Skip to content

STOR-2921: update deployment manifests from upstream#174

Open
dobsonj wants to merge 1 commit into
openshift:mainfrom
dobsonj:STOR-2921
Open

STOR-2921: update deployment manifests from upstream#174
dobsonj wants to merge 1 commit into
openshift:mainfrom
dobsonj:STOR-2921

Conversation

@dobsonj

@dobsonj dobsonj commented Jun 17, 2026

Copy link
Copy Markdown
Member

https://redhat.atlassian.net/browse/STOR-2921

This PR addresses node and controller deployment manifest drift from upstream. Includes changes from openshift/ibm-vpc-block-csi-driver#154 and previous rebases.

Summary by CodeRabbit

  • Chores
    • Increased CPU and memory resource requests for the storage provisioning, attachment, snapshotting, and driver components.
    • Added VPC retry configuration (attempt and timing) to improve retry behavior during transient failures.
    • Enhanced node-side settings by adding a volume attachment limit and configuring udev settle/retry timing.
    • Strengthened security contexts by adjusting group execution and applying SELinux options for the liveness probe.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 17, 2026

Copy link
Copy Markdown

@dobsonj: This pull request references STOR-2921 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "5.0.0" version, but multiple target versions were set.

Details

In response to this:

https://redhat.atlassian.net/browse/STOR-2921

This PR addresses node and controller deployment manifest drift from upstream. Includes changes from openshift/ibm-vpc-block-csi-driver#154 and previous rebases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7e3b4db8-66a1-4473-bb41-3b4eace8119f

📥 Commits

Reviewing files that changed from the base of the PR and between 2521746 and b4c5f58.

📒 Files selected for processing (2)
  • assets/controller.yaml
  • assets/node.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • assets/node.yaml
  • assets/controller.yaml

Walkthrough

Two Kubernetes manifest files are updated: the controller Deployment receives increased CPU/memory requests across four sidecar containers and three new VPC retry environment variables on the csi-driver container; the node DaemonSet gains environment variables for attachment limits, node mode, sidecar group ID, and udev timing, higher resource requests, runAsGroup: 0 additions, and a tightened non-root securityContext on the liveness-probe container.

Changes

CSI Driver Manifest Resource and Security Configuration

Layer / File(s) Summary
Controller resource increases
assets/controller.yaml
Raises CPU and memory resource requests for csi-provisioner (to 20m/40Mi), csi-attacher (to 15m/30Mi), csi-snapshotter (to 20m/40Mi), and csi-driver (to 75m/150Mi).
Controller VPC retry configuration
assets/controller.yaml
Adds MAX_VPC_RETRY_ATTEMPT, MIN_VPC_RETRY_INTERVAL, and MIN_VPC_RETRY_INTERVAL_ATTEMPT environment variables to the csi-driver container.
Node registrar configuration
assets/node.yaml
Adds VOLUME_ATTACHMENT_LIMIT environment variable to csi-driver-registrar and sets runAsGroup: 0 in its securityContext.
Node driver configuration
assets/node.yaml
Adds five environment variables (IS_NODE_SERVER, SIDECAR_GROUP_ID, and three udev-related vars) to csi-driver; increases CPU/memory resource requests and adds runAsGroup: 0 to its securityContext.
Liveness probe security hardening
assets/node.yaml
Reconfigures liveness-probe securityContext to enforce non-root execution (runAsNonRoot: true, runAsUser: 2121, runAsGroup: 2121), disable privileges, and apply SELinux policy (type: spc_t, level: s0).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • dfajmon
  • mpatlasov

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Container-Privileges ❌ Error node.yaml csi-driver container has privileged: true and runs as root (runAsUser: 0) without documented justification in the manifest. Add security context comment documenting why privileged mode is required for CSI block device management, or adjust security posture to minimize privileges.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately identifies the main change: updating deployment manifests to align with upstream versions, which is the primary focus of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo tests exist in this PR. All test files use standard Go testing package with static, deterministic test function names containing no dynamic values.
Test Structure And Quality ✅ Passed PR modifies only Kubernetes manifests (controller.yaml, node.yaml). No Ginkgo test files are modified or added; check is not applicable to YAML configuration changes.
Microshift Test Compatibility ✅ Passed PR does not add any Ginkgo e2e tests; it only modifies Kubernetes manifests and adds standard Go unit tests, making the MicroShift test compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds no new Ginkgo e2e tests. Changes are limited to Kubernetes deployment manifests (controller.yaml and node.yaml) with resource/environment configuration updates and security hardening.
Topology-Aware Scheduling Compatibility ✅ Passed PR manifests contain no topology-breaking scheduling constraints. Controller Deployment is topology-agnostic; Node DaemonSet uses standard region/zone labels (present on all topologies) and broad t...
Ote Binary Stdout Contract ✅ Passed PR only modifies Kubernetes YAML manifests and asset files, not OTE test code. OTE stdout contract check is inapplicable to this PR since it contains no OTE test binaries or test suite configuration.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. The changes are limited to Kubernetes YAML manifests (controller.yaml and node.yaml), which are not subject to this check.
No-Weak-Crypto ✅ Passed PR only modifies Kubernetes deployment manifests; no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or unsafe secret comparisons detected.
No-Sensitive-Data-In-Logs ✅ Passed The PR modifies Kubernetes YAML manifests with no sensitive data exposed in logs. New environment variables contain only non-sensitive values: numeric timeouts/counts, boolean flags, and configurat...
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from RomanBednar and dfajmon June 17, 2026 19:14
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2026
@dobsonj

dobsonj commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

/test

@dobsonj

dobsonj commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

/test e2e-ibmcloud-csi
/test e2e-ibmcloud-csi-extended

@dobsonj

dobsonj commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

/test e2e-ibmcloud-csi
/test e2e-ibmcloud-csi-extended

@dobsonj

dobsonj commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

/test e2e-ibmcloud-csi
/test e2e-ibmcloud-csi-extended

@dobsonj

dobsonj commented Jun 22, 2026

Copy link
Copy Markdown
Member Author

/retest

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

@dobsonj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-ibmcloud-csi-extended b4c5f58 link false /test e2e-ibmcloud-csi-extended
ci/prow/e2e-ibmcloud-csi b4c5f58 link false /test e2e-ibmcloud-csi

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants