From fbdc704a57792ad349b8a409c360daf40d5b31ed Mon Sep 17 00:00:00 2001
From: Jonathan Dobson
Date: Tue, 16 Aug 2022 14:19:26 -0600
Subject: [PATCH 1/5] blog: CSI Inline Volumes goes GA

---
 .../2022-08-16-csi-inline-volumes-ga.md | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md

diff --git a/content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md b/content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md
new file mode 100644
index 0000000000000..46399b5189c28
--- /dev/null
+++ b/content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md
@@ -0,0 +1,98 @@
+---
+layout: blog
+title: "Kubernetes 1.25: CSI Inline Volumes have graduated to GA"
+date: 2022-08-16
+slug: csi-inline-volumes-ga
+---
+
+**Author:** Jonathan Dobson (Red Hat)
+
+CSI Inline Volumes were introduced as an alpha feature in Kubernetes 1.15 and have been beta since 1.16. We are happy to announce that this feature has graduated to General Availability (GA) status in Kubernetes 1.25.
+
+CSI Inline Volumes are similar to other ephemeral volume types, such as `configMap`, `downwardAPI` and `secret`. The important difference is that the storage is provided by a CSI driver, which allows the use of ephemeral storage provided by third-party vendors. The volume is defined as part of the pod spec and follows the lifecycle of the pod, meaning the volume is created once the pod is scheduled and destroyed when the pod is destroyed.
+
+## What's new in 1.25?
+
+There are a couple of new bug fixes related to this feature in 1.25, and the [CSIInlineVolume feature gate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/) has been locked to `True` with the graduation to GA. There are no new API changes, so users of this feature during beta should not notice any significant changes aside from these bug fixes.
+
+- [#89290 - CSI inline volumes should support fsGroup](https://github.com/kubernetes/kubernetes/issues/89290)
+- [#79980 - CSI volume reconstruction does not work for ephemeral volumes](https://github.com/kubernetes/kubernetes/issues/79980)
+
+## When to use this feature
+
+CSI inline volumes are meant for simple local volumes that should follow the lifecycle of the pod. They may be useful for providing secrets, configuration data, or other special-purpose storage to the pod from a CSI driver.
+
+A CSI driver is not suitable for inline use when:
+- The volume needs to persist longer than the lifecycle of a pod
+- Volume snapshots, cloning, or volume expansion are required
+- The CSI driver requires `volumeAttributes` that should be restricted to an administrator
+
+## How to use this feature
+
+In order to use this feature, the `CSIDriver` spec must explicitly list `Ephemeral` as one of the supported `volumeLifecycleModes`. Here is a simple example from the [CSI host-path driver](https://github.com/kubernetes-csi/csi-driver-host-path).
+
+```
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: hostpath.csi.k8s.io
+spec:
+ volumeLifecycleModes:
+ - Persistent
+ - Ephemeral
+ podInfoOnMount: true
+ fsGroupPolicy: File
+```
+
+Any pod spec may then reference that CSI driver to create an inline volume, as in this example.
+
+```
+kind: Pod
+apiVersion: v1
+metadata:
+ name: my-csi-app-inline
+spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.hostpath.csi/node
+ operator: Exists
+ containers:
+ - name: my-frontend
+ image: busybox
+ volumeMounts:
+ - mountPath: "/data"
+ name: my-csi-volume
+ command: [ "sleep", "1000000" ]
+ volumes:
+ - name: my-csi-volume
+ csi:
+ driver: hostpath.csi.k8s.io
+```
+
+If the driver supports any volume attributes, these may also be provided as part of the pod spec.
+
+```
+ csi:
+ driver: example.csi.k8s.io
+ volumeAttributes:
+ foo: bar
+```
+
+## Security Considerations
+
+Special consideration should be given to which CSI drivers may be used as inline volumes. `volumeAttributes` are typically controlled through the `StorageClass`, and may contain attributes that should remain restricted to the cluster administrator. Allowing a CSI driver to be used for inline ephmeral volumes means that any user with permission to create pods may also provide `volumeAttributes` to the driver through a pod spec.
+
+Cluster administrators may choose to remove `Ephemeral` from `volumeLifecycleModes` in the CSIDriver spec to prevent the driver from being used as an inline ephemeral volume, or use an [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to restrict how the driver is used.
+
+## References
+
+For more information on this feature, see:
+
+- [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volumes)
+- [CSI documentation](https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html)
+- [KEP-596](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/596-csi-inline-volumes/README.md)
+- [Beta blog post for CSI Inline Volumes](https://kubernetes.io/blog/2020/01/21/csi-ephemeral-inline-volumes/)
+

From 4deaa6fdbce2c9db765cd8ce991de8201a49c260 Mon Sep 17 00:00:00 2001
From: Jonathan Dobson
Date: Tue, 16 Aug 2022 15:15:08 -0600
Subject: [PATCH 2/5] CSI Inline Volumes: update blog date

---
 ...inline-volumes-ga.md => 2022-08-29-csi-inline-volumes-ga.md} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename content/en/blog/_posts/{2022-08-16-csi-inline-volumes-ga.md => 2022-08-29-csi-inline-volumes-ga.md} (99%)

diff --git a/content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
similarity index 99%
rename from content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md
rename to content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
index 46399b5189c28..f3eeae5e507e9 100644
--- a/content/en/blog/_posts/2022-08-16-csi-inline-volumes-ga.md
+++ b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
@@ -1,7 +1,7 @@
 ---
 layout: blog
 title: "Kubernetes 1.25: CSI Inline Volumes have graduated to GA"
-date: 2022-08-16
+date: 2022-08-29
 slug: csi-inline-volumes-ga
 ---
 

From 53c6ce99e506116b4cb63c3d97181c87a2380f35 Mon Sep 17 00:00:00 2001
From: Jonathan Dobson
Date: Fri, 19 Aug 2022 16:11:50 -0600
Subject: [PATCH 3/5] CSI Inline Volumes: add example use cases

---
 .../en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
index f3eeae5e507e9..3c627e9cdd8b3 100644
--- a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
+++ b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
@@ -81,6 +81,14 @@ If the driver supports any volume attributes, these may also be provided as part
 foo: bar
 ```
 
+## Example Use Cases
+
+Two existing CSI drivers that support the `Ephemeral` volume lifecycle mode are the Secrets Store CSI Driver and the Cert-Manager CSI Driver.
+
+The [Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) allows users to mount secrets from external secret stores into a pod as an inline volume. This can be useful when the secrets are stored in an external managed service or Vault instance.
+
+The [Cert-Manager CSI Driver](https://github.com/cert-manager/csi-driver) works along with [cert-manager](https://cert-manager.io/) to seamlessly request and mount certificate key pairs into a pod. This allows the certificates to be renewed and updated in the application pod automatically.
+
 ## Security Considerations
 
 Special consideration should be given to which CSI drivers may be used as inline volumes. `volumeAttributes` are typically controlled through the `StorageClass`, and may contain attributes that should remain restricted to the cluster administrator. Allowing a CSI driver to be used for inline ephmeral volumes means that any user with permission to create pods may also provide `volumeAttributes` to the driver through a pod spec.

From f89fffd242c4cf50f14784a4923b42f301e6edb8 Mon Sep 17 00:00:00 2001
From: Jonathan Dobson
Date: Tue, 23 Aug 2022 20:59:37 -0600
Subject: [PATCH 4/5] CSI Inline Volumes: apply suggestions from code review

Co-authored-by: Tim Bannister
---
 content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
index 3c627e9cdd8b3..2b62e5a0560d3 100644
--- a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
+++ b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
@@ -72,11 +72,11 @@ spec:
 driver: hostpath.csi.k8s.io
 ```
 
-If the driver supports any volume attributes, these may also be provided as part of the pod spec.
+If the driver supports any volume attributes, you can provide these as part of the `spec` for the Pod as well:
 
 ```
 csi:
- driver: example.csi.k8s.io
+ driver: block.csi.vendor.example
 volumeAttributes:
 foo: bar
 ```
@@ -93,7 +93,7 @@ The [Cert-Manager CSI Driver](https://github.com/cert-manager/csi-driver) works
 
 Special consideration should be given to which CSI drivers may be used as inline volumes. `volumeAttributes` are typically controlled through the `StorageClass`, and may contain attributes that should remain restricted to the cluster administrator. Allowing a CSI driver to be used for inline ephmeral volumes means that any user with permission to create pods may also provide `volumeAttributes` to the driver through a pod spec.
 
-Cluster administrators may choose to remove `Ephemeral` from `volumeLifecycleModes` in the CSIDriver spec to prevent the driver from being used as an inline ephemeral volume, or use an [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to restrict how the driver is used.
+Cluster administrators may choose to omit (or remove) `Ephemeral` from `volumeLifecycleModes` in the CSIDriver spec to prevent the driver from being used as an inline ephemeral volume, or use an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/) to restrict how the driver is used.
 
 ## References
 

From e0c9f4312a08e9013f20dbefa8bc2442537afce5 Mon Sep 17 00:00:00 2001
From: Jonathan Dobson
Date: Tue, 23 Aug 2022 21:24:08 -0600
Subject: [PATCH 5/5] CSI Inline Volumes: secret store csi driver example

---
 .../2022-08-29-csi-inline-volumes-ga.md | 28 ++++++++-----------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
index 2b62e5a0560d3..ef2a12315c586 100644
--- a/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
+++ b/content/en/blog/_posts/2022-08-29-csi-inline-volumes-ga.md
@@ -29,19 +29,18 @@ A CSI driver is not suitable for inline use when:
 
 ## How to use this feature
 
-In order to use this feature, the `CSIDriver` spec must explicitly list `Ephemeral` as one of the supported `volumeLifecycleModes`. Here is a simple example from the [CSI host-path driver](https://github.com/kubernetes-csi/csi-driver-host-path).
+In order to use this feature, the `CSIDriver` spec must explicitly list `Ephemeral` as one of the supported `volumeLifecycleModes`. Here is a simple example from the [Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver).
 
 ```
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
- name: hostpath.csi.k8s.io
+ name: secrets-store.csi.k8s.io
 spec:
+ podInfoOnMount: true
+ attachRequired: false
 volumeLifecycleModes:
- - Persistent
 - Ephemeral
- podInfoOnMount: true
- fsGroupPolicy: File
 ```
 
 Any pod spec may then reference that CSI driver to create an inline volume, as in this example.
@@ -52,24 +51,21 @@ apiVersion: v1
 metadata:
 name: my-csi-app-inline
 spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.hostpath.csi/node
- operator: Exists
 containers:
 - name: my-frontend
 image: busybox
 volumeMounts:
- - mountPath: "/data"
- name: my-csi-volume
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
 command: [ "sleep", "1000000" ]
 volumes:
- - name: my-csi-volume
+ - name: secrets-store-inline
 csi:
- driver: hostpath.csi.k8s.io
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "my-provider"
 ```
 
 If the driver supports any volume attributes, you can provide these as part of the `spec` for the Pod as well: