SlideShare a Scribd company logo

KubeCon EU 2016: Kubernetes Storage 101

KubeAcademy, profile picture
KubeAcademy

The document outlines various storage options and management strategies within a Kubernetes environment, detailing persistent volume claims (PVCs) and persistent volumes (PVs) settings alongside their configurations. It highlights security policies including pod security policies (PSPs) and security context constraints (SCCs) that define conditions for pod acceptance and container behavior. Additionally, it provides examples of Kubernetes pods with specific volume configurations and security contexts, illustrating ownership and SELinux management capabilities.

Technology
1 of 30
Downloaded 217 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
○
Temp Local Network ● emptyDir ● hostPath ● GlusterFS ● CephRBD ● gitRepo ● secret ● flocker ● gcePersistentDisk ● AWS ElasticBlockStore (EBS) ● NFS ● iSCSI ● Fibre Channel ● Cinder
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
○ ○
VS.
Cattle Storage
KubeCon EU 2016: Kubernetes Storage 101
SALLYBOB GLOBAL Persistent Volume (PV123) Persistent Volume (PV456) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC001) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC002) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC003)
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
kind: PersistentVolumeClaim apiVersion: v1 metadata: name: dyn-prov-claim annotations: volume.alpha.kubernetes.io/storage-class: aws-ebs spec: accessModes: - ReadWriteOnce resources: requests: storage: 3Gi Available Provisioners: OpenStack Cinder kubernetes.io/cinder AWS Elastic Block Store (EBS) kubernetes.io/aws-ebs GCE Persistent Disk (gcePD) kubernetes.io/gce-pd
PROVISION: ● MANUAL ● DYNAMIC AVAILABLE BOUND PV + PVC = RELEASED PV + PVC = FAILURE POD CLAIM REQUEST CLAIM DELETED PENDING RETAIN PV (default policy) volume cannot mount CrashBackLoop
PROVISION: ● MANUAL ● DYNAMIC AVAILABLE BOUND PV + PVC = RELEASED PV + PVC = FAILURE POD CLAIM REQUEST POD DELETED PENDING FAILURE RETAIN PV POD CLAIM REQUEST volume cannot mount CrashBackLoop Timing / vague state
KubeCon EU 2016: Kubernetes Storage 101
Pod Security Policy (Upstream) Security Context Constraints (SCC) (OpenShift) ● PSP provides an interface for the security types but enforcement doesn’t exist today ● No admission controller SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following: 1. Running of privileged containers. 2. Capabilities a container can request to be added. 3. Use of host directories as volumes. 4. The SELinux context of the container. 5. The user ID. 6. The use of host namespaces and networking. 7. Allocating an FSGroup that owns the pod’s volumes 8. Configuring allowable supplemental groups ● SCC defined by namespace and can be restricted to specific users
# ls -ld /opt/nfs # on NFS server drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs kind: Pod metadata: name: nginx-nfs-test spec: containers: - name: nginx-nfs-test image: fedora/nginx ports: - name: web containerPort: 80 volumeMounts: - name: nginx-nfs mountPath: /usr/share/nginx/html/test securityContext: supplementalGroups: [1234] volumes: - name: nginx-nfs persistentVolumeClaim claimName: nfs-claim
Currently the list of volumes which support ownership management includes: ● AWS Elastic Block Store ● OpenStack Cinder ● GCE Persistent Disk ● iSCSI ● emptyDir ● Ceph RBD ● gitRepo apiVersion: v1 kind: Pod metadata: name: rbd-web spec: containers: - name: web image: nginx ports: - name: web containerPort: 80 volumeMounts: - name: ceph-rbd mountPath: "/usr/share/nginx/html" securityContext: fsGroup: 1234 volumes: - name: ceph-rbd rbd: monitors: - 192.168.122.133:6789 pool: rbd image: foo user: admin secretRef: name: ceph-secret fsType: ext4 readOnly: false
Currently the list of volumes which support SELinux management includes: ● AWS Elastic Block Store ● OpenStack Cinder ● GCE Persistent Disk ● iSCSI ● emptyDir ● Ceph RBD ● gitRepo ● Fibre Channel apiVersion: v1 kind: Pod metadata: name: ebs-web spec: containers: - name: web image: nginx ports: - name: web containerPort: 80 volumeMounts: - name: ebs-volume mountPath: "/usr/share/nginx/html" securityContext: seLinuxOptions: level: "s0:c123,c456" volumes: - name: ebs-volume awsElasticBlockStore: volumeID: <VOLUME ID>
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101

More Related Content

PDF
Introduction to Kubernetes and GKE
Opsta
 
PDF
Kubernetes dealing with storage and persistence
Janakiram MSV
 
PPTX
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 
PDF
Persistent Storage with Containers with Kubernetes & OpenShift
Red Hat Events
 
PDF
The Container Storage Interface (CSI)
Masiar Ighani
 
PDF
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
PDF
DevOps - Interview Question.pdf
MinhTrnNht7
 
PPTX
Kubernetes #6 advanced scheduling
Terry Cho
 
Introduction to Kubernetes and GKE
Opsta
 
Kubernetes dealing with storage and persistence
Janakiram MSV
 
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 
Persistent Storage with Containers with Kubernetes & OpenShift
Red Hat Events
 
The Container Storage Interface (CSI)
Masiar Ighani
 
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
DevOps - Interview Question.pdf
MinhTrnNht7
 
Kubernetes #6 advanced scheduling
Terry Cho
 

What's hot (20)

PPTX
Kubernetes Introduction
Martin Danielsson
 
PDF
Kubernetes
erialc_w
 
PDF
(Draft) Kubernetes - A Comprehensive Overview
Bob Killen
 
PDF
Deep dive into Kubernetes Networking
Sreenivas Makam
 
PDF
Kubernetes 101
Crevise Technologies
 
PDF
2019.06.27 Intro to Ceph
Ceph Community
 
ODP
VPC Implementation In OpenStack Heat
Saju Madhavan
 
PDF
Autoscaling Kubernetes
craigbox
 
PPTX
Kubernetes for Beginners: An Introductory Guide
Bytemark
 
PDF
2021.02 new in Ceph Pacific Dashboard
Ceph Community
 
PDF
Quick introduction to Kubernetes
Eduardo Garcia Moyano
 
PDF
Elasticsearch Tutorial | Getting Started with Elasticsearch | ELK Stack Train...
Edureka!
 
PDF
CKA Certified Kubernetes Administrator Notes
Adnan Rashid
 
PDF
Introduction to Kubernetes and Google Container Engine (GKE)
Opsta
 
PDF
Cluster management with Kubernetes
Satnam Singh
 
PPT
OpenSearch
hchen1
 
PPTX
Azure kubernetes service (aks)
Akash Agrawal
 
PDF
An overview of the Kubernetes architecture
Igor Sfiligoi
 
PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
PPTX
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
GMO-Z.com Vietnam Lab Center
 
Kubernetes Introduction
Martin Danielsson
 
Kubernetes
erialc_w
 
(Draft) Kubernetes - A Comprehensive Overview
Bob Killen
 
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Kubernetes 101
Crevise Technologies
 
2019.06.27 Intro to Ceph
Ceph Community
 
VPC Implementation In OpenStack Heat
Saju Madhavan
 
Autoscaling Kubernetes
craigbox
 
Kubernetes for Beginners: An Introductory Guide
Bytemark
 
2021.02 new in Ceph Pacific Dashboard
Ceph Community
 
Quick introduction to Kubernetes
Eduardo Garcia Moyano
 
Elasticsearch Tutorial | Getting Started with Elasticsearch | ELK Stack Train...
Edureka!
 
CKA Certified Kubernetes Administrator Notes
Adnan Rashid
 
Introduction to Kubernetes and Google Container Engine (GKE)
Opsta
 
Cluster management with Kubernetes
Satnam Singh
 
OpenSearch
hchen1
 
Azure kubernetes service (aks)
Akash Agrawal
 
An overview of the Kubernetes architecture
Igor Sfiligoi
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
Tìm hiểu và triển khai ứng dụng Web với Kubernetes
GMO-Z.com Vietnam Lab Center
 
Ad

Viewers also liked (20)

PDF
Behavioural activity monitoring on CoreOS with Sysdig Falco
Sysdig
 
PDF
Gluster Containerized Storage for Cloud Applications
Gluster.org
 
PDF
An Introduction to Kubernetes
Imesh Gunaratne
 
PDF
Cloud expo 2015
Aaron Brongersma
 
PPTX
Docker Orchestration: Welcome to the Jungle! Devoxx & Docker Meetup Tour Nov ...
Patrick Chanezon
 
PDF
Federation of Kubernetes Clusters (Ubernetes) KubeCon 2015 slides - Quinton H...
Quinton Hoole
 
PDF
Red Hat Storage Day LA - Persistent Storage for Linux Containers
Red_Hat_Storage
 
PDF
Kubernetes Scaling SIG (K8Scale)
KubeAcademy
 
PDF
Consuming Cinder from Docker
John Griffith
 
PDF
Federated mesos clusters for global data center designs
Krishna-Kumar
 
PDF
Marc Sluiter - 15 Kubernetes Features in 15 Minutes
Marc Sluiter
 
PDF
Kubernetes 101 for Developers
Ross Kukulinski
 
PPTX
9 ways to consume kubernetes on open stack in 15 mins (k8s meetup)
Stacy Véronneau
 
ODP
OpenShift Enterprise
Ali Sadeghi Ardestani
 
PDF
KubeCon EU 2016: Full Automatic Database: PostgreSQL HA with Kubernetes
KubeAcademy
 
PDF
The NFS Version 4 Protocol
Kelum Senanayake
 
PDF
Kubernetes Networking
Giragadurai Vallirajan
 
PDF
05. k means clustering ( k-means 클러스터링)
Jeonghun Yoon
 
PPTX
Ceph Day Chicago - Ceph Deployment at Target: Best Practices and Lessons Learned
Ceph Community
 
PDF
Wanting distributed volumes - Experiences with ceph-docker
Ewout Prangsma
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Sysdig
 
Gluster Containerized Storage for Cloud Applications
Gluster.org
 
An Introduction to Kubernetes
Imesh Gunaratne
 
Cloud expo 2015
Aaron Brongersma
 
Docker Orchestration: Welcome to the Jungle! Devoxx & Docker Meetup Tour Nov ...
Patrick Chanezon
 
Federation of Kubernetes Clusters (Ubernetes) KubeCon 2015 slides - Quinton H...
Quinton Hoole
 
Red Hat Storage Day LA - Persistent Storage for Linux Containers
Red_Hat_Storage
 
Kubernetes Scaling SIG (K8Scale)
KubeAcademy
 
Consuming Cinder from Docker
John Griffith
 
Federated mesos clusters for global data center designs
Krishna-Kumar
 
Marc Sluiter - 15 Kubernetes Features in 15 Minutes
Marc Sluiter
 
Kubernetes 101 for Developers
Ross Kukulinski
 
9 ways to consume kubernetes on open stack in 15 mins (k8s meetup)
Stacy Véronneau
 
OpenShift Enterprise
Ali Sadeghi Ardestani
 
KubeCon EU 2016: Full Automatic Database: PostgreSQL HA with Kubernetes
KubeAcademy
 
The NFS Version 4 Protocol
Kelum Senanayake
 
Kubernetes Networking
Giragadurai Vallirajan
 
05. k means clustering ( k-means 클러스터링)
Jeonghun Yoon
 
Ceph Day Chicago - Ceph Deployment at Target: Best Practices and Lessons Learned
Ceph Community
 
Wanting distributed volumes - Experiences with ceph-docker
Ewout Prangsma
 
Ad

Similar to KubeCon EU 2016: Kubernetes Storage 101 (20)

PDF
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
Carlos Sanchez
 
PDF
Docker and Containers for Development and Deployment — SCALE12X
Jérôme Petazzoni
 
PDF
[BarCamp2018][20180915][Tips for Virtual Hosting on Kubernetes]
Wong Hoi Sing Edison
 
PPTX
On Docker and its use for LHC at CERN
Sebastien Goasguen
 
PDF
Container Attached Storage with OpenEBS - CNCF Paris Meetup
MayaData Inc
 
PPTX
Introduction to Container Storage Interface (CSI)
Idan Atias
 
PPTX
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kevin Lynch
 
PDF
Webinar - DreamObjects/Ceph Case Study
Ceph Community
 
PDF
Keeping OpenStack storage trendy with Ceph and containers
Sage Weil
 
PDF
CEPH DAY BERLIN - PRACTICAL CEPHFS AND NFS USING OPENSTACK MANILA
Ceph Community
 
PDF
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
TomBarron
 
PPTX
Couch to OpenStack: Cinder - August 6, 2013
Trevor Roberts Jr.
 
PPTX
Kubernetes #4 volume &amp; stateful set
Terry Cho
 
PDF
The Automation Factory
Nathan Milford
 
PDF
Using CVMFS on a distributed Kubernetes cluster - The PRP Experience
Igor Sfiligoi
 
PDF
Introduction to Docker (as presented at December 2013 Global Hackathon)
Jérôme Petazzoni
 
PDF
Solving k8s persistent workloads using k8s DevOps style
MayaData
 
PDF
Andrija Panic - Ceph with CloudStack
ShapeBlue
 
PPTX
OpenEBS hangout #4
OpenEBS
 
PDF
Kubernetes stack reliability
Oleg Chunikhin
 
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
Carlos Sanchez
 
Docker and Containers for Development and Deployment — SCALE12X
Jérôme Petazzoni
 
[BarCamp2018][20180915][Tips for Virtual Hosting on Kubernetes]
Wong Hoi Sing Edison
 
On Docker and its use for LHC at CERN
Sebastien Goasguen
 
Container Attached Storage with OpenEBS - CNCF Paris Meetup
MayaData Inc
 
Introduction to Container Storage Interface (CSI)
Idan Atias
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kevin Lynch
 
Webinar - DreamObjects/Ceph Case Study
Ceph Community
 
Keeping OpenStack storage trendy with Ceph and containers
Sage Weil
 
CEPH DAY BERLIN - PRACTICAL CEPHFS AND NFS USING OPENSTACK MANILA
Ceph Community
 
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
TomBarron
 
Couch to OpenStack: Cinder - August 6, 2013
Trevor Roberts Jr.
 
Kubernetes #4 volume &amp; stateful set
Terry Cho
 
The Automation Factory
Nathan Milford
 
Using CVMFS on a distributed Kubernetes cluster - The PRP Experience
Igor Sfiligoi
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Jérôme Petazzoni
 
Solving k8s persistent workloads using k8s DevOps style
MayaData
 
Andrija Panic - Ceph with CloudStack
ShapeBlue
 
OpenEBS hangout #4
OpenEBS
 
Kubernetes stack reliability
Oleg Chunikhin
 

More from KubeAcademy (20)

PDF
KubeCon EU 2016: Distributed containers in the physical world
KubeAcademy
 
PDF
KubeCon EU 2016:
KubeAcademy
 
PDF
KubeCon EU 2016: ChatOps and Automatic Deployment on Kubernetes
KubeAcademy
 
PDF
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeAcademy
 
PDF
KubeCon EU 2016: Trading in the Kube
KubeAcademy
 
ODP
KubeCon EU 2016: Integrated trusted computing in Kubernetes
KubeAcademy
 
PDF
KubeCon EU 2016: Leveraging ephemeral namespaces in a CI/CD pipeline
KubeAcademy
 
PPTX
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeAcademy
 
PDF
KubeCon EU 2016: Heroku to Kubernetes
KubeAcademy
 
PPTX
KubeCon EU 2016: Transforming the Government
KubeAcademy
 
PDF
KubeCon EU 2016: Getting the Jobs Done With Kubernetes
KubeAcademy
 
PDF
KubeCon EU 2016: Using Traffic Control to Test Apps in Kubernetes
KubeAcademy
 
PDF
KubeCon EU 2016: Kubernetes in Production in The New York Times newsroom
KubeAcademy
 
PDF
KubeCon EU 2016: ITNW (If This Now What): Orchestrating an Enterprise
KubeAcademy
 
PDF
KubeCon EU 2016: SmartCity IoT on Kubernetes
KubeAcademy
 
PDF
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeAcademy
 
PDF
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeAcademy
 
PDF
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeAcademy
 
PDF
KubeCon EU 2016: Killing containers to make weather beautiful
KubeAcademy
 
PPTX
KubeCon EU 2016: Multi-Tenant Kubernetes
KubeAcademy
 
KubeCon EU 2016: Distributed containers in the physical world
KubeAcademy
 
KubeCon EU 2016:
KubeAcademy
 
KubeCon EU 2016: ChatOps and Automatic Deployment on Kubernetes
KubeAcademy
 
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeAcademy
 
KubeCon EU 2016: Trading in the Kube
KubeAcademy
 
KubeCon EU 2016: Integrated trusted computing in Kubernetes
KubeAcademy
 
KubeCon EU 2016: Leveraging ephemeral namespaces in a CI/CD pipeline
KubeAcademy
 
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeAcademy
 
KubeCon EU 2016: Heroku to Kubernetes
KubeAcademy
 
KubeCon EU 2016: Transforming the Government
KubeAcademy
 
KubeCon EU 2016: Getting the Jobs Done With Kubernetes
KubeAcademy
 
KubeCon EU 2016: Using Traffic Control to Test Apps in Kubernetes
KubeAcademy
 
KubeCon EU 2016: Kubernetes in Production in The New York Times newsroom
KubeAcademy
 
KubeCon EU 2016: ITNW (If This Now What): Orchestrating an Enterprise
KubeAcademy
 
KubeCon EU 2016: SmartCity IoT on Kubernetes
KubeAcademy
 
KubeCon EU 2016: Templatized Application Configuration on OpenShift and Kuber...
KubeAcademy
 
KubeCon EU 2016 Keynote: Pushing Kubernetes Forward
KubeAcademy
 
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeAcademy
 
KubeCon EU 2016: Killing containers to make weather beautiful
KubeAcademy
 
KubeCon EU 2016: Multi-Tenant Kubernetes
KubeAcademy
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Approach and Philosophy of On baking technology
30anthuong17
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

KubeCon EU 2016: Kubernetes Storage 101

  • 3.
  • 4. Temp Local Network ● emptyDir ● hostPath ● GlusterFS ● CephRBD ● gitRepo ● secret ● flocker ● gcePersistentDisk ● AWS ElasticBlockStore (EBS) ● NFS ● iSCSI ● Fibre Channel ● Cinder
  • 10. VS.
  • 13. SALLYBOB GLOBAL Persistent Volume (PV123) Persistent Volume (PV456) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC001) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC002) POD CLAIM REFERENCE PERSISTENT VOLUME CLAIM (PVC003)
  • 20. kind: PersistentVolumeClaim apiVersion: v1 metadata: name: dyn-prov-claim annotations: volume.alpha.kubernetes.io/storage-class: aws-ebs spec: accessModes: - ReadWriteOnce resources: requests: storage: 3Gi Available Provisioners: OpenStack Cinder kubernetes.io/cinder AWS Elastic Block Store (EBS) kubernetes.io/aws-ebs GCE Persistent Disk (gcePD) kubernetes.io/gce-pd
  • 21. PROVISION: ● MANUAL ● DYNAMIC AVAILABLE BOUND PV + PVC = RELEASED PV + PVC = FAILURE POD CLAIM REQUEST CLAIM DELETED PENDING RETAIN PV (default policy) volume cannot mount CrashBackLoop
  • 22. PROVISION: ● MANUAL ● DYNAMIC AVAILABLE BOUND PV + PVC = RELEASED PV + PVC = FAILURE POD CLAIM REQUEST POD DELETED PENDING FAILURE RETAIN PV POD CLAIM REQUEST volume cannot mount CrashBackLoop Timing / vague state
  • 24. Pod Security Policy (Upstream) Security Context Constraints (SCC) (OpenShift) ● PSP provides an interface for the security types but enforcement doesn’t exist today ● No admission controller SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following: 1. Running of privileged containers. 2. Capabilities a container can request to be added. 3. Use of host directories as volumes. 4. The SELinux context of the container. 5. The user ID. 6. The use of host namespaces and networking. 7. Allocating an FSGroup that owns the pod’s volumes 8. Configuring allowable supplemental groups ● SCC defined by namespace and can be restricted to specific users
  • 25. # ls -ld /opt/nfs # on NFS server drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs kind: Pod metadata: name: nginx-nfs-test spec: containers: - name: nginx-nfs-test image: fedora/nginx ports: - name: web containerPort: 80 volumeMounts: - name: nginx-nfs mountPath: /usr/share/nginx/html/test securityContext: supplementalGroups: [1234] volumes: - name: nginx-nfs persistentVolumeClaim claimName: nfs-claim
  • 26. Currently the list of volumes which support ownership management includes: ● AWS Elastic Block Store ● OpenStack Cinder ● GCE Persistent Disk ● iSCSI ● emptyDir ● Ceph RBD ● gitRepo apiVersion: v1 kind: Pod metadata: name: rbd-web spec: containers: - name: web image: nginx ports: - name: web containerPort: 80 volumeMounts: - name: ceph-rbd mountPath: "/usr/share/nginx/html" securityContext: fsGroup: 1234 volumes: - name: ceph-rbd rbd: monitors: - 192.168.122.133:6789 pool: rbd image: foo user: admin secretRef: name: ceph-secret fsType: ext4 readOnly: false
  • 27. Currently the list of volumes which support SELinux management includes: ● AWS Elastic Block Store ● OpenStack Cinder ● GCE Persistent Disk ● iSCSI ● emptyDir ● Ceph RBD ● gitRepo ● Fibre Channel apiVersion: v1 kind: Pod metadata: name: ebs-web spec: containers: - name: web image: nginx ports: - name: web containerPort: 80 volumeMounts: - name: ebs-volume mountPath: "/usr/share/nginx/html" securityContext: seLinuxOptions: level: "s0:c123,c456" volumes: - name: ebs-volume awsElasticBlockStore: volumeID: <VOLUME ID>