Update local-volume-provisioner (#9463)

- Update and re-work the documentation:
  - Update links
  - Fix formatting (especially for lists)
  - Remove documentation about `useAlphaApi`,
    a flag only for k8s versions < v1.10
  - Attempt to clarify the doc
- Update to version 1.5.0
- Remove PodSecurityPolicy (deprecated in k8s v1.21+)
- Update ClusterRole following upstream
  (cf https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner/pull/292)
- Add nodeSelector to DaemonSet (following upstream)

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/defaults/main.yml

@@ -6,9 +6,9 @@ local_volume_provisioner_nodelabels: []
 #   - topology.kubernetes.io/region
 #   - topology.kubernetes.io/zone
 local_volume_provisioner_tolerations: []
-# Levarages Ansibles string to Python datatype casting. Otherwise the dict_key isn't substituted
-# see https://github.com/ansible/ansible/issues/17324
 local_volume_provisioner_use_node_name_only: false
+# Leverages Ansible's string to Python datatype casting. Otherwise the dict_key isn't substituted.
+# see https://github.com/ansible/ansible/issues/17324
 local_volume_provisioner_storage_classes: |
   {
     "{{ local_volume_provisioner_storage_class | default('local-storage') }}": {
@@ -16,6 +16,5 @@ local_volume_provisioner_storage_classes: |
       "mount_dir": "{{ local_volume_provisioner_mount_dir | default('/mnt/disks') }}",
       "volume_mode": "Filesystem",
       "fs_type": "ext4"
-
     }
   }

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml

@@ -24,17 +24,6 @@
       - { name: local-volume-provisioner-cm, file: local-volume-provisioner-cm.yml, type: cm }
       - { name: local-volume-provisioner-ds, file: local-volume-provisioner-ds.yml, type: ds }
       - { name: local-volume-provisioner-sc, file: local-volume-provisioner-sc.yml, type: sc }
-    local_volume_provisioner_templates_for_psp_not_system_ns:
-      - { name: local-volume-provisioner-psp, file: local-volume-provisioner-psp.yml, type: psp }
-      - { name: local-volume-provisioner-psp-role, file: local-volume-provisioner-psp-role.yml, type: role }
-      - { name: local-volume-provisioner-psp-rb, file: local-volume-provisioner-psp-rb.yml, type: rolebinding }
-
-- name: Local Volume Provisioner | Insert extra templates to Local Volume Provisioner templates list for PodSecurityPolicy
-  set_fact:
-    local_volume_provisioner_templates: "{{ local_volume_provisioner_templates[:2] + local_volume_provisioner_templates_for_psp_not_system_ns + local_volume_provisioner_templates[2:] }}"
-  when:
-    - podsecuritypolicy_enabled
-    - local_volume_provisioner_namespace != "kube-system"
 
 - name: Local Volume Provisioner | Create manifests
   template:

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-clusterrole.yml.j2

@@ -5,6 +5,18 @@ metadata:
   name: local-volume-provisioner-node-clusterrole
   namespace: {{ local_volume_provisioner_namespace }}
 rules:
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["watch"]
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "update", "patch"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get"]

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-clusterrolebinding.yml.j2

@@ -1,20 +1,6 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-metadata:
-  name: local-volume-provisioner-system-persistent-volume-provisioner
-  namespace: {{ local_volume_provisioner_namespace }}
-subjects:
-- kind: ServiceAccount
-  name: local-volume-provisioner
-  namespace: {{ local_volume_provisioner_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
   name: local-volume-provisioner-system-node
   namespace: {{ local_volume_provisioner_namespace }}

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-ds.yml.j2

@@ -20,6 +20,8 @@ spec:
     spec:
       priorityClassName: {% if local_volume_provisioner_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
       serviceAccountName: local-volume-provisioner
+      nodeSelector:
+        kubernetes.io/os: linux
 {% if local_volume_provisioner_tolerations %}
       tolerations:
         {{ local_volume_provisioner_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-cr.yml.j2

@@ -1,14 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:local-volume-provisioner
-  namespace: {{ local_volume_provisioner_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - local-volume-provisioner
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-rb.yml.j2

@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:local-volume-provisioner
-  namespace: {{ local_volume_provisioner_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: local-volume-provisioner
-    namespace: {{ local_volume_provisioner_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:local-volume-provisioner
-  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-role.yml.j2

@@ -1,15 +0,0 @@
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:local-volume-provisioner
-  namespace: {{ local_volume_provisioner_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - local-volume-provisioner
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use

roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2

@@ -1,45 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: local-volume-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'secret'
-    - 'downwardAPI'
-    - 'hostPath'
-  allowedHostPaths:
-{% for class_name, class_config in local_volume_provisioner_storage_classes.items() %}
-    - pathPrefix: "{{ class_config.host_dir }}"
-      readOnly: false
-{% endfor %}
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false