forked from kubernetes-sigs/blob-csi-driver
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: support workload identity setting in static PV mount (kubernete…
…s-sigs#1204) * feat: support workload identity setting in static PV mount * fix
- Loading branch information
Showing
5 changed files
with
225 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,3 +12,5 @@ spec: | |
| volumeLifecycleModes: | ||
| - Persistent | ||
| - Ephemeral | ||
| tokenRequests: | ||
| - audience: api://AzureADTokenExchange | ||
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,178 @@ | ||
| # Example of static PV mount with workload identity | ||
|
|
||
| > Note: | ||
| > - Available kubernetes version >= v1.20 | ||
| ## prerequisite | ||
|
|
||
|
|
||
| ### 1. Create a cluster with oidc-issuer enabled and get the credential | ||
|
|
||
| Following the [documentation](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-oidc-issuer) to create an AKS cluster with the `--enable-oidc-issuer` parameter and get the AKS credentials. And export following environment variables: | ||
| ``` | ||
| export RESOURCE_GROUP=<your resource group name> | ||
| export CLUSTER_NAME=<your cluster name> | ||
| export REGION=<your region> | ||
| ``` | ||
|
|
||
|
|
||
| ### 2. Create a new storage account and container | ||
|
|
||
| Following the [documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli) to create a new storage account and container or use your own. And export following environment variables: | ||
| ``` | ||
| export STORAGE_RESOURCE_GROUP=<your storage account resource group> | ||
| export ACCOUNT=<your storage account name> | ||
| export CONTAINER=<your container name> | ||
| ``` | ||
|
|
||
| ### 3. Create managed identity and role assignment | ||
| ``` | ||
| export UAMI=<your managed identity name> | ||
| az identity create --name $UAMI --resource-group $RESOURCE_GROUP | ||
| export USER_ASSIGNED_CLIENT_ID="$(az identity show -g $RESOURCE_GROUP --name $UAMI --query 'clientId' -o tsv)" | ||
| export IDENTITY_TENANT=$(az aks show --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --query identity.tenantId -o tsv) | ||
| export ACCOUNT_SCOPE=$(az storage account show --name $ACCOUNT --query id -o tsv) | ||
| # please retry if you meet `Cannot find user or service principal in graph database` error, it may take a while for the identity to propagate | ||
| az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE | ||
| ``` | ||
|
|
||
| ### 4. Create service account on AKS | ||
| ``` | ||
| export SERVICE_ACCOUNT_NAME=<your sa name> | ||
| export SERVICE_ACCOUNT_NAMESPACE=<your sa namespace> | ||
| cat <<EOF | kubectl apply -f - | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: ${SERVICE_ACCOUNT_NAME} | ||
| namespace: ${SERVICE_ACCOUNT_NAMESPACE} | ||
| EOF | ||
| ``` | ||
|
|
||
| ### 5. Create the federated identity credential between the managed identity, service account issuer, and subject using the `az identity federated-credential create` command. | ||
| ``` | ||
| export FEDERATED_IDENTITY_NAME=<your federated identity name> | ||
| export AKS_OIDC_ISSUER="$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "oidcIssuerProfile.issuerUrl" -o tsv)" | ||
| az identity federated-credential create --name $FEDERATED_IDENTITY_NAME \ | ||
| --identity-name $UAMI \ | ||
| --resource-group $RESOURCE_GROUP \ | ||
| --issuer $AKS_OIDC_ISSUER \ | ||
| --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME} | ||
| ``` | ||
|
|
||
| ## option#1: static provision with PV | ||
| ``` | ||
| cat <<EOF | kubectl apply -f - | ||
| apiVersion: v1 | ||
| kind: PersistentVolume | ||
| metadata: | ||
| annotations: | ||
| pv.kubernetes.io/provisioned-by: blob.csi.azure.com | ||
| name: pv-blob | ||
| spec: | ||
| capacity: | ||
| storage: 10Gi | ||
| accessModes: | ||
| - ReadWriteMany | ||
| persistentVolumeReclaimPolicy: Retain | ||
| storageClassName: blob-fuse | ||
| mountOptions: | ||
| - -o allow_other | ||
| - --file-cache-timeout-in-seconds=120 | ||
| csi: | ||
| driver: blob.csi.azure.com | ||
| # make sure volumeid is unique for every storage blob container in the cluster | ||
| # the # character is reserved for internal use, the / character is not allowed | ||
| volumeHandle: unique_volume_id | ||
| volumeAttributes: | ||
| storageaccount: $ACCOUNT # required | ||
| containerName: $CONTAINER # required | ||
| clientID: $USER_ASSIGNED_CLIENT_ID # required | ||
| resourcegroup: $STORAGE_RESOURCE_GROUP # optional, specified when the storage account is not under AKS node resource group(which is prefixed with "MC_") | ||
| # tenantID: $IDENTITY_TENANT #optional, only specified when workload identity and AKS cluster are in different tenant | ||
| # subscriptionid: $SUBSCRIPTION #optional, only specified when workload identity and AKS cluster are in different subscription | ||
| --- | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: statefulset-blob | ||
| labels: | ||
| app: nginx | ||
| spec: | ||
| serviceName: statefulset-blob | ||
| replicas: 1 | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: nginx | ||
| spec: | ||
| serviceAccountName: $SERVICE_ACCOUNT_NAME #required, Pod does not use this service account has no permission to mount the volume | ||
| nodeSelector: | ||
| "kubernetes.io/os": linux | ||
| containers: | ||
| - name: statefulset-blob | ||
| image: mcr.microsoft.com/oss/nginx/nginx:1.19.5 | ||
| command: | ||
| - "/bin/bash" | ||
| - "-c" | ||
| - set -euo pipefail; while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done | ||
| volumeMounts: | ||
| - name: persistent-storage | ||
| mountPath: /mnt/blob | ||
| readOnly: false | ||
| updateStrategy: | ||
| type: RollingUpdate | ||
| selector: | ||
| matchLabels: | ||
| app: nginx | ||
| volumeClaimTemplates: | ||
| - metadata: | ||
| name: persistent-storage | ||
| spec: | ||
| storageClassName: blob-fuse | ||
| accessModes: ["ReadWriteMany"] | ||
| resources: | ||
| requests: | ||
| storage: 10Gi | ||
| EOF | ||
| ``` | ||
|
|
||
| ## option#2: Pod with ephemeral inline volume | ||
| ``` | ||
| cat <<EOF | kubectl apply -f - | ||
| kind: Pod | ||
| apiVersion: v1 | ||
| metadata: | ||
| name: nginx-blobfuse-inline-volume | ||
| spec: | ||
| serviceAccountName: $SERVICE_ACCOUNT_NAME #required, Pod does not use this service account has no permission to mount the volume | ||
| nodeSelector: | ||
| "kubernetes.io/os": linux | ||
| containers: | ||
| - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5 | ||
| name: nginx-blobfuse | ||
| command: | ||
| - "/bin/bash" | ||
| - "-c" | ||
| - set -euo pipefail; while true; do echo $(date) >> /mnt/blobfuse/outfile; sleep 1; done | ||
| volumeMounts: | ||
| - name: persistent-storage | ||
| mountPath: "/mnt/blobfuse" | ||
| readOnly: false | ||
| volumes: | ||
| - name: persistent-storage | ||
| csi: | ||
| driver: blob.csi.azure.com | ||
| volumeAttributes: | ||
| storageaccount: $ACCOUNT # required | ||
| containerName: $CONTAINER # required | ||
| clientID: $USER_ASSIGNED_CLIENT_ID # required | ||
| resourcegroup: $STORAGE_RESOURCE_GROUP # optional, specified when the storage account is not under AKS node resource group(which is prefixed with "MC_") | ||
| # tenantID: $IDENTITY_TENANT # optional, only specified when workload identity and AKS cluster are in different tenant | ||
| # subscriptionid: $SUBSCRIPTION # optional, only specified when workload identity and AKS cluster are in different subscription | ||
| EOF | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters