Azure Files Static Persistent Volume using Managed Identity

The Azure Files CSI driver is compliant with the CSI specification and is used by AKS to manage the lifecycle of Azure file shares attached to pods as PersistentVolumes.

In this sample we will statically create a PersistentVolume backed by an existing Azure Files share, using a managed identity. Managed identities can authorize access to the file share from the AKS cluster using Azure AD credentials. By using a managed identity, you avoid storing the storage account key as a Kubernetes secret in the AKS cluster.

Setup

  1. Set environment defaults.

    SUBSCRIPTION_ID=<my-subscription-id>
    RESOURCE_GROUP=<my-aks-rg>
    LOCATION=eastus2
    CLUSTER_NAME=<my-aks-cluster>
    STORAGE_ACCOUNT=<my-storage-account>
    FILE_SHARE=<my-file-share>
  2. Create an AKS cluster with Kubernetes version 1.21, the Azure CNI network plugin and managed identity enabled.

    az group create \
        --name $RESOURCE_GROUP \
        --location $LOCATION
    
    az aks create \
        --resource-group $RESOURCE_GROUP \
        --name $CLUSTER_NAME \
        --enable-managed-identity \
        --network-plugin azure \
        --kubernetes-version 1.21.2
  3. Create a general-purpose storage account and a file share.

    az storage account create \
        --resource-group $RESOURCE_GROUP \
        --name $STORAGE_ACCOUNT \
        --location $LOCATION \
        --encryption-services file
    # Create the share (the original used `update`, which fails when the share does not yet exist);
    # --quota is an integer number of GiB.
    az storage share create \
        --name $FILE_SHARE \
        --account-name $STORAGE_ACCOUNT \
        --quota 1

Create Static Persistent Volume using Kubelet Identity

  1. Get the kubelet identity used by the AKS cluster agent pools.

    KUBELET_IDENTITY=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query identityProfile.kubeletidentity.objectId -o tsv)
  2. Get the storage account resource ID.

    STORAGE_RESOURCE_ID=$(az storage account show -g ${RESOURCE_GROUP} -n ${STORAGE_ACCOUNT} --query id -o tsv)
  3. Assign the kubelet identity the Storage Account Key Operator Service Role and Reader roles, scoped to the storage account.

    az role assignment create \
        --assignee ${KUBELET_IDENTITY} \
        --role 'Storage Account Key Operator Service Role' \
        --scope ${STORAGE_RESOURCE_ID}
    
    az role assignment create \
        --assignee ${KUBELET_IDENTITY} \
        --role 'Reader' \
        --scope ${STORAGE_RESOURCE_ID}
  4. Review the manifest file manifests/5-azure-files-csi-static-mi.yaml to ensure the PersistentVolume has a csi section with the driver set to file.csi.azure.com.

  5. In the manifest, replace the placeholders ${RESOURCE_GROUP} and ${FILE_SHARE} with the values specified above, then apply the manifest.

    kubectl apply -f manifests/5-azure-files-csi-static-mi.yaml -n csi-test
    OUTPUT:
    
    persistentvolume/azure-file-static-mi created
    persistentvolumeclaim/azure-file-static-mi created
    deployment.apps/1-azure-file-static-mi created
    deployment.apps/2-azure-file-static-mi created
    
  6. Check whether the resources are provisioned correctly and running.

    kubectl get pod,pv,pvc -n csi-test -l app.kubernetes.io/name=csi-test
    OUTPUT:
    
    NAME                                         READY   STATUS    RESTARTS   AGE
    pod/1-azure-file-static-mi-f66f9f956-jtpc8   1/1     Running   0          37s
    pod/2-azure-file-static-mi-cfc95bfc5-2jrbr   1/1     Running   0          37s
    
    NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                                STORAGECLASS   REASON   AGE
    persistentvolume/pv-azure-file-static-mi   1Gi        RWX            Retain           Bound    csi-test/pvc-azure-file-static-mi                            39s
    
    NAME                                             STATUS   VOLUME                    CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    persistentvolumeclaim/pvc-azure-file-static-mi   Bound    pv-azure-file-static-mi   1Gi        RWX                           38s
    
  7. Verify that the persistent volume type is CSI and the driver is file.csi.azure.com. The other properties should match the manifest file.

    kubectl describe persistentvolume/pv-azure-file-static-mi -n csi-test
  8. Test the persistent volume for read-write operations on the first pod. The persistent volume is mounted at the /data path.

    kubectl exec -it $(kubectl get pod -n csi-test -l app.kubernetes.io/name=csi-test -o jsonpath='{.items[0].metadata.name}') -n csi-test -- sh
    
    / # ls
    bin        data       dev        etc        home       proc       root       sys        tmp        usr        var
    / # cd data/
    /data # echo "Hello world AKS-CSI from Pod 1 !" > csi-test1
    /data # ls
    csi-test1
    /data # cat csi-test1
    Hello world AKS-CSI from Pod 1 !
    /data # exit
  9. Test the persistent volume for read-write operations on the second pod. The persistent volume is mounted at the /data path.

    kubectl exec -it $(kubectl get pod -n csi-test -l app.kubernetes.io/name=csi-test -o jsonpath='{.items[1].metadata.name}') -n csi-test -- sh
    
    / # ls
    bin   data  dev   etc   home  proc  root  sys   tmp   usr   var
    / # cd data/
    /data # ls
    csi-test1
    /data # cat csi-test1
    Hello world AKS-CSI from Pod 1 !
    /data # echo "Hello world AKS-CSI from Pod 2 !" > csi-test2
    /data # ls
    csi-test1  csi-test2
    /data # cat csi-test2
    Hello world AKS-CSI from Pod 2 !
    /data # exit
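As an added check that is not part of the original sample, the following POSIX sh script audits the role assignments granted to the kubelet identity in step 3: that identity is shared by every pod scheduled on the node pool, so it should hold only the two roles above and only at the storage account scope. The live wrapper assumes a logged-in az CLI and the KUBELET_IDENTITY and STORAGE_RESOURCE_ID variables from steps 1 and 2; the rows in demo_audit are constructed.

```shell
# Added audit helper, not part of the original sample. The kubelet identity is
# shared by every pod scheduled on the node pool, so it should hold only the two
# roles assigned in step 3 and only at the storage account scope.

# Roles this walkthrough expects on the storage account, one per line.
expected_roles() {
    printf '%s\n' 'Storage Account Key Operator Service Role' 'Reader'
}

# audit_assignments reads "roleDefinitionName<TAB>scope" lines on stdin (the
# shape produced by the az query in audit_kubelet_identity) and prints every
# assignment that is not an expected role at exactly $1, the storage account
# resource id. Returns 0 when all rows are expected, 1 when any is not.
audit_assignments() {
    wanted_scope=$1
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r role scope; do
        if [ -z "$role" ]; then continue; fi
        if [ "$scope" != "$wanted_scope" ]; then
            printf 'UNEXPECTED SCOPE: %s at %s\n' "$role" "$scope"
            bad=1
        elif ! expected_roles | grep -qxF -- "$role"; then
            printf 'UNEXPECTED ROLE: %s at %s\n' "$role" "$scope"
            bad=1
        fi
    done
    return $bad
}

# Live check: assumes a logged-in az CLI and KUBELET_IDENTITY / STORAGE_RESOURCE_ID
# from steps 1 and 2 of the walkthrough. Prints nothing when the assignments are
# exactly as expected.
audit_kubelet_identity() {
    az role assignment list --assignee "$KUBELET_IDENTITY" --all \
        --query '[].[roleDefinitionName, scope]' -o tsv \
        | audit_assignments "$STORAGE_RESOURCE_ID"
}

# Offline demonstration on constructed rows: the third row is a drifted
# Contributor assignment at resource group scope, which the audit must flag.
demo_audit() {
    sid='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-aks-rg/providers/Microsoft.Storage/storageAccounts/mystorageacct'
    printf '%s\t%s\n' 'Storage Account Key Operator Service Role' "$sid" \
        'Reader' "$sid" \
        'Contributor' '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-aks-rg' \
        | audit_assignments "$sid"
}
```

Run `audit_kubelet_identity` after step 3 and again periodically; any printed line is an assignment outside the walkthrough's least-privilege setup.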

Troubleshooting

  • For a permission denied error while mounting the Azure Files share, refer to the troubleshooting instructions here

Clean-up

Delete the resources created in csi-test namespace.

kubectl delete namespace csi-test

Delete the resource group.

az group delete --name $RESOURCE_GROUP