
Volume types by column (Temp / Local / Network):

Temp:
● emptyDir

Local:
● hostPath

Network:
● GlusterFS
● CephRBD
● gitRepo
● secret
● flocker
● gcePersistentDisk
● AWS ElasticBlockStore (EBS)
● NFS
● iSCSI
● Fibre Channel
● Cinder


VS. Cattle Storage

(Diagram: GLOBAL Persistent Volumes PV123 and PV456; users BOB and SALLY run PODs whose CLAIM REFERENCEs point at PERSISTENT VOLUME CLAIMs PVC001, PVC002 and PVC003.)
Available Provisioners:
● OpenStack Cinder: kubernetes.io/cinder
● AWS Elastic Block Store (EBS): kubernetes.io/aws-ebs
● GCE Persistent Disk (gcePD): kubernetes.io/gce-pd

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dyn-prov-claim
  annotations:
    volume.alpha.kubernetes.io/storage-class: aws-ebs
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
(Diagram: Persistent Volume lifecycle)
● CLAIM REQUEST, then PROVISION: ● MANUAL ● DYNAMIC
● PV + PVC = POD
● PV states: PENDING, AVAILABLE, BOUND, RELEASED, DELETED, FAILURE
● RETAIN PV (default policy)
● FAILURE cases: volume cannot mount, CrashLoopBackOff, timing / vague state
Pod Security Policy (Upstream)

● PSP provides an interface for the security types but enforcement doesn't exist today
● No admission controller

Security Context Constraints (SCC) (OpenShift)

● SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:
  1. Running of privileged containers.
  2. Capabilities a container can request to be added.
  3. Use of host directories as volumes.
  4. The SELinux context of the container.
  5. The user ID.
  6. The use of host namespaces and networking.
  7. Allocating an FSGroup that owns the pod's volumes.
  8. Configuring allowable supplemental groups.
● SCC defined by namespace and can be restricted to specific users
Supplemental groups with NFS (the export is owned by group 1234 on the server, so the pod joins that group):

# ls -ld /opt/nfs   # on NFS server
drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs

apiVersion: v1
kind: Pod
metadata:
  name: nginx-nfs-test
spec:
  containers:
  - name: nginx-nfs-test
    image: fedora/nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: nginx-nfs
      mountPath: /usr/share/nginx/html/test
  securityContext:
    supplementalGroups: [1234]
  volumes:
  - name: nginx-nfs
    persistentVolumeClaim:
      claimName: nfs-claim
Currently the list of volumes which support ownership management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo

apiVersion: v1
kind: Pod
metadata:
  name: rbd-web
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: ceph-rbd
      mountPath: "/usr/share/nginx/html"
  securityContext:
    fsGroup: 1234
  volumes:
  - name: ceph-rbd
    rbd:
      monitors:
      - 192.168.122.133:6789
      pool: rbd
      image: foo
      user: admin
      secretRef:
        name: ceph-secret
      fsType: ext4
      readOnly: false
Currently the list of volumes which support SELinux management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
● Fibre Channel

apiVersion: v1
kind: Pod
metadata:
  name: ebs-web
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: ebs-volume
      mountPath: "/usr/share/nginx/html"
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
  - name: ebs-volume
    awsElasticBlockStore:
      volumeID: <VOLUME ID>
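The SCC controls listed above (privileged containers, host directories as volumes, the SELinux context, the FSGroup and the allowable supplemental groups) as an added admission-style check in Python; this is not code from the slides, Kubernetes or OpenShift, and the constraint set and both pod manifests are constructed sample data that reuse the gid 1234 and SELinux level from the manifests above.

```python
# Added example (not code from the slides, OpenShift or Kubernetes): a minimal
# SCC-style admission check over a pod manifest, covering a subset of the
# controls listed above: privileged containers (1), hostPath volumes (3), the
# SELinux level (4), the fsGroup range (7) and supplementalGroups ranges (8).
# The constraint values and the two pods below are constructed sample data.

def check_pod(pod, scc):
    """Return a list of violations; an empty list means the pod is admitted."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})         # pod-level securityContext
    violations = []
    for c in spec.get("containers", []):          # 1. privileged containers
        if c.get("securityContext", {}).get("privileged") and not scc["allowPrivileged"]:
            violations.append(f"container {c['name']}: privileged not allowed")
    for v in spec.get("volumes", []):             # 3. host directories as volumes
        if "hostPath" in v and not scc["allowHostPath"]:
            violations.append(f"volume {v['name']}: hostPath not allowed")
    level = psc.get("seLinuxOptions", {}).get("level")   # 4. SELinux context
    if scc["seLinuxLevel"] and level != scc["seLinuxLevel"]:
        violations.append(f"seLinux level {level!r} != {scc['seLinuxLevel']!r}")
    lo, hi = scc["fsGroupRange"]                  # 7. FSGroup owning the volumes
    fs = psc.get("fsGroup")
    if fs is not None and not lo <= fs <= hi:
        violations.append(f"fsGroup {fs} outside {lo}-{hi}")
    lo, hi = scc["supplementalGroupsRange"]       # 8. allowable supplemental groups
    for g in psc.get("supplementalGroups", []):
        if not lo <= g <= hi:
            violations.append(f"supplementalGroup {g} outside {lo}-{hi}")
    return violations

# Constructed constraint set; the ranges cover the gid 1234 used in the manifests above.
SCC = {"allowPrivileged": False, "allowHostPath": False,
       "seLinuxLevel": "s0:c123,c456",
       "fsGroupRange": (1000, 1999), "supplementalGroupsRange": (1000, 1999)}

# Constructed pod in the spirit of the rbd-web manifest above: admitted.
GOOD_POD = {"spec": {
    "containers": [{"name": "web", "image": "nginx"}],
    "securityContext": {"fsGroup": 1234, "supplementalGroups": [1234],
                        "seLinuxOptions": {"level": "s0:c123,c456"}},
    "volumes": [{"name": "ceph-rbd", "rbd": {"pool": "rbd", "image": "foo"}}]}}

# Constructed pod that trips all five checks: rejected with five violations.
BAD_POD = {"spec": {
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"privileged": True}}],
    "securityContext": {"fsGroup": 0, "supplementalGroups": [1234, 4321]},
    "volumes": [{"name": "host", "hostPath": {"path": "/opt/nfs"}}]}}
```

A real SCC also carries the capability, user ID and host namespace controls from the list above; those are left out here to keep the check short.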
