Persistent storage using Cinder

OKD supports OpenStack Cinder. Some familiarity with Kubernetes and OpenStack is assumed.

Cinder volumes can be provisioned dynamically. Persistent volumes are not bound to a single project or namespace; they can be shared across the OKD cluster. Persistent volume claims are specific to a project or namespace and can be requested by users.

Additional resources

  • For more information about how OpenStack Block Storage provides persistent block storage management for virtual hard drives, see OpenStack Cinder.

Manual provisioning with Cinder

Storage must exist in the underlying infrastructure before it can be mounted as a volume in OKD.

Prerequisites

  • OKD configured for Red Hat OpenStack Platform (RHOSP)

  • Cinder volume ID

Creating the persistent volume

You must define your persistent volume (PV) in an object definition before creating it in OKD:

Procedure

  1. Save your object definition to a file.

    cinder-persistentvolume.yaml

    1. apiVersion: "v1"
    2. kind: "PersistentVolume"
    3. metadata:
    4. name: "pv0001" (1)
    5. spec:
    6. capacity:
    7. storage: "5Gi" (2)
    8. accessModes:
    9. - "ReadWriteOnce"
    10. cinder: (3)
    11. fsType: "ext3" (4)
    12. volumeID: "f37a03aa-6212-4c62-a805-9ce139fab180" (5)
    1The name of the volume that is used by persistent volume claims or pods.
    2The amount of storage allocated to this volume.
    3Indicates cinder for Red Hat OpenStack Platform (RHOSP) Cinder volumes.
    4The file system that is created when the volume is mounted for the first time.
    5The Cinder volume to use.

    Do not change the fstype parameter value after the volume is formatted and provisioned. Changing this value can result in data loss and pod failure.

  2. Create the object definition file you saved in the previous step.

    1. $ oc create -f cinder-persistentvolume.yaml

Persistent volume formatting

You can use unformatted Cinder volumes as PVs because OKD formats them before the first use.

Before OKD mounts the volume and passes it to a container, the system checks that it contains a file system as specified by the fsType parameter in the PV definition. If the device is not formatted with the file system, all data from the device is erased and the device is automatically formatted with the given file system.

Cinder volume security

If you use Cinder PVs in your application, configure security for their deployment configurations.

Prerequisites

  • An SCC must be created that uses the appropriate fsGroup strategy.

Procedure

  1. Create a service account and add it to the SCC:

    1. $ oc create serviceaccount <service_account>
    1. $ oc adm policy add-scc-to-user <new_scc> -z <service_account> -n <project>
  2. In your application’s deployment configuration, provide the service account name and securityContext:

    1. apiVersion: v1
    2. kind: ReplicationController
    3. metadata:
    4. name: frontend-1
    5. spec:
    6. replicas: 1 (1)
    7. selector: (2)
    8. name: frontend
    9. template: (3)
    10. metadata:
    11. labels: (4)
    12. name: frontend (5)
    13. spec:
    14. containers:
    15. - image: openshift/hello-openshift
    16. name: helloworld
    17. ports:
    18. - containerPort: 8080
    19. protocol: TCP
    20. restartPolicy: Always
    21. serviceAccountName: <service_account> (6)
    22. securityContext:
    23. fsGroup: 7777 (7)
    1The number of copies of the pod to run.
    2The label selector of the pod to run.
    3A template for the pod that the controller creates.
    4The labels on the pod. They must include labels from the label selector.
    5The maximum name length after expanding any parameters is 63 characters.
    6Specifies the service account you created.
    7Specifies an fsGroup for the pods.