Update README and fix manifest
Signed-off-by: Arnon Gilboa <[email protected]>
arnongilboa committed Oct 15, 2023
1 parent 76ddd75 commit fcb271a
Showing 2 changed files with 46 additions and 197 deletions.
169 changes: 43 additions & 126 deletions README.md
Expand Up @@ -4,139 +4,49 @@ This checkup performs storage checks, validating storage is working correctly fo

## Permissions

Cluster admin should create the following permissions and/for dedicated storage checkup ServiceAccount and namespace:
The [following](manifests/storage_checkup_permissions.yaml) ServiceAccount, Role and RoleBinding should be applied on the test namespace.

```bash
kubectl apply -n <target-namespace> -f manifests/storage_checkup_permissions.yaml
```

Cluster admin should create the following cluster-reader permissions for dedicated `storage-checkup-sa` ServiceAccount and namespace:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: storage-checkup-sa
namespace: <target-namespace>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubevirt-storage-checker
rules:
- apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses" ]
verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubevirt-storage-checker
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
namespace: <target-namespace>
roleRef:
kind: ClusterRole
name: kubevirt-storage-checker
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubevirt-storage-checker-volumesnapshotclasses
rules:
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotclasses" ]
verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubevirt-storage-checker-volumesnapshotclasses
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
namespace: <target-namespace>
roleRef:
kind: ClusterRole
name: kubevirt-storage-checker-volumesnapshotclasses
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kiagnose-configmap-access
namespace: <target-namespace>
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kiagnose-configmap-access
namespace: <target-namespace>
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
roleRef:
kind: Role
name: kiagnose-configmap-access
apiGroup: rbac.authorization.k8s.io
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubevirt-storage-checkup-clustereader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
namespace: <target-namespace>
```
## Configuration
| Key | Description | Is Mandatory | Remarks |
|Key|Description|Is Mandatory|Remarks|
|---------------------------------------------|-------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------|
| spec.timeout | How much time before the checkup will try to close itself | True | |
|spec.timeout|How much time before the checkup will try to close itself|True||
### Example
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: storage-checkup-config
namespace: <target-namespace>
data:
spec.timeout: 5m
```
## Execution
In order to execute the checkup, fill in the required data and apply this manifest:
```yaml
apiVersion: batch/v1
kind: Job
metadata:
name: storage-checkup
namespace: <target-namespace>
spec:
backoffLimit: 0
template:
spec:
serviceAccount: storage-checkup-sa
restartPolicy: Never
containers:
- name: storage-checkup
image: quay.io/kiagnose/kubevirt-storage-checkup:main
imagePullPolicy: Always
env:
- name: CONFIGMAP_NAMESPACE
value: <target-namespace>
- name: CONFIGMAP_NAME
value: storage-checkup-config
```
In order to execute the checkup, the [following](manifests/storage_checkup.yaml) ConfigMap and Job should be applied on the test namespace.
You can create the permissions, ConfigMap and Job with:
You can create the ConfigMap and Job with:
```bash
export CHECKUP_NAMESPACE=<target-namespace>

envsubst < manifests/storage_checkup_permissions.yaml | kubectl apply -f -
envsubst < manifests/storage_checkup.yaml | kubectl apply -f -
envsubst < manifests/storage_checkup.yaml|kubectl apply -f -
```

and cleanup the ConfigMap and Job:
and cleanup them with:
```bash
envsubst < manifests/storage_checkup.yaml | kubectl delete -f -
envsubst < manifests/storage_checkup.yaml|kubectl delete -f -
```
## Checkup Results Retrieval
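Review bot: The new `kubevirt-storage-checkup-clustereader` ClusterRoleBinding in the Permissions section binds `storage-checkup-sa` to `cluster-reader`, which grants far more than the two ClusterRoles it replaces (`get`/`list` on `storageclasses` and on `volumesnapshotclasses`). Either keep a dedicated ClusterRole that lists only the cluster-scoped reads the checkup needs, or state in the README why cluster-wide read is required. `cluster-reader` is an OpenShift default role while the instructions use `kubectl`, so the README should also say what to bind on a cluster that does not ship that role. Two smaller points in the same snippet: it begins with `- apiVersion:`, a list item rather than a standalone object, so the leading `- ` should be dropped; and the binding name reads `clustereader`, which looks like a typo for `clusterreader`. No command is given for applying this binding, and its `namespace: <target-namespace>` has to be edited by hand.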

Expand All @@ -145,14 +55,21 @@ After the checkup Job had completed, the results are made available at the user-
```bash
kubectl get configmap storage-checkup-config -n <target-namespace> -o yaml
```
| Key | Description | Remarks |
|Key|Description|Remarks|
|--------------------------------------------------|-------------------------------------------------------------------|----------|
| status.succeeded | Has the checkup succeeded | |
| status.failureReason | Failure reason in case of a failure | |
| status.startTimestamp | Checkup start timestamp | RFC 3339 |
| status.completionTimestamp | Checkup completion timestamp | RFC 3339 |
| status.result.defaultStorageClass | Indicates whether there is a default storage class | |
| status.result.storageProfilesWithEmptyClaimPropertySets | StorageProfiles with empty claimPropertySets (unknown provisioners) | |
| status.result.storageProfilesWithSpecClaimPropertySets | StorageProfiles with spec-overrriden claimPropertySets | |
| status.result.storageWithRWX | Storage with RWX access mode | |
| status.result.storageMissingVolumeSnapshotClass | Storage using snapshot-based clone but missing VolumeSnapshotClass | |
|status.succeeded|Has the checkup succeeded||
|status.failureReason|Failure reason in case of a failure||
|status.startTimestamp|Checkup start timestamp|RFC 3339|
|status.completionTimestamp|Checkup completion timestamp|RFC 3339|
|status.result.defaultStorageClass|Indicates whether there is a default storage class||
|status.result.storageProfilesWithEmptyClaimPropertySets|StorageProfiles with empty claimPropertySets (unknown provisioners)||
|status.result.storageProfilesWithSpecClaimPropertySets|StorageProfiles with spec-overrriden claimPropertySets||
|status.result.storageWithRWX|Storage with RWX access mode||
|status.result.storageMissingVolumeSnapshotClass|Storage using snapshot-based clone but missing VolumeSnapshotClass||
|status.result.goldenImagesNotUpToDate|Golden images whose DataImportCron is not up to date or DataSource is not ready||
|status.result.vmsWithNonVirtRbdStorageClass|VMs using the plain RBD storageclass when the virtualization storageclass exists||
|status.result.vmsWithUnsetEfsStorageClass|VMs using an EFS storageclass where the gid and uid are not set in the storageclass||
|status.result.vmBootFromGoldenImage|VM created and started from a golden image||
|status.result.vmVolumeClone|VM volume clone type used (efficient or host-assisted) and fallback reason||
|status.result.vmLiveMigration|VM live-migration||
|status.result.vmHotplugVolume|VM volume hotplug and unplug||
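Review bot: The rewritten `status.result.storageProfilesWithSpecClaimPropertySets` row still reads `spec-overrriden`; since the line is being touched anyway, correct it to `spec-overridden`. The seven new `status.result.*` rows leave Remarks empty; a short note on the value format would help anyone parsing the ConfigMap, in particular for `status.result.vmVolumeClone`, which carries both a clone type and a fallback reason in one field. The separator row keeps its padded form while every other row was compacted, so most of this hunk is whitespace churn that hides the rows actually added.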
74 changes: 3 additions & 71 deletions manifests/storage_checkup_permissions.yaml
Expand Up @@ -3,82 +3,15 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: storage-checkup-sa
namespace: $CHECKUP_NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubevirt-storage-checker
rules:
- apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses" ]
verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubevirt-storage-checker
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
namespace: $CHECKUP_NAMESPACE
roleRef:
kind: ClusterRole
name: kubevirt-storage-checker
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubevirt-storage-checker-volumesnapshotclasses
rules:
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotclasses" ]
verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubevirt-storage-checker-volumesnapshotclasses
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
namespace: $CHECKUP_NAMESPACE
roleRef:
kind: ClusterRole
name: kubevirt-storage-checker-volumesnapshotclasses
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kiagnose-configmap-access
namespace: $CHECKUP_NAMESPACE
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kiagnose-configmap-access
namespace: $CHECKUP_NAMESPACE
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
roleRef:
kind: Role
name: kiagnose-configmap-access
apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kubevirt-storage-checker
namespace: $CHECKUP_NAMESPACE
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: ["get", "update"]
- apiGroups: [ "kubevirt.io" ]
resources: [ "virtualmachines" ]
verbs: [ "create", "delete" ]
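Review bot: The `configmaps` rule added to the `kubevirt-storage-checker` Role (`verbs: ["get", "update"]`) has no `resourceNames`, so `storage-checkup-sa` can read and overwrite every ConfigMap in the namespace, not only the checkup's own. If the ConfigMap name is fixed to the README's `storage-checkup-config`, add `resourceNames: ["storage-checkup-config"]` to the rule; if the name is meant to stay configurable through `CONFIGMAP_NAME`, say so in a comment and recommend a dedicated namespace. The visible lines also remove the `storageclasses` and `volumesnapshotclasses` ClusterRoles without adding a replacement in this file, so the manifest alone no longer grants what the checkup reads at cluster scope; a comment pointing to the README's ClusterRoleBinding step would make that dependency explicit.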
Expand All @@ -99,7 +32,6 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubevirt-storage-checker
namespace: $CHECKUP_NAMESPACE
subjects:
- kind: ServiceAccount
name: storage-checkup-sa
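Review bot: With `namespace: $CHECKUP_NAMESPACE` removed from the RoleBinding metadata (and from the ServiceAccount and Role earlier in the file), the target namespace now comes only from `-n` at apply time. Running `kubectl apply -f` without `-n` would create the ServiceAccount, the Role with `create`/`delete` on `virtualmachines`, and this binding in whatever namespace the current context points to. Add a comment at the top of the manifest stating that it must be applied with `-n <target-namespace>`, and keep the README's Execution section consistent: it still exports `CHECKUP_NAMESPACE` while this file no longer uses it.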