Create PV with Authentication
IOMesh allows for volume authentication using Kubernetes secret. Authentication is implemented per StorageClass, and it requires configuration of a secret for authentication along with a secret providing authentication information in the StorageClass.
Every time a pod declares the use of an authenticated PVC, the PVC will only be allowed for use if the two secrets match exactly.
Precautions
- Since authentication is implemented through iSCSI CHAP, the secret password must be 12-16 characters long according to the password length requirements of the CHAP protocol.
- To ensure that a StorageClass with configured secrets is accessible only to intended users, Role-Based Access Control (RBAC) is necessary. This is because StorageClass is not an object limited to a specific namespace, and some versions of Kubernetes allow all namespaces to access all StorageClasses.
Procedure
Create a secret for PV authentication.
In the following command, replace
iomesh
with the username,iomesh-system
with the namespace where your IOMesh cluster resides, andabcdefghijklmn
with the password.kubectl create secret generic volume-secret -n iomesh-system --from-literal=username=iomesh --from-literal=password=abcdefghijklmn
Create a secret that provides authentication information. Its username and password remain the same as the secret in step 1.
kubectl create secret generic user-secret -n user-namespace --from-literal=username=iomesh --from-literal=password=abcdefghijklmn
Create a StorageClass. Enable PV authentication and specify the secrets as instructed below.
# Source: authenticate-sc.yaml kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: per-storageclass-auth provisioner: com.iomesh.csi-driver reclaimPolicy: Delete allowVolumeExpansion: true parameters: csi.storage.k8s.io/fstype: "ext4" replicaFactor: "2" thinProvision: "true" # Enable PV authentication. auth: "true" # The secret for PV authentication. csi.storage.k8s.io/controller-publish-secret-name: volume-secret csi.storage.k8s.io/controller-publish-secret-namespace: iomesh-system # The secret that provides authentication information, which will be fetched from the `annotation` field of the PVC. csi.storage.k8s.io/node-stage-secret-name: ${pvc.annotations['iomesh.com/key']} csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
kubectl apply -f authenticate-sc.yaml
Field Description csi.storage.k8s.io/controller-publish-secret-name
The secret created in Step 1 for PV authentication. csi.storage.k8s.io/controller-publish-secret-namespace
The namespace where the secret in Step 1 resides. csi.storage.k8s.io/node-stage-secret-name
The secret created in Step 2, which provides authentication information. csi.storage.k8s.io/node-stage-secret-namespace
The namespace where the secret in Step 2 resides. Create a PVC and specify
annotations.iomesh.com/key
with the secret created in Step 2.# Source: authenticate-pvc.yaml kind: PersistentVolumeClaim apiVersion: v1 metadata: name: user-pvc namespace: user-namespace # Specify the secret created in Step 2. annotations: iomesh.com/key: user-secret spec: storageClassName: per-storageclass-auth accessModes: - ReadWriteOnce resources: requests: storage: 2Gi
kubectl apply -f authenticate-pvc.yaml