driver-parameters.md

File metadata and controls

163 lines (144 loc) · 16.3 KB

# Driver Parameters

> Parameter names are case-insensitive.

### Required permissions for the CSI driver controller

```
# To grant permissions for the following actions, you need to assign both the "Storage Account Contributor"
# and "Storage Blob Data Contributor" roles to the CSI driver controller.
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/*/delete
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/containers/delete
Microsoft.Storage/operations/read
# these are only necessary if the driver creates the storage account with a private endpoint:
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/privateEndpoints/write
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
Microsoft.Network/privateDnsZones/write
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsOperationStatuses/read
Microsoft.Network/locations/operations/read
```

## Dynamic Provisioning

- blobfuse example
- nfs example

| Name | Meaning | Example | Mandatory | Default value |
|---|---|---|---|---|
| skuName | Azure storage account type (alias: `storageAccountType`) | `Standard_LRS`, `Premium_LRS`, `Standard_GRS`, `Standard_RAGRS`, `Standard_ZRS`, `Premium_ZRS` | No | `Standard_LRS` |
| location | Azure location | `eastus`, `westus`, etc. | No | if empty, driver will use the same location name as the current k8s cluster |
| resourceGroup | Azure resource group name | existing resource group name | No | if empty, driver will use the same resource group name as the current k8s cluster |
| storageAccount | specify Azure storage account name | `STORAGE_ACCOUNT_NAME` | No | When a specific storage account name is not provided, the driver will look for a suitable storage account that matches the account settings within the same resource group. If it fails to find a matching storage account, it will create a new one. However, if a storage account name is specified, the storage account must already exist. |
| protocol | specify blobfuse, blobfuse2 or NFSv3 mount | `fuse`, `fuse2`, `nfs` | No | `fuse` |
| networkEndpointType | specify network endpoint type for the storage account created by the driver. If `privateEndpoint` is specified, a private endpoint will be created for the storage account. For other cases, a service endpoint will be created for the nfs protocol by default. For an AKS cluster, make sure the cluster control plane identity (that is, your AKS cluster name) is added to the Contributor role in the resource group hosting the VNet. | `""`, `privateEndpoint` | No | `""` |
| storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc. | No | if empty, driver will use the default storage endpoint suffix according to cloud environment, e.g. `core.windows.net` |
| containerName | specify the existing container (directory) name | existing container name | No | if empty, driver will create a new container name, starting with `pvc-fuse` for blobfuse or `pvc-nfs` for NFSv3 |
| containerNamePrefix | specify Azure storage directory prefix created by the driver | can only contain lowercase letters, numbers and hyphens, and length should be less than 21 | No | |
| server | specify Azure storage account server address | existing server address, e.g. `accountname.blob.core.chinacloudapi.cn` | No | if empty, driver will use the default Azure storage account server address based on cloud provider config |
| accessTier | Access tier for storage account | Standard account can choose `Hot` or `Cool`; Premium account can only choose `Premium` | No | empty (use default setting for different storage account types) |
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for the storage account created by the driver | `true`, `false` | No | `false` |
| allowSharedKeyAccess | Allow or disallow shared key access for the storage account created by the driver (only applicable for NFS mount or blobfuse mount with managed identity) | `true`, `false` | No | `true` |
| requireInfraEncryption | specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for the storage account created by the driver | `true`, `false` | No | `false` |
| tags | tags would be created in the newly created storage account | tag format: `'foo=aaa,bar=bbb'` | No | `""` |
| matchTags | whether to match tags when the driver tries to find a suitable storage account | `true`, `false` | No | `false` |
| useDataPlaneAPI | specify whether to use the data plane API for blob container create/delete; this could solve the SRP API throttling issue since the data plane API has almost no limit, while it would fail when there is a firewall or vnet setting on the storage account | `true`, `false` | No | `false` |
| --- | **Following parameters are only for blobfuse** | --- | --- | --- |
| subscriptionID | specify Azure subscription ID in which the blob storage directory will be created | Azure subscription ID | No | if not empty, `resourceGroup` must be provided |
| storeAccountKey | Should the storage account key be stored in a Kubernetes secret? (Note: if set to `false`, the driver will use the kubelet identity to obtain the account key) | `true`, `false` | No | `true` |
| getLatestAccountKey | whether to get the latest account key based on the creation time; this driver gets the first key by default | `true`, `false` | No | `false` |
| secretName | specify secret name to store account key | | No | |
| secretNamespace | specify the namespace of the secret to store account key | `default`, `kube-system`, etc. | No | pvc namespace |
| isHnsEnabled | enable Hierarchical namespace for Azure DataLake storage account | `true`, `false` | No | `false` |
| --- | **Following parameters are only for NFS protocol** | --- | --- | --- |
| mountPermissions | mounted folder permissions. The default is `0777`; if set to `0`, driver will not perform chmod after mount | `0777` | No | |
| vnetResourceGroup | specify vnet resource group where the virtual network is | existing resource group name | No | if empty, driver will use the `vnetResourceGroup` value in azure cloud config file |
| vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the `vnetName` value in azure cloud config file |
| subnetName | subnet name | existing subnet name(s) of the agent node; if you want to update service endpoints on multiple subnets, separate them using a comma (`,`) | No | if empty, driver will use the `subnetName` value in azure cloud config file |
| softDeleteBlobs | Enable soft delete for blobs, specify the days to retain deleted blobs | `"7"` | No | Soft Delete Blobs is disabled if empty |
| softDeleteContainers | Enable soft delete for containers, specify the days to retain deleted containers | `"7"` | No | Soft Delete Containers is disabled if empty |
| enableBlobVersioning | Enable blob versioning; cannot be enabled when protocol is `nfs` or `isHnsEnabled` is `true` | `true`, `false` | No | versioning for blobs is disabled if empty |
- fsGroup securityContext setting

  The blobfuse driver does not honor the `fsGroup` securityContext setting; instead, the user could use `-o gid=1000` in `mountOptions` to set ownership. Check here for more mount options.

- To support an Azure DataLake storage account when using blobfuse mount, you'll need to do the following:
  - To create an ADLS account using the driver in dynamic provisioning, specify `isHnsEnabled: "true"` in the storage class parameters.
  - To enable blobfuse access to an ADLS account in static provisioning, specify the mount option `--use-adls=true` in the persistent volume.

- account tags format created by dynamic provisioning

  `k8s-azure-created-by: azure`

- file share name format created by dynamic provisioning (example)

  `pvc-92a4d7f2-f23b-4904-bad4-2cbfcff6e388`

- VolumeID (volumeHandle) is the identifier for the volume handled by the driver. Format of VolumeID: `rg#accountName#containerName#uuid#secretNamespace#subscriptionID`

  `uuid`, `secretNamespace` and `subscriptionID` are optional.
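As an added illustration (not part of the driver's docs), the check below audits a StorageClass `parameters` map against the security-relevant settings in the table above, honouring case-insensitive parameter names. Both parameter maps are constructed samples, and the policy the function encodes is this editor's reading of the table, not something the driver enforces.

```python
import re

# Constructed StorageClass parameter maps (samples, not from the driver's docs):
# a permissive NFS-backed class beside a hardened one.
WEAK_PARAMS = {
    "protocol": "nfs",
    "AllowBlobPublicAccess": "true",          # parameter names are case-insensitive
    "containerNamePrefix": "Team_Data-Archive-2024",
    "enableBlobVersioning": "true",
}
HARDENED_PARAMS = {
    "protocol": "nfs",
    "allowBlobPublicAccess": "false",
    "allowSharedKeyAccess": "false",
    "requireInfraEncryption": "true",
    "networkEndpointType": "privateEndpoint",
    "softDeleteBlobs": "7",
    "softDeleteContainers": "7",
    "containerNamePrefix": "team-archive",
}

# containerNamePrefix: lowercase letters, digits and hyphens, shorter than 21 chars
PREFIX_RE = re.compile(r"^[a-z0-9-]{1,20}$")


def audit_storageclass_params(params):
    """Map each problematic parameter to a finding; an empty dict means clean."""
    p = {k.lower(): v for k, v in params.items()}   # case-insensitive names
    proto = p.get("protocol", "fuse")
    findings = {}
    if p.get("allowblobpublicaccess", "false") != "false":
        findings["allowBlobPublicAccess"] = "anonymous access to blobs/containers is allowed"
    if proto == "nfs" and p.get("allowsharedkeyaccess", "true") != "false":
        findings["allowSharedKeyAccess"] = "shared key auth left enabled on an NFS-only account"
    if p.get("requireinfraencryption", "false") != "true":
        findings["requireInfraEncryption"] = "no secondary encryption layer for data at rest"
    if p.get("networkendpointtype", "") != "privateEndpoint":
        findings["networkEndpointType"] = "account is not created behind a private endpoint"
    for opt in ("softDeleteBlobs", "softDeleteContainers"):
        if not p.get(opt.lower()):
            findings[opt] = "soft delete disabled: deleted data cannot be recovered"
    prefix = p.get("containernameprefix")
    if prefix is not None and not PREFIX_RE.match(prefix):
        findings["containerNamePrefix"] = "only lowercase letters, digits, hyphens; length < 21"
    if p.get("enableblobversioning") == "true" and (proto == "nfs" or p.get("ishnsenabled") == "true"):
        findings["enableBlobVersioning"] = "versioning cannot be enabled with nfs or isHnsEnabled"
    return findings
```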

## Static Provisioning (bring your own storage container)

- blobfuse example
- nfs example
- blobfuse read account key or SAS token from key vault example
- blobfuse Managed Identity and Service Principal Name auth example

| Name | Meaning | Available Value | Mandatory | Default value |
|---|---|---|---|---|
| volumeHandle | Specify a value the driver can use to uniquely identify the storage blob container in the cluster. A recommended way to produce a unique value is to combine the globally unique storage account name and container name: `{account-name}_{container-name}`. | | Yes | |
| volumeAttributes.subscriptionID | specify Azure subscription ID where the blob storage directory is located | Azure subscription ID | No | if not empty, `resourceGroup` must be provided |
| volumeAttributes.resourceGroup | Azure resource group name | existing resource group name | No | if empty, driver will use the same resource group name as the current k8s cluster |
| volumeAttributes.storageAccount | existing storage account name | existing storage account name | Yes | |
| volumeAttributes.containerName | existing container name | existing container name | Yes | |
| volumeAttributes.protocol | specify blobfuse, blobfuse2 or NFSv3 mount (blobfuse2 is still in Preview) | `fuse`, `fuse2`, `nfs` | No | `fuse` |
| volumeAttributes.server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use the default `accountname.blob.core.windows.net` or other sovereign cloud account address |
| volumeAttributes.storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc. | No | if empty, driver will use the default storage endpoint suffix according to cloud environment |
| --- | **Following parameters are only for blobfuse** | --- | --- | --- |
| volumeAttributes.secretName | secret name that stores storage account name and key (only applies for SMB) | | No | |
| volumeAttributes.secretNamespace | secret namespace | `default`, `kube-system`, etc. | No | pvc namespace |
| volumeAttributes.getLatestAccountKey | whether to get the latest account key based on the creation time; this driver gets the first key by default | `true`, `false` | No | `false` |
| nodeStageSecretRef.name | secret name that stores one of (check the examples below): `azurestorageaccountkey`, `azurestorageaccountsastoken`, `msisecret`, `azurestoragespnclientsecret` | existing Kubernetes secret name | No | |
| nodeStageSecretRef.namespace | secret namespace | k8s namespace | Yes | |
| --- | **Following parameters are only for NFS protocol** | --- | --- | --- |
| volumeAttributes.mountPermissions | mounted folder permissions | `0777` | No | |
| volumeAttributes.fsGroupChangePolicy | indicates how the volume's ownership will be changed by the driver; pod `securityContext.fsGroupChangePolicy` is ignored | `OnRootMismatch` (by default), `Always`, `None` | No | `OnRootMismatch` |
| --- | **Following parameters are only for feature: blobfuse Managed Identity and Service Principal Name auth** | --- | --- | --- |
| volumeAttributes.AzureStorageAuthType | Authentication Type | `Key`, `SAS`, `MSI`, `SPN` | No | `Key` |
| volumeAttributes.AzureStorageIdentityClientID | Identity Client ID | | No | |
| volumeAttributes.AzureStorageIdentityObjectID | Identity Object ID (deprecated) | | No | |
| volumeAttributes.AzureStorageIdentityResourceID | Identity Resource ID | | No | |
| volumeAttributes.MSIEndpoint | MSI Endpoint | | No | |
| volumeAttributes.AzureStorageSPNClientID | SPN Client ID | | No | |
| volumeAttributes.AzureStorageSPNTenantID | SPN Tenant ID | | No | |
| volumeAttributes.AzureStorageAADEndpoint | AAD Endpoint | | No | |
| --- | **Following parameters are only for feature: blobfuse read account key or SAS token from key vault** | --- | --- | --- |
| volumeAttributes.keyVaultURL | Azure Key Vault DNS name | existing Azure Key Vault DNS name | No | |
| volumeAttributes.keyVaultSecretName | Azure Key Vault secret name | existing Azure Key Vault secret name | No | |
| volumeAttributes.keyVaultSecretVersion | Azure Key Vault secret version | existing version | No | if empty, driver will use the current version |
- create a Kubernetes secret for `nodeStageSecretRef.name`

```console
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname="xxx" --from-literal=azurestorageaccountkey="xxx" --type=Opaque
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname="xxx" --from-literal=azurestorageaccountsastoken="xxx" --type=Opaque
kubectl create secret generic azure-secret --from-literal=msisecret="xxx" --type=Opaque
# azurestoragespnclientid, azurestoragespntenantid field setting in secret is only supported from v1.21.3
# each key/value pair needs its own --from-literal flag
kubectl create secret generic azure-secret --from-literal=azurestoragespnclientsecret="xxx" --from-literal=azurestoragespnclientid="xxx" --from-literal=azurestoragespntenantid="xxx" --type=Opaque
```

## Tips

- Mounting blobfuse requires an account key. If the `nodeStageSecretRef` field is not provided in the PV config, the driver first tries to get `azure-storage-account-{accountname}-secret` in the pod namespace; if that secret does not exist, it gets the account key by the Azure storage account API directly using the kubelet identity (make sure the kubelet identity has reader access to the storage account).
- Mounting blob storage NFSv3 does not need an account key; NFS mount access is configured by the following setting:
  - Firewalls and virtual networks: select "Enabled from selected virtual networks and IP addresses" with the same vnet as the agent node
- blobfuse cache (`--tmp-path` mount option)
  - By default, the blobfuse cache is located in the `/mnt` directory. If the VM SKU provides a temporary disk, the `/mnt` directory is mounted on the temporary disk. However, if the VM SKU does not provide a temporary disk, the `/mnt` directory is mounted on the OS disk.
  - With the blobfuse-proxy deployment (default on AKS), the user could set the `--tmp-path=` mount option to specify a different cache directory.
- Mount Azure blob storage with managed identity
- Blobfuse Performance and caching
  - `--disable-writeback-cache=true`: disallow libfuse to buffer write requests if you must strictly open files in `O_WRONLY` or `O_APPEND` mode
- Blobfuse CLI Flag Options v1 & v2
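An added example (not from the driver's docs) that parses the VolumeID format given under Dynamic Provisioning (`rg#accountName#containerName#uuid#secretNamespace#subscriptionID`, last three fields optional) and, using the fallback lookup described in the first tip above, reports which Kubernetes Secret a blobfuse mount without `nodeStageSecretRef` would consult. The sample IDs are constructed, and the secret-name rule is an assumption taken from that tip, not the driver's code.

```python
# Constructed volume handles for illustration (not from the driver's docs).
DYNAMIC_ID = ("rg-storage#stblobprod#pvc-fuse-a1b2c3#6f1c0e2a-9f1d-4c3b-8a2e-1234567890ab"
              "#storage-secrets#00000000-0000-0000-0000-000000000000")
MINIMAL_ID = "rg-storage#stblobprod#pvc-nfs-d4e5f6"

REQUIRED = ("resourceGroup", "accountName", "containerName")
OPTIONAL = ("uuid", "secretNamespace", "subscriptionID")


def parse_volume_id(volume_id):
    """Split rg#accountName#containerName#uuid#secretNamespace#subscriptionID.

    The last three fields are optional; missing or empty ones come back as "".
    Raises ValueError when a required field is missing or empty.
    """
    parts = volume_id.split("#")
    if not len(REQUIRED) <= len(parts) <= len(REQUIRED) + len(OPTIONAL):
        raise ValueError(f"unexpected field count {len(parts)} in {volume_id!r}")
    parts += [""] * (len(REQUIRED) + len(OPTIONAL) - len(parts))  # pad optionals
    fields = dict(zip(REQUIRED + OPTIONAL, parts))
    for name in REQUIRED:
        if not fields[name]:
            raise ValueError(f"{name} is empty in {volume_id!r}")
    return fields


def expected_account_key_secret(volume_id, pod_namespace):
    """Return (namespace, name) of the Secret a blobfuse mount falls back to.

    Assumption (from the Tips section): without nodeStageSecretRef the driver
    looks for azure-storage-account-{accountname}-secret, in secretNamespace
    when the volume ID carries one and otherwise in the pod's namespace.
    """
    fields = parse_volume_id(volume_id)
    namespace = fields["secretNamespace"] or pod_namespace
    return namespace, f"azure-storage-account-{fields['accountName']}-secret"
```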

## containerName parameter supports the following pv/pvc metadata conversion

If the `containerName` value contains the following strings, they would be converted into the corresponding pv/pvc name or namespace:

- `${pvc.metadata.name}`
- `${pvc.metadata.namespace}`
- `${pv.metadata.name}`