Provision Azure Files ReadWriteMany Persistent Volumes on Azure OpenShift: Difference between revisions
Line 29: | Line 29: | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder | oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder | ||
</syntaxhighlight> | |||
==Create the Azure Files StorageClass== | |||
<syntaxhighlight lang='bash'> | |||
export LOCATION=... | |||
export STORAGE_ACCOUNT_NAME=... | |||
export STORAGE_RESOURCE_GROUP=... | |||
cat << EOF | oc create -f - | |||
kind: StorageClass | |||
apiVersion: storage.k8s.io/v1 | |||
metadata: | |||
name: azure-file | |||
provisioner: kubernetes.io/azure-file | |||
parameters: | |||
location: ${LOCATION} | |||
skuName: Standard_LRS | |||
storageAccount: ${STORAGE_ACCOUNT_NAME} | |||
resourceGroup: ${STORAGE_RESOURCE_GROUP} | |||
reclaimPolicy: Delete | |||
volumeBindingMode: Immediate | |||
EOF | |||
</syntaxhighlight> | </syntaxhighlight> |
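Review bot: `reclaimPolicy: Delete` in the new StorageClass means the Azure file share backing a provisioned PV is removed together with its PVC; if share contents must outlive the claim, this should be `Retain`, and the choice deserves a sentence in the text. In the same hunk, the heredoc depends on `LOCATION`, `STORAGE_ACCOUNT_NAME` and `STORAGE_RESOURCE_GROUP` being exported; an unset variable expands to an empty string, so `oc create` would submit a StorageClass with blank `location`, `storageAccount` or `resourceGroup` parameters. A `set -u` before the `cat`, or a check that the three variables are non-empty, would make the failure visible at the point it happens rather than at first PVC provisioning.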
Revision as of 21:07, 25 November 2020
External
Internal
Procedure
1. Create a storage account with its own dedicated resource group. Why? Why can't we use the OpenShift cluster resource group? Use this:
2. Give the OpenShift service principal the "listKeys" permission on the new storage account resource group. Assign the "Contributor" role to achieve this.
The OpenShift service principal can be obtained as described here:
Assign the role:
az role assignment create --role Contributor --assignee <openshift-cluster-service-principal> -g <storage-account-resource-group>
For more details about role assignment see:
3. The OpenShift persistent volume binder service account needs the ability to read (and, for the azure-file provisioner, create) secrets. Grant it by creating an OpenShift cluster role and binding it to the service account. Log in to the OpenShift API server as described here: OpenShift on Azure | oc login.
Create the role with:
oc create clusterrole azure-secret-reader --verb=create,get --resource=secrets
Bind the role to system:serviceaccount:kube-system:persistent-volume-binder with:
oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder
Create the Azure Files StorageClass
export LOCATION=...
export STORAGE_ACCOUNT_NAME=...
export STORAGE_RESOURCE_GROUP=...
cat << EOF | oc create -f -
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: kubernetes.io/azure-file
parameters:
  location: ${LOCATION}
  skuName: Standard_LRS
  storageAccount: ${STORAGE_ACCOUNT_NAME}
  resourceGroup: ${STORAGE_RESOURCE_GROUP}
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
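As an added example, not part of the original wiki page, the StorageClass step above folded into a small script: it renders the same manifest from the same three variables but refuses to emit anything when one of them is unset (an unquoted heredoc silently expands an unset variable to an empty string, and oc create would then submit a StorageClass with blank location, storageAccount or resourceGroup parameters), and it renders a PersistentVolumeClaim that requests ReadWriteMany from the azure-file class, which is the volume type the page title refers to. The PVC name and size arguments, the APPLY switch and the sample values used when testing it are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): render the Azure Files StorageClass
# and a ReadWriteMany PVC bound to it, failing early on unset variables.
set -eu

# Check every variable the StorageClass heredoc expands; report all missing
# ones at once and return non-zero so nothing half-filled reaches oc create.
require_vars() {
  local name val missing=0
  for name in LOCATION STORAGE_ACCOUNT_NAME STORAGE_RESOURCE_GROUP; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "error: $name is not set" >&2
      missing=1
    fi
  done
  return $missing
}

# Same StorageClass as the page, emitted only after the variables are verified.
render_storageclass() {
  require_vars || return 1
  cat <<EOF
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: kubernetes.io/azure-file
parameters:
  location: ${LOCATION}
  skuName: Standard_LRS
  storageAccount: ${STORAGE_ACCOUNT_NAME}
  resourceGroup: ${STORAGE_RESOURCE_GROUP}
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
}

# A claim that asks the azure-file class for a ReadWriteMany volume.
# The name and size arguments (and their defaults) are hypothetical.
render_rwx_pvc() {
  local name="${1:-shared-data}" size="${2:-5Gi}"
  cat <<EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ${name}
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azure-file
  resources:
    requests:
      storage: ${size}
EOF
}

# Only talk to the cluster when explicitly asked (APPLY=1), after an oc login;
# otherwise the script just defines the functions for inspection or sourcing.
if [ "${APPLY:-0}" = "1" ]; then
  render_storageclass | oc create -f -
  render_rwx_pvc | oc create -f -
fi
```

Run it as `APPLY=1 ./script.sh` after exporting the three variables and logging in with oc; without APPLY it is safe to source and call `render_storageclass` or `render_rwx_pvc my-claim 10Gi` to inspect the YAML before anything is created.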