Add csi-proxy project #362
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-ci-robot
added
the
size/M
|
cc @msau42 |
jingxu97
force-pushed
the
sep/csiproxy
branch
2 times, most recently
from
028469f to
0924dbf
Compare
|
/release-note-none |
k8s-ci-robot
added
release-note-none
book/src/SUMMARY.md
Outdated
| @@ -31,6 +31,7 @@ | |||
| - [Volume Snapshot & Restore](snapshot-restore-feature.md) | |||
| - [Ephemeral Local Volumes](ephemeral-local-volumes.md) | |||
| - [Volume Limits](volume-limits.md) | |||
| - [CSI proxy](csi-proxy.md) | |||
There was a problem hiding this comment.
Can we have 2 pages?
One for the csi proxy component, which should go under "Kubernetes Cluster Controllers", and one for Windows, which should go under "Features".
The csi-proxy page focuses on what a cluster operator needs to do to deploy the csi-proxy, and the Windows feature page focuses on how csi driver authors can add Windows support to their driver.
book/src/csi-proxy.md
Outdated
|
|
||
| Status | Min K8s Version | Max K8s Version | ||
| --|--|-- | ||
| Alpha | 1.18 | - |
There was a problem hiding this comment.
Can you put the actual version in this column?
There was a problem hiding this comment.
it is the actual version?
There was a problem hiding this comment.
I mean a number like "v0.1.0"
book/src/csi-proxy.md
Outdated
|
|
||
| Run csi-proxy.exe binary directly on Window node. Command line options | ||
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
What is this path used for? Do we append "/plugins_registry or /plugins" after it?
There was a problem hiding this comment.
this path is mainly for validating the path requested from client is valid (under pod volume dir), not some other arbitrary path for security reason.
There was a problem hiding this comment.
Can you add more details of what this path is used for in the description of this field? The name of this field is also confusing because it's the kubelet root, not the plugins path.
There was a problem hiding this comment.
we are in the process of hanging this part to use kublet-path instead of two to match the name. will update it after the change is done.
There was a problem hiding this comment.
has this been updated for v1?
There was a problem hiding this comment.
-kubelet-csi-plugins-path and -kubelet-pod-path below should be replaced with (or noted as removed in favor of) -kubelet-pod-path in v1.0.
book/src/csi-proxy.md
Outdated
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). | ||
|
|
||
| * `-kubelet-pod-path`: This is the prefix path of the kubelet pod directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
This is assuming "/pods" are appended afterwards?
Should this just be the kubelet root directory?
There was a problem hiding this comment.
at the initial design, it was set to pod dir, but then due to some issue (I forgot the cause), we relax it to the upper level path in there https://github.com/kubernetes-csi/csi-proxy/pull/28/files
So that's why we say it is prefix. I think the idea is user might still set it to different paths as they desire. We could use one parameter like kublet dir, but to change this, it would be user facing breaking change, so we try to avoid it unless very necessary.
There was a problem hiding this comment.
Can we change this for the GA v1 version? I think this field is a little confusing because pod path is usually "/var/lib/kubelet/pods". Especially because this path and the csi-plugins-path is the same. Can we combine the two options?
There was a problem hiding this comment.
yes, we plan to do it.
book/src/csi-proxy.md
Outdated
|
|
||
| CSI Proxy is a binary that exposes a set of gRPC APIs around storage operations over named pipes in Windows. A container, such as CSI node plugins, can mount the named pipes depending on operations it wants to exercise on the host and invoke the APIs. | ||
|
|
||
| Each named pipe will support a specific version of an API (e.g. v1alpha1, v2beta1) that targets a specific area of storage (e.g. disk, volume, file, SMB, iSCSI). |
There was a problem hiding this comment.
Where do these pipes get created?
There was a problem hiding this comment.
added some examples \.\pipe\csi-proxy-disk-v1beta1
book/src/csi-proxy.md
Outdated
|
|
||
| ## Deployment | ||
|
|
||
| Directly run csi-proxy.exe binary or run it as a Windows Serivce. |
There was a problem hiding this comment.
Clarify this should be run on Kubernetes nodes.
jingxu97
force-pushed
the
sep/csiproxy
branch
from
0924dbf to
f60223b
Compare
k8s-ci-robot
added
size/L
jingxu97
force-pushed
the
sep/csiproxy
branch
from
f60223b to
da6dc02
Compare
book/src/csi-proxy.md
Outdated
|
|
||
| CSI Proxy is a binary that exposes a set of gRPC APIs around storage operations over named pipes in Windows. A container, such as CSI node plugins, can mount the named pipes depending on operations it wants to exercise on the host and invoke the APIs. | ||
|
|
||
| Each named pipe will support a specific version of an API (e.g. v1alpha1, v2beta1) that targets a specific area of storage (e.g. disk, volume, file, SMB, iSCSI). For example, `\\.\pipe\csi-proxy-filesystem-v1alpha1`, `\\.\pipe\csi-proxy-disk-v1beta1` |
There was a problem hiding this comment.
Is there a place where every pipe is actually documented and we can point to?
There was a problem hiding this comment.
not really, just a short explanation on csi-proxy readme. https://github.com/kubernetes-csi/csi-proxy
There was a problem hiding this comment.
Can we open an issue to investigate if we can have some api reference generator?
There was a problem hiding this comment.
yes, we are checking on it
book/src/csi-windows.md
Outdated
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows currently does not support privileged containers. To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) - that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileges storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). | ||
|
|
||
| ## How to use the CSI Proxy for Windows? | ||
| The CSI Proxy executable - csi-proxy.exe - needs to be deployed and running on all Windows nodes in a cluster - similar to kubelet.exe, dockerd.exe, etc. This may be achieved by enhancing any existing Windows node setup mechanism or script used for installing and configuring dockerd.exe/containerd.exe, kubelet.exe, kubeproxy.exe, etc. |
There was a problem hiding this comment.
The instructions for csi-proxy deployment should go in the csi-proxy page, and you can link to it from here
book/src/csi-windows.md
Outdated
| kubernetes.io/os: windows | ||
| containers: | ||
| - name: csi-driver-registrar | ||
| image: gke.gcr.io/csi-node-driver-registrar:win-v1 |
There was a problem hiding this comment.
Let's use K8s community images instead of gke images.
book/src/csi-windows.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows currently does not support privileged containers. To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) - that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileges storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). |
There was a problem hiding this comment.
It would be good to mention somewhere that csi controller level operations/sidecars are not supported on Windows.
There was a problem hiding this comment.
"To solve this problem, CSI Proxy is a binary that runs on the Windows host"
book/src/csi-windows.md
Outdated
| ## How to use the CSI Proxy for Windows? | ||
| The CSI Proxy executable - csi-proxy.exe - needs to be deployed and running on all Windows nodes in a cluster - similar to kubelet.exe, dockerd.exe, etc. This may be achieved by enhancing any existing Windows node setup mechanism or script used for installing and configuring dockerd.exe/containerd.exe, kubelet.exe, kubeproxy.exe, etc. | ||
|
|
||
| The CSI Proxy executable surfaces a set of named pipes, each corresponding to a specific version of a storage API group. The set of storage API groups supported as of Beta are: Disks, Volumes, SMB, FileSystem. The daemonset specification of a CSI node plugin for Windows can mount the desired named pipes from CSI Proxy based on the version of the API groups that satisfy the privileged operations that the node-plugin needs to execute. |
There was a problem hiding this comment.
Can we link to the go-client that plugin authors can import into their csi driver? Do we have a sample driver they can use as an example?
There was a problem hiding this comment.
we can use gce pd driver as an example
|
|
||
| **Status:** Beta starting with v0.2.0 | ||
|
|
||
| Status | Min K8s Version | Max K8s Version |
There was a problem hiding this comment.
Similar to the other component pages, can you add a column for where the community binaries are located?
There was a problem hiding this comment.
added, right now only in staging
There was a problem hiding this comment.
I will update this after promote to release is available.
book/src/csi-windows.md
Outdated
| Status | Min K8s Version | Max K8s Version | ||
| --|--|-- | ||
| Alpha | 1.18 | - | ||
| Beta | 1.19 | - |
There was a problem hiding this comment.
It would also be good to add a column for which version of node-driver-registrar and csi-proxy are required
book/src/csi-proxy.md
Outdated
|
|
||
| ## Deployment | ||
|
|
||
| Directly run csi-proxy.exe binary or run it as a Windows Serivce on Kubernetes nodes. |
There was a problem hiding this comment.
Can you add a note here saying that is it the responsibility of the Kubernetes distribution or cluster admin to install csi-proxy
jingxu97
force-pushed
the
sep/csiproxy
branch
2 times, most recently
from
2caee7a to
0bb454f
Compare
|
updated it to address comments. |
book/src/csi-proxy.md
Outdated
|
|
||
| CSI Proxy is a binary that exposes a set of gRPC APIs around storage operations over named pipes in Windows. A container, such as CSI node plugins, can mount the named pipes depending on operations it wants to exercise on the host and invoke the APIs. | ||
|
|
||
| Each named pipe will support a specific version of an API (e.g. v1alpha1, v2beta1) that targets a specific area of storage (e.g. disk, volume, file, SMB, iSCSI). For example, `\\.\pipe\csi-proxy-filesystem-v1alpha1`, `\\.\pipe\csi-proxy-disk-v1beta1` |
There was a problem hiding this comment.
Can we open an issue to investigate if we can have some api reference generator?
book/src/csi-proxy.md
Outdated
|
|
||
| Run csi-proxy.exe binary directly on Window node. Command line options | ||
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
Can you add more details of what this path is used for in the description of this field? The name of this field is also confusing because it's the kubelet root, not the plugins path.
book/src/csi-proxy.md
Outdated
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). | ||
|
|
||
| * `-kubelet-pod-path`: This is the prefix path of the kubelet pod directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
Can we change this for the GA v1 version? I think this field is a little confusing because pod path is usually "/var/lib/kubelet/pods". Especially because this path and the csi-plugins-path is the same. Can we combine the two options?
book/src/csi-windows.md
Outdated
|
|
||
| Status | Min K8s Version | Min CSI proxy Version | Min Node Driver Registrar Version | latest artifacts | ||
| --|--|-- | ||
| Beta | 1.19 | 0.2.0 | 1.3.0 | [binary](gs://k8s-staging-sig-storage/csi-proxy/csi-proxy-master.exe) |
There was a problem hiding this comment.
For the binary, is it versioned? how do we get v0.2.0 vs v0.3.0?
We also really need to get the binary promotion issue solved. Artifacts in staging are generally automatically deleted after 30 days. We can't have anyone depending on the staging location.
There was a problem hiding this comment.
Does the path include the version now?
There was a problem hiding this comment.
I would say let's not publish the staging location for now and update this once we get the official version so that we don't have users depending on a staging version that could get garbage collected.
book/src/csi-windows.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows currently does not support privileged containers. To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) - that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileges storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). |
There was a problem hiding this comment.
"To solve this problem, CSI Proxy is a binary that runs on the Windows host"
book/src/csi-windows.md
Outdated
| The CSI Proxy executable surfaces a set of named pipes, each corresponding to a specific version of a storage API group. The set of storage API groups supported as of Beta are: Disks, Volumes, SMB, FileSystem. The daemonset specification of a CSI node plugin for Windows can mount the desired named pipes from CSI Proxy based on the version of the API groups that satisfy the privileged operations that the node-plugin needs to execute. | ||
|
|
||
|
|
||
| The following daemonset YAML shows how to mount various API groups from CSI Proxy into a CSI Node plugin: |
book/src/csi-windows.md
Outdated
| type: "" | ||
| - name: csi-proxy-filesystem-pipe | ||
| hostPath: | ||
| path: \\.\pipe\csi-proxy-filesystem-v1alpha1 |
book/src/csi-proxy.md
Outdated
|
|
||
| CSI Proxy is a binary that exposes a set of gRPC APIs around storage operations over named pipes in Windows. A container, such as CSI node plugins, can mount the named pipes depending on operations it wants to exercise on the host and invoke the APIs. | ||
|
|
||
| Each named pipe will support a specific version of an API (e.g. v1alpha1, v2beta1) that targets a specific area of storage (e.g. disk, volume, file, SMB, iSCSI). For example, `\\.\pipe\csi-proxy-filesystem-v1alpha1`, `\\.\pipe\csi-proxy-disk-v1beta1` |
There was a problem hiding this comment.
Is there any information we can provide about backwards compatibility of apigroups? How many api versions will csi-proxy support at a time?
There was a problem hiding this comment.
csi-proxy support backwards compatibility. So all api versions (alpha, beta, GA) are being supported.
book/src/csi-windows.md
Outdated
|
|
||
| ## Status | ||
|
|
||
| Status | Min K8s Version | Min CSI proxy Version | Min Node Driver Registrar Version | latest artifacts |
There was a problem hiding this comment.
When I preview this page, the table formatting does not seem correct
book/src/csi-windows.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows currently does not support privileged containers. To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) - that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileges storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). |
There was a problem hiding this comment.
typo: privileges => privileged
|
/assign @ddebroy |
book/src/csi-proxy.md
Outdated
|
|
||
| ## Usage | ||
|
|
||
| Run csi-proxy.exe binary directly on Window node. Command line options |
book/src/csi-proxy.md
Outdated
|
|
||
| ## Deployment | ||
|
|
||
| It the responsibility of the Kubernetes distribution or cluster admin to install csi-proxy. Directly run csi-proxy.exe binary or run it as a Windows Serivce on Kubernetes nodes. |
book/src/csi-windows.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows currently does not support privileged containers. To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) is a binary that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileged storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). |
There was a problem hiding this comment.
However, Windows currently does not support privileged containers => since the PRs for Windows privileged support are now merged, should we say, it is in the process of being introduced?
book/src/csi-proxy.md
Outdated
|
|
||
| Run csi-proxy.exe binary directly on Window node. Command line options | ||
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
has this been updated for v1?
|
|
||
| * `-windows-service`: Configure as a Windows Service | ||
|
|
||
| * `-log_file`: If non-empty, use this log file. (Note: must set `logtostdrr`=false if setting -log_file) |
There was a problem hiding this comment.
Is this a flag from klog that uses underscores? (vs dashes for the other args)
There was a problem hiding this comment.
This is from klog option, not csi-proxy actually
book/src/csi-windows.md
Outdated
|
|
||
| Status | Min K8s Version | Min CSI proxy Version | Min Node Driver Registrar Version | latest artifacts | ||
| --|--|-- | ||
| Beta | 1.19 | 0.2.0 | 1.3.0 | [binary](gs://k8s-staging-sig-storage/csi-proxy/csi-proxy-master.exe) |
There was a problem hiding this comment.
Does the path include the version now?
|
|
||
| **Status:** Beta starting with v0.2.0 | ||
|
|
||
| Status | Min K8s Version | Max K8s Version |
book/src/csi-proxy.md
Outdated
|
|
||
| Run csi-proxy.exe binary directly on Window node. Command line options | ||
|
|
||
| * `-kubelet-csi-plugins-path`: This is the prefix path of the Kubelet plugin directory in the host file system (`C:\var\lib\kubelet` is used by default). |
There was a problem hiding this comment.
-kubelet-csi-plugins-path and -kubelet-pod-path below should be replaced with (or noted as removed in favor of) -kubelet-pod-path in v1.0.
book/src/csi-windows.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| CSI drivers (e.g. AzureDisk, GCE PD, etc.) are recommended to be deployed as containers. CSI driver’s node plugin typically runs on every worker node in the cluster (as a DaemonSet). Node plugin containers need to run with elevated privileges to perform storage related operations. However, Windows was not supporting privileged containers (Note: privileged containers a.k.a Host process is introduced as alpha feature in Kubernetes 1.22 very recently). To solve this problem, [CSI Proxy](https://github.com/kubernetes-csi/csi-proxy) is a binary that runs on the Windows host and executes a set of privileged storage operations on Windows nodes on behalf of containers in a CSI Node plugin daemonset. This enables multiple CSI Node plugin authors to execute privileged storage operations on Windows nodes without having to ship a custom privileged operation proxy (until privileged operations get enabled for containers in Windows in the future). |
There was a problem hiding this comment.
couple of nits:
"CSI Node plugin authors to execute" => "CSI Node plugins to execute"
Let's remove "(until privileged operations get enabled for containers in Windows in the future)."
book/src/csi-windows.md
Outdated
| - name: plugin-dir | ||
| mountPath: C:\csi | ||
| - name: csi-proxy-disk-pipe | ||
| mountPath: \\.\pipe\csi-proxy-disk-v1beta2 |
There was a problem hiding this comment.
Let's update the api versions in this example to the latest - v1
book/src/csi-proxy.md
Outdated
|
|
||
| Run csi-proxy.exe binary directly on a Window node. Starting from v1.0.0, the command line options are | ||
|
|
||
| * -kubelet-path: This is the prefix path of the kubelet directory in the host file system |
There was a problem hiding this comment.
Also add the backticks around the arg.
book/src/csi-proxy.md
Outdated
|
|
||
| ## Usage | ||
|
|
||
| Run csi-proxy.exe binary directly on a Window node. Starting from v1.0.0, the command line options are |
|
|
||
| * `-kubelet-pod-path`: This is the prefix path of the kubelet pod directory in the host file system (`C:\var\lib\kubelet` is used by default). | ||
|
|
||
| * `-windows-service`: Configure as a Windows Service |
There was a problem hiding this comment.
Are these options also available in 1.0? The indenting makes it seem like these options are not available in 1.0 anymore. Maybe for simplicilty, let's remove the detailed entries for the old kubelet path arguments, and just mention in the description for kubelet-path that it replaces kubelet-pod-path and kubelet-csi-plugins-path in previous versions.
book/src/csi-windows.md
Outdated
|
|
||
| Status | Min K8s Version | Min CSI proxy Version | Min Node Driver Registrar Version | latest artifacts | ||
| --|--|-- | ||
| Beta | 1.19 | 0.2.0 | 1.3.0 | [binary](gs://k8s-staging-sig-storage/csi-proxy/csi-proxy-master.exe) |
There was a problem hiding this comment.
I would say let's not publish the staging location for now and update this once we get the official version so that we don't have users depending on a staging version that could get garbage collected.
Add csi-proxy project in docs
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jingxu97, msau42 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Add csi-proxy project in docs