NFS PVC Dynamic Provisioning on OpenShift

Setting Up the NFS Server

I run a RHEL box that provides all the supporting services needed for my POCs and other demos. During the RHEL install, I set up the disk partitioning so that a significant chunk of the disk is mounted at /nfs to support the NFS needs of my local OpenShift cluster.

[root@nuc1 /]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0   477G  0 disk
├─sda1   8:1    0   600M  0 part /boot/efi
├─sda2   8:2    0     1G  0 part /boot
├─sda3   8:3    0   100G  0 part /home
├─sda4   8:4    0    70G  0 part /
├─sda5   8:5    0  15.6G  0 part [SWAP]
└─sda6   8:6    0 289.7G  0 part /nfs

Start by installing the nfs-utils package, enabling the service, and adding the directories.

yum install nfs-utils
systemctl enable --now nfs-server
mkdir /nfs/ocp
mkdir /nfs/ocp/registry
mkdir /nfs/ocp/containers

Next, set up the exports and restart the service. Update the file at /etc/exports with the following NFS exports.

/nfs/ocp/registry       *(rw,sync,no_root_squash,insecure,no_wdelay)
/nfs/ocp/containers     *(rw,sync,no_root_squash)

Then re-export the directories and restart the service.

exportfs -arv
systemctl restart nfs-server
# Check the status of the service
systemctl status nfs-server
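
As an added example (not part of the original post), the shell function below reads exports(5) lines on stdin and flags the three settings in the exports above that widen access: the `*` client (any host that can reach the server), `no_root_squash` (root on a client stays root on the export), and `insecure` (requests from unprivileged source ports are accepted). It handles the plain `path client(options)` form used here; the `/nfs/ocp/restricted` line and its 192.168.1.0/24 subnet are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: flag risky client specs in exports(5) lines read from stdin.
# Not parsed: "-opts" default-option groups and backslash line continuations.

audit_exports() {
  awk '
    {
      sub(/#.*/, "")                 # drop comments
      if (NF == 0) next              # blank line
      path = $1
      if (NF == 1) {                 # no client list: nfs-utils treats it as any host
        print path ": exported to any host"
        next
      }
      for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                 # split "host(opt,opt)" into host and options
          host = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        if (host == "") host = "*"   # a bare "(opts)" applies to every host
        if (host == "*")
          print path ": exported to any host"
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash")
            print path ": no_root_squash for " host
          if (o[j] == "insecure")
            print path ": insecure (unprivileged source ports) for " host
        }
      }
    }
  '
}

# Constructed sample: the two exports from this post, plus a restricted one.
sample_exports() {
  cat <<'EOF'
/nfs/ocp/registry       *(rw,sync,no_root_squash,insecure,no_wdelay)
/nfs/ocp/containers     *(rw,sync,no_root_squash)
/nfs/ocp/restricted     192.168.1.0/24(rw,sync,root_squash)
EOF
}

sample_exports | audit_exports
```

On the NFS server, feed it the live file with `audit_exports < /etc/exports`.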

Last, update the firewall to allow NFS.

firewall-cmd --zone=public --permanent --add-service=nfs
firewall-cmd --reload
# To check the status of the firewall
firewall-cmd --list-all

Installing the Helm Chart

To install the helm chart, execute the following commands.

oc new-project nfs-subdir-external-provisioner

helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner

helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner -n nfs-subdir-external-provisioner \
    --set nfs.server=192.168.1.11 \
    --set nfs.path=/nfs/ocp/containers

The deployment will fail because of security issues: OpenShift has more restrictive policies, which require us to grant an additional security context constraint (SCC), hostmount-anyuid, to the service account managed by the Helm chart.

oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:nfs-subdir-external-provisioner:nfs-subdir-external-provisioner

I also want to update the storage class to be the default by adding the annotation storageclass.kubernetes.io/is-default-class: 'true' to the nfs-client storage class.

Once the policy is applied, you can test with a simple PVC.


kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: test-claim
spec:
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Mi
