我的书签
添加书签
移除书签Mounting Volumes on Privileged Pods
You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see [4]
You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see [4]
Overview
Persistent volumes can be mounted to pods with the privileged security context constraint (SCC) attached.
While this topic uses GlusterFS as a sample use-case for mounting volumes onto privileged pods, it can be adapted to use any supported storage plug-in. |
Prerequisites
An existing Gluster volume.
glusterfs-fuse installed on all hosts.
Definitions for GlusterFS:
Endpoints and services: gluster-endpoints-service.yaml and gluster-endpoints.yaml
Persistent volumes: gluster-pv.yaml
Persistent volume claims: gluster-pvc.yaml
Privileged pods: gluster-S3-pod.yaml
A user with the cluster-admin role binding. For this guide, that user is called
admin.
Creating the Persistent Volume
Creating the PersistentVolume makes the storage accessible to users, regardless of projects.
As the admin, create the service, endpoint object, and persistent volume:
$ oc create -f gluster-endpoints-service.yaml$ oc create -f gluster-endpoints.yaml$ oc create -f gluster-pv.yaml
Verify that the objects were created:
$ oc get svcNAME CLUSTER_IP EXTERNAL_IP PORT(S) SELECTOR AGEgluster-cluster 172.30.151.58 <none> 1/TCP <none> 24s
$ oc get epNAME ENDPOINTS AGEgluster-cluster 192.168.59.102:1,192.168.59.103:1 2m
$ oc get pvNAME LABELS CAPACITY ACCESSMODES STATUS CLAIM REASON AGEgluster-default-volume <none> 2Gi RWX Available 2d
Creating a Regular User
Adding a regular user to the privileged SCC (or to a group given access to the SCC) allows them to run privileged pods:
As the admin, add a user to the SCC:
$ oc adm policy add-scc-to-user privileged <username>
Log in as the regular user:
$ oc login -u <username> -p <password>
Then, create a new project:
$ oc new-project <project_name>
Creating the Persistent Volume Claim
As a regular user, create the PersistentVolumeClaim to access the volume:
$ oc create -f gluster-pvc.yaml -n <project_name>
Define your pod to access the claim:
Example 1. Pod Definition
apiVersion: v1id: gluster-S3-pvckind: Podmetadata:name: gluster-nginx-privspec:containers:- name: gluster-nginx-privimage: fedora/nginxvolumeMounts:- mountPath: /mnt/gluster (1)name: gluster-volume-claimsecurityContext:privileged: truevolumes:- name: gluster-volume-claimpersistentVolumeClaim:claimName: gluster-claim (2)
1 Volume mount within the pod. 2 The gluster-claim must reflect the name of the PersistentVolume. Upon pod creation, the mount directory is created and the volume is attached to that mount point.
As regular user, create a pod from the definition:
$ oc create -f gluster-S3-pod.yaml
Verify that the pod created successfully:
$ oc get podsNAME READY STATUS RESTARTS AGEgluster-S3-pod 1/1 Running 0 36m
It can take several minutes for the pod to create.
Verifying the Setup
Checking the Pod SCC
Export the pod configuration:
$ oc get -o yaml --export pod <pod_name>
Examine the output. Check that
openshift.io/scchas the value ofprivileged:Example 2. Export Snippet
metadata:annotations:openshift.io/scc: privileged
Verifying the Mount
Access the pod and check that the volume is mounted:
$ oc rsh <pod_name>[root@gluster-S3-pvc /]# mount
Examine the output for the Gluster volume:
Example 3. Volume Mount
192.168.59.102:gv0 on /mnt/gluster type fuse.gluster (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
