KubeCon EU 2016: Kubernetes Storage 101
TRANSCRIPT
Slide 4: Volume types (columns on the slide: Temp, Local, Network)
● emptyDir
● hostPath
● GlusterFS
● CephRBD
● gitRepo
● secret
● flocker
● gcePersistentDisk
● AWS ElasticBlockStore (EBS)
● NFS
● iSCSI
● Fibre Channel
● Cinder
Slide 10: VS.
Slide 11: Cattle Storage
Slide 13: PV/PVC binding diagram. Two users (Sally, Bob); two global Persistent Volumes (PV123, PV456); three Pods, each holding a claim reference to its own Persistent Volume Claim (PVC001, PVC002, PVC003).
Slide 20: Dynamically provisioned claim

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dyn-prov-claim
  annotations:
    volume.alpha.kubernetes.io/storage-class: aws-ebs
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
```

Available Provisioners:
● OpenStack Cinder: kubernetes.io/cinder
● AWS Elastic Block Store (EBS): kubernetes.io/aws-ebs
● GCE Persistent Disk (gcePD): kubernetes.io/gce-pd
Slide 21: PV lifecycle state diagram. Labels on the slide: Provision (manual, dynamic); Available; Bound (PV + PVC); Released (PV + PVC); Failure; Pod claim request; Claim deleted; Pending; Retain PV (default policy); volume cannot mount; CrashBackLoop.
Slide 22: The same lifecycle diagram for the case where the Pod (not the claim) is deleted. Labels: Provision (manual, dynamic); Available; Bound (PV + PVC); Released (PV + PVC); Failure; Pod claim request; Pod deleted; Pending; Retain PV; volume cannot mount; CrashBackLoop. Annotation: "Timing / vague state".
Slide 24: Pod Security Policy (upstream) vs. Security Context Constraints (SCC) (OpenShift)
● PSP provides an interface for the security types but enforcement doesn't exist today
● No admission controller
SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:
1. Running of privileged containers.
2. Capabilities a container can request to be added.
3. Use of host directories as volumes.
4. The SELinux context of the container.
5. The user ID.
6. The use of host namespaces and networking.
7. Allocating an FSGroup that owns the pod's volumes.
8. Configuring allowable supplemental groups.
● SCCs are defined by namespace and can be restricted to specific users
Slide 25: NFS export with supplementalGroups

```console
# ls -ld /opt/nfs    # on the NFS server
drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs
```

The export is owned by group 1234 with no world access, so the pod is given supplemental group 1234 at the pod level so its containers can read and write the mount:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-nfs-test
spec:
  securityContext:
    supplementalGroups: [1234]
  containers:
    - name: nginx-nfs-test
      image: fedora/nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: nginx-nfs
          mountPath: /usr/share/nginx/html/test
  volumes:
    - name: nginx-nfs
      persistentVolumeClaim:
        claimName: nfs-claim
```
Slide 26: fsGroup ownership management

Currently the list of volumes which support ownership management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: rbd-web
spec:
  securityContext:
    fsGroup: 1234
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ceph-rbd
          mountPath: "/usr/share/nginx/html"
  volumes:
    - name: ceph-rbd
      rbd:
        monitors:
          - 192.168.122.133:6789
        pool: rbd
        image: foo
        user: admin
        secretRef:
          name: ceph-secret
        fsType: ext4
        readOnly: false
```
Slide 27: SELinux management

Currently the list of volumes which support SELinux management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
● Fibre Channel

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ebs-web
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ebs-volume
          mountPath: "/usr/share/nginx/html"
  volumes:
    - name: ebs-volume
      awsElasticBlockStore:
        volumeID: <VOLUME ID>
```
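As an added example (not code from the talk or from Kubernetes/OpenShift), the following linter checks a Pod manifest against the eight controls listed on the SCC slide and against the volume security settings shown in the NFS, fsGroup and SELinux slides; the manifest is taken as the dict `yaml.safe_load` would return, and the sample pod, its server name and paths are constructed.

```python
# Added example (not the talk's code): lint a Pod manifest, given as the dict
# yaml.safe_load would return, against the eight SCC controls on the slide.
FSGROUP_MANAGED = {"awsElasticBlockStore", "cinder", "gcePersistentDisk",
                   "iscsi", "emptyDir", "rbd", "gitRepo"}  # from the deck's list

def lint_pod(pod):
    """Return a list of (control, message) findings for one Pod manifest."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})  # pod-level securityContext
    findings = []
    for c in spec.get("containers", []):
        csc = c.get("securityContext", {})  # container-level overrides
        if csc.get("privileged"):  # 1. privileged containers
            findings.append(("privileged", f"{c['name']}: runs privileged"))
        for cap in csc.get("capabilities", {}).get("add", []):  # 2. added caps
            findings.append(("capabilities", f"{c['name']}: adds {cap}"))
        uid = csc.get("runAsUser", psc.get("runAsUser"))  # 5. user ID
        if uid is None or uid == 0:
            findings.append(("runAsUser", f"{c['name']}: no non-root runAsUser"))
    for v in spec.get("volumes", []):
        vtype = next((k for k in v if k != "name"), None)
        if vtype == "hostPath":  # 3. host directories as volumes
            findings.append(("hostPath", f"{v['name']}: mounts {v['hostPath'].get('path')}"))
        elif vtype in FSGROUP_MANAGED and "fsGroup" not in psc:  # 7. FSGroup
            findings.append(("fsGroup", f"{v['name']}: {vtype} honours fsGroup, none set"))
        elif vtype == "nfs" and not psc.get("supplementalGroups"):  # 8. as on the NFS slide
            findings.append(("supplementalGroups", f"{v['name']}: NFS needs a matching group"))
    if "seLinuxOptions" not in psc:  # 4. SELinux context
        findings.append(("seLinux", "no seLinuxOptions on the pod"))
    for ns in ("hostNetwork", "hostPID", "hostIPC"):  # 6. host namespaces and networking
        if spec.get(ns):
            findings.append((ns, f"{ns} enabled"))
    return findings

# Constructed sample modelled on the deck's nginx-nfs-test pod, with a hostPath
# volume, an emptyDir and hostNetwork added so several controls trigger.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx-nfs-test"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"supplementalGroups": [1234]},
        "containers": [{"name": "web", "image": "fedora/nginx",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "nginx-nfs", "nfs": {"server": "nfs.example", "path": "/opt/nfs"}},
                    {"name": "host", "hostPath": {"path": "/var/log"}},
                    {"name": "scratch", "emptyDir": {}}],
    },
}
```

Running `lint_pod(SAMPLE_POD)` reports the privileged container, the missing non-root user, the hostPath mount, the emptyDir without fsGroup, the missing SELinux level and hostNetwork, while the NFS volume passes because a supplemental group is set.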