Mounting Volumes on Privileged Pods


    Persistent volumes can be mounted to pods with the privileged security context constraint (SCC) attached.

    Prerequisites

    • An existing Gluster volume.

    • glusterfs-fuse installed on all hosts.

    • Definitions for GlusterFS:

      • Service and endpoints: gluster-endpoints-service.yaml and gluster-endpoints.yaml

      • Persistent volume: gluster-pv.yaml

      • Persistent volume claim: gluster-pvc.yaml

    • A user with the cluster-admin role binding. For this guide, that user is called admin.

    Creating the PersistentVolume makes the storage claimable by users in any project, because PersistentVolumes are cluster-scoped rather than project-scoped.

    1. As the admin, create the service, endpoint object, and persistent volume from the definition files:

         $ oc create -f gluster-endpoints-service.yaml
         $ oc create -f gluster-endpoints.yaml
         $ oc create -f gluster-pv.yaml

    2. Verify that the objects were created:

         $ oc get svc
         NAME              CLUSTER_IP      EXTERNAL_IP   PORT(S)   SELECTOR   AGE
         gluster-cluster   172.30.151.58   <none>        1/TCP     <none>     24s

         $ oc get endpoints
         NAME              ENDPOINTS                           AGE
         gluster-cluster   192.168.59.102:1,192.168.59.103:1   2m

         $ oc get pv
         NAME                     LABELS   CAPACITY   ACCESSMODES   STATUS      CLAIM   REASON   AGE
         gluster-default-volume   <none>   2Gi        RWX           Available                    2d

    Creating a Regular User

    Adding a regular user to the privileged SCC (or to a group that has been granted the SCC) allows them to run privileged pods. A privileged container runs with full access to the host, so this grant is equivalent to giving the user root on any node the pod is scheduled to; give it only to users you would trust with that, and revoke it with oc adm policy remove-scc-from-user privileged <username> when it is no longer needed:

    1. As the admin, add the user to the SCC:

         $ oc adm policy add-scc-to-user privileged <username>

    2. Log in as the regular user:

         $ oc login -u <username>

    3. Create a new project:

         $ oc new-project <project_name>
    4. As the regular user, create the PersistentVolumeClaim that binds to the volume:

         $ oc create -f gluster-pvc.yaml -n <project_name>

    5. Write a pod definition that mounts the claim and requests a privileged container:

       Example 1. Pod Definition

         apiVersion: v1
         kind: Pod
         metadata:
           name: gluster-nginx-priv
         spec:
           containers:
             - name: gluster-nginx-priv
               image: <image>
               volumeMounts:
                 - mountPath: /mnt/gluster (1)
                   name: gluster-volume-claim
               securityContext:
                 privileged: true   # admitted only because the user holds the privileged SCC
           volumes:
             - name: gluster-volume-claim
               persistentVolumeClaim:
                 claimName: gluster-claim (2)

       (1) Volume mount within the pod.
       (2) gluster-claim must match the name of the PersistentVolumeClaim created from gluster-pvc.yaml, not the name of the PersistentVolume; the claim is what links the pod to the volume.

    6. Upon pod creation, the mount directory is created and the volume is attached to that mount point.

       As the regular user, create the pod from the definition:

         $ oc create -f gluster-S3-pod.yaml

    7. Verify that the pod was created successfully:

         $ oc get pods

       It can take several minutes for the pod to reach the Running state.

    Verifying the Setup

    1. Export the pod configuration:

         $ oc get -o yaml --export pod <pod_name>

       The --export flag has been removed from newer oc and kubectl clients; on those, omit it.

    2. Examine the output. Check that the openshift.io/scc annotation has the value privileged. Admission stamps this annotation with the SCC that validated the pod, so any other value (for example restricted) means the pod was not admitted as privileged:

       Example 2. Export Snippet

         metadata:
           annotations:
             openshift.io/scc: privileged

    Verifying the Mount

    1. Access the pod and check that the volume is mounted:

         $ oc rsh <pod_name>

       Inside the pod, run mount and confirm that /mnt/gluster appears as a fuse.glusterfs mount rather than as an empty directory on the container's own filesystem.
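The checks in "Verifying the Setup" and "Verifying the Mount" are done by eye above. The following shell script is an added example, not part of the OpenShift documentation: it parses the exported pod YAML for the openshift.io/scc annotation, parses the pod's mount table for a fuse.glusterfs entry at /mnt/gluster, and audits which users are still bound directly to the privileged SCC (the grant is cluster-wide and outlives the project). The pod name and mount path are the page's; the REG_USER and PROJECT values, the use of /proc/mounts inside the pod, and the SAMPLE_* strings at the bottom are constructed assumptions. Only the offline checks run when no oc client is present.

```shell
#!/usr/bin/env bash
# Added example; not from the OpenShift docs. Pod name and mount path match the page.
# REG_USER, PROJECT and the SAMPLE_* strings are constructed assumptions.
set -eu

REG_USER=${REG_USER:-developer}   # the regular user who was added to the privileged SCC
PROJECT=${PROJECT:-gluster-demo}
POD=gluster-nginx-priv
MOUNT_POINT=/mnt/gluster

# Exported pod YAML on stdin: succeed only if openshift.io/scc is exactly "privileged".
scc_is_privileged() {
  grep -Eq '^[[:space:]]*openshift\.io/scc:[[:space:]]*privileged[[:space:]]*$'
}

# /proc/mounts-style listing on stdin (device mountpoint fstype ...): succeed only if
# a fuse.glusterfs filesystem is mounted at $1. An overlay/ext4 directory there is not enough.
gluster_mounted_at() {
  awk -v p="$1" '$2 == p && $3 == "fuse.glusterfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# $1 = user, $2 = space-separated users field of the SCC (oc get scc privileged -o jsonpath='{.users[*]}').
# Only direct user bindings are checked; group grants are a separate field.
user_in_scc_list() {
  local user=$1 list=$2 u
  for u in $list; do
    [ "$u" = "$user" ] && return 0
  done
  return 1
}

# Live verification against the cluster; called only when an oc client is on PATH.
verify_live() {
  oc get pod "$POD" -n "$PROJECT" -o yaml | scc_is_privileged ||
    { echo "FAIL: $POD was not admitted under the privileged SCC" >&2; return 1; }
  oc rsh -n "$PROJECT" "$POD" cat /proc/mounts | gluster_mounted_at "$MOUNT_POINT" ||
    { echo "FAIL: no fuse.glusterfs mount at $MOUNT_POINT in $POD" >&2; return 1; }
  echo "OK: $POD is privileged and $MOUNT_POINT is a GlusterFS mount"
  if user_in_scc_list "$REG_USER" "$(oc get scc privileged -o jsonpath='{.users[*]}')"; then
    echo "NOTE: $REG_USER is still bound to the privileged SCC;" \
         "revoke with: oc adm policy remove-scc-from-user privileged $REG_USER"
  fi
}

# Constructed stand-ins for the live output, so the checks can be exercised offline.
SAMPLE_POD_YAML='metadata:
  annotations:
    openshift.io/scc: privileged
  name: gluster-nginx-priv'
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
192.168.59.102:gluster-default-volume /mnt/gluster fuse.glusterfs rw,relatime 0 0'

printf '%s\n' "$SAMPLE_POD_YAML" | scc_is_privileged && echo "sample: SCC annotation is privileged"
printf '%s\n' "$SAMPLE_MOUNTS" | gluster_mounted_at "$MOUNT_POINT" && echo "sample: gluster mounted at $MOUNT_POINT"

if command -v oc >/dev/null 2>&1; then
  verify_live
fi
```

The mount check keys on the filesystem type rather than on the directory existing, because the kubelet creates /mnt/gluster before the FUSE mount succeeds; a pod can show the directory and still be writing to its own overlay layer.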