Provision Azure Files ReadWriteMany Persistent Volumes on Azure OpenShift: Difference between revisions

From NovaOrdis Knowledge Base
Revision diff (previous revision on the left, this revision on the right):

Line 43: the StorageClass name changed from azure-file to azure-files.

  metadata:
    name: azure-file      (previous revision)
    name: azure-files     (this revision)

Line 54: the context after the closing EOF and </syntaxhighlight> is unchanged; the sections "Change the default StorageClass (Optional)" (still TODO) and "Test" appear in both revisions.
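Review bot: the rename at line 43 from azure-file to azure-files is not an in-place edit of the existing object: metadata.name is immutable, so re-running the `oc create -f -` block creates a second StorageClass and leaves the old azure-file object in the cluster. Delete it (`oc delete storageclass azure-file`) and update any PersistentVolumeClaim whose storageClassName still says azure-file, otherwise those claims keep binding through the stale class.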

Revision as of 21:27, 25 November 2020

External

Internal

Overview

This article documents the procedure to configure an Azure OpenShift instance to use Azure Files-backed PVs, provisioned by the kubernetes.io/azure-file plug-in. More details about the kubernetes.io/azure-file provisioner are available here:

Azure Kubernetes Storage | kubernetes.io/azure-file Provisioner

Procedure

1. Create a storage account in its own, dedicated resource group (whether the OpenShift cluster resource group could be used instead is still an open question on this page). Use this:

Create Storage Account

2. Give the OpenShift cluster service principal permission to list the keys of the new storage account (the Microsoft.Storage/storageAccounts/listKeys/action operation). This page does that by assigning the "Contributor" role on the storage account's resource group; Contributor is much broader than the provisioner needs, so scope the assignment as tightly as your setup allows.

The OpenShift service principal can be obtained as described here:

Obtain the OpenShift cluster service principal

Assign the role:

az role assignment create --role Contributor --assignee <openshift-cluster-service-principal> -g <storage-account-resource-group>

For more details about role assignment see:

Azure Security Operations | Assign a Role

3. The OpenShift persistent volume binder service account needs to create and read Secrets: the kubernetes.io/azure-file provisioner stores the storage account key in a Secret in the claim's namespace, and the mounter reads it back when a pod mounts the share. Keep in mind that this key grants full access to every share in the account, so anyone who can read Secrets in a namespace that received an Azure Files PVC holds it. Grant the verbs with a dedicated OpenShift cluster role. Log in to the OpenShift API server as described here: OpenShift on Azure | oc login.

Create the role with:

oc create clusterrole azure-secret-reader --verb=create,get --resource=secrets

Bind the role to system:serviceaccount:kube-system:persistent-volume-binder with:

oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder

4. Create the Azure Files StorageClass

export LOCATION=...                 # Azure region of the storage account, e.g. eastus
export STORAGE_ACCOUNT_NAME=...     # storage account created in step 1
export STORAGE_RESOURCE_GROUP=...   # its dedicated resource group, where the service principal can list keys
cat << EOF | oc create -f -
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-files
provisioner: kubernetes.io/azure-file
parameters:
  location: ${LOCATION}
  skuName: Standard_LRS
  storageAccount: ${STORAGE_ACCOUNT_NAME}
  resourceGroup: ${STORAGE_RESOURCE_GROUP}
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
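The following script, added here and not part of the original page, carries out steps 2 and 4 end to end, but with the Contributor-on-resource-group assignment replaced by a custom role scoped to the storage account alone. It assumes that, because the StorageClass pins storageAccount, the provisioner only has to read the account and list its keys, so the two ARM actions in the role are enough (if you leave storageAccount empty and let the provisioner create accounts, it needs more and this role will not do). The role name, the variable names and the `apply` argument are choices made for this example.

```shell
#!/usr/bin/env sh
# Added example (not part of the NovaOrdis page): steps 2 and 4 with a custom
# role on the storage account instead of Contributor on its resource group.
# Assumption: with storageAccount pinned in the StorageClass, the provisioner
# only reads the account and lists its keys, so these two actions suffice.
set -eu

ROLE_NAME="Azure Files PV Key Reader"   # custom role name chosen for this example

# Role definition JSON for `az role definition create`. $1 = subscription id.
role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Read a storage account and list its keys (kubernetes.io/azure-file provisioner)",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1" ]
}
EOF
}

# ARM resource id of the storage account: the assignment is scoped to this id,
# not to the whole resource group. $1 = subscription, $2 = resource group, $3 = account.
storage_account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' "$1" "$2" "$3"
}

# The StorageClass from the page, rendered from arguments.
# $1 = location, $2 = storage account name, $3 = storage resource group.
storageclass_manifest() {
  cat <<EOF
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-files
provisioner: kubernetes.io/azure-file
parameters:
  location: $1
  skuName: Standard_LRS
  storageAccount: $2
  resourceGroup: $3
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
}

# Talks to Azure and OpenShift; needs az and oc logged in and these variables set.
apply_all() {
  : "${SUBSCRIPTION_ID:?}" "${LOCATION:?}" "${STORAGE_ACCOUNT_NAME:?}" \
    "${STORAGE_RESOURCE_GROUP:?}" "${OPENSHIFT_SP:?cluster service principal (app or object id)}"
  scope=$(storage_account_scope "$SUBSCRIPTION_ID" "$STORAGE_RESOURCE_GROUP" "$STORAGE_ACCOUNT_NAME")
  tmp=$(mktemp)
  role_definition "$SUBSCRIPTION_ID" > "$tmp"
  az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
  az role assignment create --role "$ROLE_NAME" --assignee "$OPENSHIFT_SP" --scope "$scope"
  # Check: the principal should hold exactly this role at exactly this scope.
  az role assignment list --assignee "$OPENSHIFT_SP" --scope "$scope" -o table
  storageclass_manifest "$LOCATION" "$STORAGE_ACCOUNT_NAME" "$STORAGE_RESOURCE_GROUP" | oc create -f -
}

# Only touch Azure/OpenShift when invoked as: sh provision.sh apply
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it with `apply` after exporting SUBSCRIPTION_ID, LOCATION, STORAGE_ACCOUNT_NAME, STORAGE_RESOURCE_GROUP and OPENSHIFT_SP; without the argument it only defines the functions, so the rendered JSON and YAML can be inspected first. The trailing `az role assignment list` is the check worth keeping: it shows the one role at the one scope, which is what you want to see instead of Contributor on the whole resource group.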

Change the default StorageClass (Optional)

TODO

Test
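The Test section above is empty; the script below is an added example, not from the original page, of how to verify that a claim provisioned through the azure-files StorageClass really is ReadWriteMany: two pods mount the same PVC, one writes a file, the other reads it back. It assumes a namespace you can create pods in, the StorageClass name azure-files from step 4, and the UBI minimal image (any image with /bin/sh works); the pod and claim names and the `run` argument are choices made for this example.

```shell
#!/usr/bin/env sh
# Added example (not part of the NovaOrdis page): prove ReadWriteMany by
# mounting one Azure Files PVC in two pods and reading from one what the
# other wrote. Assumes StorageClass azure-files and the UBI minimal image.
set -eu

PVC_NAME=${PVC_NAME:-azure-files-rwx-test}
IMAGE=${IMAGE:-registry.access.redhat.com/ubi8/ubi-minimal}

# PVC requesting RWX from the Azure Files class. $1 = claim, $2 = class, $3 = size.
pvc_manifest() {
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: $2
  resources:
    requests:
      storage: $3
EOF
}

# Idle pod with the claim mounted at /mnt/share. $1 = pod, $2 = claim, $3 = image.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
    - name: shell
      image: $3
      command: ["sleep", "3600"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: share
          mountPath: /mnt/share
  volumes:
    - name: share
      persistentVolumeClaim:
        claimName: $2
EOF
}

# Creates the claim and both pods, checks the claim bound, does the write/read
# round trip, then cleans up (reclaimPolicy Delete removes the share). $1 = namespace.
run_test() {
  ns=$1
  pvc_manifest "$PVC_NAME" azure-files 1Gi | oc -n "$ns" create -f -
  pod_manifest writer "$PVC_NAME" "$IMAGE" | oc -n "$ns" create -f -
  pod_manifest reader "$PVC_NAME" "$IMAGE" | oc -n "$ns" create -f -
  oc -n "$ns" wait --for=condition=Ready pod/writer pod/reader --timeout=300s
  [ "$(oc -n "$ns" get pvc "$PVC_NAME" -o jsonpath='{.status.phase}')" = "Bound" ] || {
    echo "PVC $PVC_NAME did not bind"; exit 1; }
  oc -n "$ns" exec writer -- sh -c 'echo hello-from-writer > /mnt/share/probe'
  got=$(oc -n "$ns" exec reader -- cat /mnt/share/probe)
  if [ "$got" = "hello-from-writer" ]; then
    echo "ReadWriteMany OK: reader saw what writer wrote"
  else
    echo "FAILED: reader saw '$got'"; exit 1
  fi
  oc -n "$ns" delete pod writer reader
  oc -n "$ns" delete pvc "$PVC_NAME"
}

# Only touch the cluster when invoked as: sh rwx-test.sh run <namespace>
if [ "${1:-}" = "run" ]; then run_test "${2:?namespace}"; fi
```

If the round trip works but the write fails with a permission error, look at the mount options: the in-tree azure-file plug-in mounts the share with uid/gid 0 and dir_mode and file_mode 0777 unless the StorageClass sets mountOptions, so a restrictive mountOptions list (uid, gid, dir_mode, file_mode) is the place to tighten it, with the pod's securityContext chosen to match.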