS)
@@ -221,7 +221,7 @@ spec:
  seccompProfile:
  type: RuntimeDefault
  - name: csi-resizer
- image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.11.1-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.12.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --timeout=60s
@@ -251,7 +251,7 @@ spec:
  seccompProfile:
  type: RuntimeDefault
  - name: liveness-probe
- image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.14.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --csi-address=/csi/csi.sock

diff --git a/deploy/kubernetes/base/node.yaml b/deploy/kubernetes/base/node.yaml
@@ -54,7 +54,7 @@ spec:
  runAsUser: 0
  containers:
  - name: ebs-plugin
- image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0
+ image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.35.0
  imagePullPolicy: IfNotPresent
  args:
  - node
@@ -102,7 +102,7 @@ spec:
  exec:
  command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"]
  - name: node-driver-registrar
- image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.11.0-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.12.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --csi-address=$(ADDRESS)
@@ -139,7 +139,7 @@ spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  - name: liveness-probe
- image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-10
+ image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.14.0-eks-1-31-3
  imagePullPolicy: IfNotPresent
  args:
  - --csi-address=/csi/csi.sock

diff --git a/deploy/kubernetes/base/serviceaccount-csi-controller.yaml b/deploy/kubernetes/base/serviceaccount-csi-controller.yaml
@@ -6,7 +6,4 @@ metadata:
  name: ebs-csi-controller-sa
  labels:
  app.kubernetes.io/name: aws-ebs-csi-driver
- #Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
- #annotations:
- # eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
 automountServiceAccountToken: true