Provision Azure Files ReadWriteMany Persistent Volumes on Azure OpenShift

From NovaOrdis Knowledge Base
Revision as of 21:01, 25 November 2020 by Ovidiu (talk | contribs) (→‎Procedure)

External

Internal

Procedure

1. Create a storage account with its own dedicated resource group. (Why? Why can't we use the OpenShift cluster resource group?) Use this:

Create Storage Account

2. Give the OpenShift service principal the "listKey" permission on the new storage account's resource group. Assigning the "Contributor" role on that resource group achieves this.

The OpenShift service principal can be obtained as described here:

Obtain the OpenShift cluster service principal

Assign the role:

az role assignment create --role Contributor --assignee <openshift-cluster-service-principal> -g <storage-account-resource-group>

For more details about role assignment see:

Azure Security Operations | Assign a Role

3. The OpenShift persistent volume binder service account needs the ability to read secrets. Grant it by creating an OpenShift cluster role and assigning it to that service account. Log in to the OpenShift API server as described here: OpenShift on Azure | oc login. Then create the role with:

oc create clusterrole azure-secret-reader --verb=create,get --resource=secrets
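The three steps above, wrapped in one script so the commands can be reviewed before anything is changed. This is an added example, not part of the wiki page or of any Red Hat or Microsoft tooling. It assumes: a `DRY_RUN=1` mode that echoes each `az`/`oc` command instead of running it; `Standard_LRS`/`StorageV2` as the storage account SKU and kind (any Azure Files-capable choice works); and that the cluster role is bound to the `persistent-volume-binder` service account in `kube-system`, which is the binding the page implies but does not show. The role assignment is deliberately scoped to the storage account's own resource group, since Contributor is a broad role and the dedicated resource group is what keeps its reach small.

```shell
#!/bin/sh
# Added example (not from the wiki page): automates the three provisioning steps.
# DRY_RUN=1 prints each az/oc command instead of executing it, so the generated
# commands can be reviewed (and tested) without touching Azure or the cluster.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: a storage account in its own, dedicated resource group.
# SKU and kind are assumptions; pick whatever Azure Files tier you need.
create_storage_account() {
  rg="$1"; location="$2"; account="$3"
  run az group create --name "$rg" --location "$location"
  run az storage account create --name "$account" --resource-group "$rg" \
      --location "$location" --sku Standard_LRS --kind StorageV2
}

# Step 2: Contributor (which carries the listKeys permission) for the cluster
# service principal, scoped to the storage account's resource group only,
# never to the subscription or to the cluster's own resource group.
assign_contributor_on_storage_rg() {
  sp="$1"; rg="$2"
  run az role assignment create --role Contributor --assignee "$sp" --resource-group "$rg"
}

# Show what the service principal actually holds at that scope, so a stray
# assignment at a wider scope can be spotted during review.
show_assignments_on_storage_rg() {
  sp="$1"; rg="$2"
  run az role assignment list --assignee "$sp" --resource-group "$rg" --role Contributor -o table
}

# Step 3: cluster role that lets the persistent volume binder create and read
# the secrets holding the storage account key, then bind it to that service
# account (the binding target is an assumption; the page stops before it).
create_secret_reader_role() {
  run oc create clusterrole azure-secret-reader --verb=create,get --resource=secrets
  run oc adm policy add-cluster-role-to-user azure-secret-reader \
      system:serviceaccount:kube-system:persistent-volume-binder
}

# Usage: DRY_RUN=1 sh provision-azure-files.sh <sp-object-id> <storage-rg> <location> <account>
main() {
  sp="$1"; rg="$2"; location="$3"; account="$4"
  create_storage_account "$rg" "$location" "$account"
  assign_contributor_on_storage_rg "$sp" "$rg"
  show_assignments_on_storage_rg "$sp" "$rg"
  create_secret_reader_role
}

# Run only when all four arguments are supplied; sourcing the file just defines the functions.
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

Run it once with `DRY_RUN=1` and check that every `az role assignment` line names the storage account resource group; if the storage account and the cluster ever share a resource group again, this is the line that widens the service principal's reach.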