Mounting Volumes on Privileged Pods
Overview
Persistent volumes can be mounted to pods with the privileged security context constraint (SCC) attached.
While this topic uses GlusterFS as a sample use case for mounting volumes onto privileged pods, the procedure can be adapted to any supported storage plug-in.
Prerequisites
-
An existing Gluster volume.
-
glusterfs-fuse installed on all hosts.
-
Definitions for GlusterFS:
  - Endpoints and services: gluster-endpoints-service.yaml and gluster-endpoints.yaml
  - Persistent volumes: gluster-pv.yaml
  - Persistent volume claims: gluster-pvc.yaml
  - Privileged pods: gluster-S3-pod.yaml
-
A user with the cluster-admin role binding. For this guide, that user is called admin.
Creating the Persistent Volume
Creating the PersistentVolume makes the storage accessible to users, regardless of projects.
-
As the admin, create the service, endpoint object, and persistent volume:
$ oc create -f gluster-endpoints-service.yaml
$ oc create -f gluster-endpoints.yaml
$ oc create -f gluster-pv.yaml
-
Verify that the objects were created:
$ oc get svc
NAME              CLUSTER_IP      EXTERNAL_IP   PORT(S)   SELECTOR   AGE
gluster-cluster   172.30.151.58   <none>        1/TCP     <none>     24s

$ oc get ep
NAME              ENDPOINTS                               AGE
gluster-cluster   192.168.59.102:1,192.168.59.103:1       2m

$ oc get pv
NAME                     LABELS   CAPACITY   ACCESSMODES   STATUS      CLAIM   REASON   AGE
gluster-default-volume   <none>   2Gi        RWX           Available                    2d
Creating a Regular User
Adding a regular user to the privileged SCC (or to a group that has been granted the SCC) allows that user to run privileged pods. Note what this grants: the privileged SCC lets containers run as root with all capabilities and direct access to the host, so a user who holds it is effectively root on every node their pods are scheduled to, and the grant made with add-scc-to-user is cluster-wide, not limited to one project. Give it to as few identities as possible, and where a workload rather than a person needs it, prefer granting the SCC to a service account in the workload's own project.
-
As the admin, add a user to the SCC:
$ oc adm policy add-scc-to-user privileged <username>
-
Log in as the regular user:
$ oc login -u <username> -p <password>
-
Then, create a new project:
$ oc new-project <project_name>
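The steps above grant the privileged SCC to a login user. The following added example (not part of the original page) shows the narrower alternative mentioned in the caveat: granting the SCC to a service account scoped to one project, and rendering a pod manifest equivalent to gluster-S3-pod.yaml that runs under that service account. The project, service account and claim names (myproject, gluster-priv, gluster-claim) are assumptions for the demonstration; grant_scc_to_sa requires a cluster and a cluster-admin login, while render_pod_manifest only prints YAML and can be run anywhere.

```shell
#!/bin/sh
# Added example: scope the privileged SCC to a project service account
# instead of a human user, then run the privileged pod as that account.
# Names (myproject, gluster-priv, gluster-claim) are assumptions.
set -eu

# Create a service account in the project and add it to the privileged SCC.
# Needs cluster-admin. "-z" names a service account in the given project,
# so the SCC is tied to that account rather than to a user's login.
grant_scc_to_sa() {
    project="$1"
    sa="$2"
    oc create serviceaccount "$sa" -n "$project"
    oc adm policy add-scc-to-user privileged -z "$sa" -n "$project"
    # Review who now holds the SCC; this list should stay as short as possible.
    oc get scc privileged -o jsonpath='{.users}{"\n"}'
}

# Print a pod manifest equivalent to the page's gluster-S3-pod.yaml, with
# serviceAccountName set so the pod, not the creating user, carries the SCC.
# Arguments: service account, PVC name, optional mount path (default /mnt/gluster).
render_pod_manifest() {
    sa="$1"
    claim="$2"
    mount_path="${3:-/mnt/gluster}"
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: gluster-nginx-priv
spec:
  serviceAccountName: ${sa}
  containers:
  - name: gluster-nginx-priv
    image: fedora/nginx
    securityContext:
      privileged: true
    volumeMounts:
    - name: gluster-volume-claim
      mountPath: ${mount_path}
  volumes:
  - name: gluster-volume-claim
    persistentVolumeClaim:
      claimName: ${claim}
EOF
}

# Usage, as the admin, against a live cluster:
#   grant_scc_to_sa myproject gluster-priv
#   render_pod_manifest gluster-priv gluster-claim | oc create -n myproject -f -
```

With this layout the regular user needs no SCC at all: they create the PVC and the pod in their project, and the privileged SCC is applied because the pod runs as gluster-priv. Removing the grant later is a single `oc adm policy remove-scc-from-user privileged -z gluster-priv -n myproject`.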
Creating the Persistent Volume Claim
-
As a regular user, create the PersistentVolumeClaim to access the volume:
$ oc create -f gluster-pvc.yaml -n <project_name>
-
Define your pod to access the claim:
Example 1. Pod Definition

apiVersion: v1
kind: Pod
metadata:
  name: gluster-nginx-priv
spec:
  containers:
  - name: gluster-nginx-priv
    image: fedora/nginx
    volumeMounts:
    - mountPath: /mnt/gluster (1)
      name: gluster-volume-claim
    securityContext:
      privileged: true
  volumes:
  - name: gluster-volume-claim
    persistentVolumeClaim:
      claimName: gluster-claim (2)

1 Mount path of the volume inside the container.
2 The claimName must match the metadata.name of the PersistentVolumeClaim created from gluster-pvc.yaml (gluster-claim), not the name of the PersistentVolume; the pod references only the claim, and the claim is what binds to the volume. The pod must be created in the same project as the claim.
-
Upon pod creation, the mount directory is created and the volume is attached to that mount point.
As the regular user, create the pod from the definition:
$ oc create -f gluster-S3-pod.yaml
-
Verify that the pod created successfully:
$ oc get pods
NAME                 READY   STATUS    RESTARTS   AGE
gluster-nginx-priv   1/1     Running   0          36m
It can take several minutes for the pod to reach Running, because the image must be pulled and the Gluster volume mounted on the node first.
Verifying the Setup
Checking the Pod SCC
-
Export the pod configuration:
$ oc get -o yaml --export pod <pod_name>
The --export flag is deprecated and has been removed from later oc and kubectl releases; on those, run the same command without it. The annotation checked below is present either way.
-
Examine the output. Check that openshift.io/scc has the value privileged:
Example 2. Export Snippet
metadata:
  annotations:
    openshift.io/scc: privileged
Verifying the Mount
-
Access the pod and check that the volume is mounted:
$ oc rsh <pod_name>
[root@gluster-nginx-priv /]# mount
-
Examine the output for the Gluster volume. It should appear as a FUSE mount from one of the Gluster endpoints, at the path given in the pod's volumeMounts, with the rw option:
Example 3. Volume Mount
192.168.59.102:gv0 on /mnt/gluster type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
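The two checks in this section are done by eye above. As an added example (not from the original page), the following shell functions perform the same two checks on piped input so they can be scripted, for instance in a post-deployment test: one reads the pod YAML and confirms the openshift.io/scc annotation, the other reads the output of mount from inside the pod and confirms a glusterfs FUSE filesystem is mounted read-write at the expected path. The sample pod YAML and mount table embedded at the bottom are constructed for offline use; against a cluster, feed the functions from oc get and oc rsh as shown in the usage comment.

```shell
#!/bin/sh
# Added example: scriptable versions of the "Verifying the Setup" checks.
# Both functions read from stdin and return 0 on success, 1 on failure.

# check_pod_scc EXPECTED
# Succeeds if the pod YAML on stdin carries "openshift.io/scc: EXPECTED".
# awk splits on whitespace, so the indentation of the annotation does not matter.
check_pod_scc() {
    expected="$1"
    actual=$(awk '$1 == "openshift.io/scc:" { print $2; exit }')
    [ "$actual" = "$expected" ]
}

# check_gluster_mount MOUNTPOINT
# Succeeds if the mount table on stdin has a line of the form
#   <host>:<vol> on MOUNTPOINT type fuse.glusterfs (rw,...)
# i.e. field 3 is the mount point, field 5 is the filesystem type and the
# parenthesised option list in field 6 contains a bare "rw" entry.
check_gluster_mount() {
    mountpoint="$1"
    awk -v mp="$mountpoint" '
        $3 == mp && $5 == "fuse.glusterfs" {
            opts = $6
            gsub(/[()]/, "", opts)
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) {
                if (a[i] == "rw") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_POD_YAML='apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: privileged
  name: gluster-nginx-priv'

SAMPLE_MOUNT='overlay on / type overlay (rw,relatime)
192.168.59.102:gv0 on /mnt/gluster type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)'

# Usage against a live cluster, as the regular user in the pod's project:
#   oc get pod gluster-nginx-priv -o yaml | check_pod_scc privileged
#   oc rsh gluster-nginx-priv mount | check_gluster_mount /mnt/gluster
# Offline, with the constructed samples:
#   printf '%s\n' "$SAMPLE_POD_YAML" | check_pod_scc privileged
#   printf '%s\n' "$SAMPLE_MOUNT" | check_gluster_mount /mnt/gluster
```

The mount check deliberately requires the rw option and the exact mount point rather than just grepping for "gluster": a pod that came up with the volume mounted read-only, or mounted somewhere other than the path the pod definition asks for, would otherwise pass while the application later fails to write.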