Chapter 40. Deploying External Persistent Volume Provisioners
40.1. Overview
The external provisioner for AWS EFS on OpenShift Container Platform is a Technology Preview feature. Technology Preview features are not supported with Red Hat production service-level agreements (SLAs) and might not be functionally complete, and Red Hat does not recommend using them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information, see Red Hat Technology Preview Features Support Scope.
An external provisioner is an application that enables dynamic provisioning for a particular storage provider. External provisioners can run alongside the provisioner plug-ins provided by OpenShift Container Platform and are configured in a similar way as the StorageClass objects are configured, as described in the Dynamic Provisioning and Creating Storage Classes section. Since these provisioners are external, you can deploy and update them independently of OpenShift Container Platform.
40.2. Before You Begin
An Ansible Playbook is also available to deploy and upgrade external provisioners.
Before proceeding, familiarize yourself with the Configuring Cluster Metrics and the Configuring Cluster Logging sections.
40.2.1. External Provisioners Ansible Role
The OpenShift Ansible openshift_provisioners role configures and deploys external provisioners using the variables from the Ansible inventory file. You must specify which provisioners to install by overriding their respective install variables to true.
40.2.2. External Provisioners Ansible Variables
Following is a list of role variables that apply to all provisioners for which the install variable is true.
| Variable | Description |
|---|---|
|
|
If |
|
|
The prefix for the component images. For example, with Defaults to |
|
|
The version for the component images. For example, with |
|
|
The project to deploy provisioners in. Defaults to |
40.2.3. AWS EFS Provisioner Ansible Variables
The AWS EFS provisioner dynamically provisions NFS PVs backed by dynamically created directories in a given EFS file system’s directory. You must satisfy the following requirements before the AWS EFS Provisioner Ansible variables can be configured:
- An IAM user assigned with the AmazonElasticFileSystemReadOnlyAccess policy (or better).
- An EFS file system in your cluster’s region.
- Mount targets and security groups such that any node (in any zone in the cluster’s region) can mount the EFS file system by its File system DNS name.
| Variable | Description |
|---|---|
|
|
The File system ID of the EFS file system, for example: |
|
| The Amazon EC2 region for the EFS file system. |
|
| The AWS access key of the IAM user (to check that the specified EFS file system exists). |
|
| The AWS secret access key of the IAM user (to check that the specified EFS file system exists). |
| Variable | Description |
|---|---|
|
|
If |
|
|
The path of the directory in the EFS file system, in which the EFS provisioner will create a directory to back each PV it creates. It must exist and be mountable by the EFS provisioner. Defaults to |
|
|
The |
|
|
A map of labels to select the nodes where the pod will land. For example: |
|
|
The supplemental group to give the pod, in case it is needed for permission to write to the EFS file system. Defaults to |
40.3. Deploying the Provisioners
You can deploy all provisioners at once or one provisioner at a time according to the configuration specified in the OpenShift Ansible variables. The following example shows you how to deploy a given provisioner and then create and configure a corresponding StorageClass.
40.3.1. Deploying the AWS EFS Provisioner
The following command sets the directory in the EFS volume to /data/persistentvolumes. This directory must exist in the file system and must be mountable and writeable by the provisioner pod. Change to the playbook directory and run the following playbook:
$ cd /usr/share/ansible/openshift-ansible
$ ansible-playbook -v -i <inventory_file> \
playbooks/openshift-provisioners/config.yml \
-e openshift_provisioners_install_provisioners=True \
-e openshift_provisioners_efs=True \
-e openshift_provisioners_efs_fsid=fs-47a2c22e \
-e openshift_provisioners_efs_region=us-west-2 \
-e openshift_provisioners_efs_aws_access_key_id=AKIAIOSFODNN7EXAMPLE \
-e openshift_provisioners_efs_aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
-e openshift_provisioners_efs_path=/data/persistentvolumes40.3.1.1. AWS EFS Object Definition
aws-efs-storageclass.yaml
kind: StorageClass apiVersion: storage.k8s.io/v1beta1 metadata: name: slow provisioner: openshift.org/aws-efs 1 parameters: gidMin: "40000" 2 gidMax: "50000" 3
Each dynamically provisioned volume’s corresponding NFS directory is assigned a unique GID owner from the range gidMin-gidMax. If it is not specified, gidMin defaults to 2000 and gidMax defaults to 2147483647. Any pod that consumes a provisioned volume via a claim automatically runs with the needed GID as a supplemental group and is able to read & write to the volume. Other mounters that do not have the supplemental group (and are not running as root) will not be able to read or write to the volume. For more information on using the supplemental groups to manage NFS access, see the Group IDs section of NFS Volume Security topic.
40.4. Cleanup
You can remove everything deployed by the OpenShift Ansible openshift_provisioners role by running the following command:
$ cd /usr/share/ansible/openshift-ansible
$ ansible-playbook -v -i <inventory_file> \
playbooks/openshift-provisioners/config.yml \
-e openshift_provisioners_install_provisioners=False