Persistent storage using AWS Elastic Block Store

OKD supports AWS Elastic Block Store volumes (EBS). You can provision your OKD cluster with persistent storage by using Amazon EC2.

The Kubernetes persistent volume framework allows administrators to provision a cluster with persistent storage and gives users a way to request those resources without having any knowledge of the underlying infrastructure. You can dynamically provision AWS EBS volumes. Persistent volumes are not bound to a single project or namespace; they can be shared across the OKD cluster. Persistent volume claims are specific to a project or namespace and can be requested by users. You can define a KMS key to encrypt container-persistent volumes on AWS.

OKD defaults to using an in-tree, or non-Container Storage Interface (CSI) plug-in to provision AWS EBS storage. In future OKD versions, volumes provisioned using existing in-tree plug-ins are planned for migration to their equivalent CSI driver.

CSI automatic migration should be seamless. Migration does not change how you use all existing API objects, such as persistent volumes, persistent volume claims, and storage classes. For more information about migration, see CSI automatic migration.

After full migration, in-tree plugins will eventually be removed in future versions of OKD.

High-availability of storage in the infrastructure is left to the underlying storage provider.

For OKD, automatic migration from AWS EBS in-tree to the Container Storage Interface (CSI) driver is available as a Technology Preview (TP) feature. With migration enabled, volumes provisioned using the existing in-tree driver are automatically migrated to use the AWS EBS CSI driver. For more information, see CSI automatic migration feature.

Creating the EBS storage class

Storage classes are used to differentiate and delineate storage levels and usages. By defining a storage class, users can obtain dynamically provisioned persistent volumes.

Creating the persistent volume claim

Prerequisites

Storage must exist in the underlying infrastructure before it can be mounted as a volume in OKD.

Procedure

  1. In the OKD console, click StoragePersistent Volume Claims.

  2. In the persistent volume claims overview, click Create Persistent Volume Claim.

  3. Define the desired options on the page that appears.

    1. Select the previously-created storage class from the drop-down menu.

    2. Enter a unique name for the storage claim.

    3. Select the access mode. This selection determines the read and write access for the storage claim.

    4. Define the size of the storage claim.

  4. Click Create to create the persistent volume claim and generate a persistent volume.

Volume format

Before OKD mounts the volume and passes it to a container, it checks that the volume contains a file system as specified by the fsType parameter in the persistent volume definition. If the device is not formatted with the file system, all data from the device is erased and the device is automatically formatted with the given file system.

This verification enables you to use unformatted AWS volumes as persistent volumes, because OKD formats them before the first use.

Maximum number of EBS volumes on a node

By default, OKD supports a maximum of 39 EBS volumes attached to one node. This limit is consistent with the AWS volume limits. The volume limit depends on the instance type.

As a cluster administrator, you must use either in-tree or Container Storage Interface (CSI) volumes and their respective storage classes, but never both volume types at the same time. The maximum attached EBS volume number is counted separately for in-tree and CSI volumes, which means you could have up to 39 EBS volumes of each type.

For information about accessing additional storage options, such as volume snapshots, that are not possible with in-tree volume plug-ins, see AWS Elastic Block Store CSI Driver Operator.

Encrypting container persistent volumes on AWS with a KMS key

Defining a KMS key to encrypt container-persistent volumes on AWS is useful when you have explicit compliance and security guidelines when deploying to AWS.

Prerequisites

  • Underlying infrastructure must contain storage.

  • You must create a customer KMS key on AWS.

Procedure

  1. Create a storage class:

    1. $ cat << EOF | oc create -f -
    2. apiVersion: storage.k8s.io/v1
    3. kind: StorageClass
    4. metadata:
    5.   name: <storage-class-name> (1)
    6. parameters:
    7.   fsType: ext4 (2)
    8.   encrypted: "true"
    9.   kmsKeyId: keyvalue (3)
    10. provisioner: ebs.csi.aws.com
    11. reclaimPolicy: Delete
    12. volumeBindingMode: WaitForFirstConsumer
    13. EOF
    1Specifies the name of the storage class.
    2File system that is created on provisioned volumes.
    3Specifies the full Amazon Resource Name (ARN) of the key to use when encrypting the container-persistent volume. If you do not provide any key, but the encrypted field is set to true, then the default KMS key is used. See Finding the key ID and key ARN on AWS in the AWS documentation.

  2. Create a persistent volume claim (PVC) with the storage class specifying the KMS key:

    1. $ cat << EOF | oc create -f -
    2. apiVersion: v1
    3. kind: PersistentVolumeClaim
    4. metadata:
    5.   name: mypvc
    6. spec:
    7.   accessModes:
    8.     - ReadWriteOnce
    9.   volumeMode: Filesystem
    10.   storageClassName: <storage-class-name>
    11.   resources:
    12.     requests:
    13.       storage: 1Gi
    14. EOF

  3. Create workload containers to consume the PVC:

    1. $ cat << EOF | oc create -f -
    2. kind: Pod
    3. metadata:
    4.   name: mypod
    5. spec:
    6.   containers:
    7.     - name: httpd
    8.       image: quay.io/centos7/httpd-24-centos7
    9.       ports:
    10.         - containerPort: 80
    11.       volumeMounts:
    12.         - mountPath: /mnt/storage
    13.           name: data
    14.   volumes:
    15.     - name: data
    16.       persistentVolumeClaim:
    17.         claimName: mypvc
    18. EOF

Additional resources