From 51d693b42d106c771ff3ed392d6b343471888c91 Mon Sep 17 00:00:00 2001
From: Joshua Moody
Date: Thu, 28 May 2020 16:37:13 -0700
Subject: [PATCH] Add example deployment of nfs on top of a longhorn volume
This can be used to support RWX scenarios by exposing the longhorn volume via the nfs provisioner. The nfs-provisioner we use can be found at: https://github.com/kubernetes-incubator/external-storage/tree/master/nfs
Signed-off-by: Joshua Moody
---
 examples/rwx/01-security.yaml | 85 +++++++++++
 examples/rwx/02-longhorn-nfs-provisioner.yaml | 143 ++++++++++++++++++
 2 files changed, 228 insertions(+)
 create mode 100644 examples/rwx/01-security.yaml
 create mode 100644 examples/rwx/02-longhorn-nfs-provisioner.yaml
diff --git a/examples/rwx/01-security.yaml b/examples/rwx/01-security.yaml
new file mode 100644
index 0000000..627fc91
--- /dev/null
+++ b/examples/rwx/01-security.yaml
@@ -0,0 +1,85 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: longhorn-nfs-provisioner
+spec:
+ fsGroup:
+ rule: RunAsAny
+ allowedCapabilities:
+ - DAC_READ_SEARCH
+ - SYS_RESOURCE
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - hostPath
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: longhorn-nfs-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["services", "endpoints"]
+ verbs: ["get"]
+ - apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["nfs-provisioner"]
+ verbs: ["use"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: longhorn-nfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: longhorn-nfs-provisioner
+ namespace: longhorn-system
+roleRef:
+ kind: ClusterRole
+ name: longhorn-nfs-provisioner
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: longhorn-nfs-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: longhorn-nfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: longhorn-nfs-provisioner
+ namespace: longhorn-system
+roleRef:
+ kind: Role
+ name: longhorn-nfs-provisioner
+ apiGroup: rbac.authorization.k8s.io
+---
+
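Review bot: The ClusterRole's `use` rule names a PodSecurityPolicy `nfs-provisioner`, but the PSP created at the top of this file is `longhorn-nfs-provisioner`, so with PSP admission enabled the provisioner's service account is not actually permitted to use it and the pod is rejected or falls through to whatever other policy happens to match; change it to `resourceNames: ["longhorn-nfs-provisioner"]`. The same rule sits under `apiGroups: ["extensions"]` while the PSP itself is declared as `policy/v1beta1`; on clusters where the extensions group no longer serves PSPs, `apiGroups: ["policy"]` is the group that matches. Separately, the PSP admits `hostPath` volumes although the deployment in 02-longhorn-nfs-provisioner.yaml mounts only a persistentVolumeClaim, so that entry can be dropped to keep the policy at least-privilege. Finally, the Role and RoleBinding carry no `metadata.namespace` while their subject is pinned to `longhorn-system`; either add `namespace: longhorn-system` to both or state in the example that it must be applied with that namespace selected.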
diff --git a/examples/rwx/02-longhorn-nfs-provisioner.yaml b/examples/rwx/02-longhorn-nfs-provisioner.yaml
new file mode 100644
index 0000000..b38bd92
--- /dev/null
+++ b/examples/rwx/02-longhorn-nfs-provisioner.yaml
@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: longhorn-nfs-provisioner
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: longhorn-nfs-provisioner
+ labels:
+ app: longhorn-nfs-provisioner
+spec:
+ ports:
+ - name: nfs
+ port: 2049
+ - name: nfs-udp
+ port: 2049
+ protocol: UDP
+ - name: nlockmgr
+ port: 32803
+ - name: nlockmgr-udp
+ port: 32803
+ protocol: UDP
+ - name: mountd
+ port: 20048
+ - name: mountd-udp
+ port: 20048
+ protocol: UDP
+ - name: rquotad
+ port: 875
+ - name: rquotad-udp
+ port: 875
+ protocol: UDP
+ - name: rpcbind
+ port: 111
+ - name: rpcbind-udp
+ port: 111
+ protocol: UDP
+ - name: statd
+ port: 662
+ - name: statd-udp
+ port: 662
+ protocol: UDP
+ selector:
+ app: longhorn-nfs-provisioner
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: longhorn-nfs-provisioner
+spec:
+ selector:
+ matchLabels:
+ app: longhorn-nfs-provisioner
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: longhorn-nfs-provisioner
+ spec:
+ serviceAccount: longhorn-nfs-provisioner
+ containers:
+ - name: longhorn-nfs-provisioner
+ image: quay.io/kubernetes_incubator/nfs-provisioner:latest
+ ports:
+ - name: nfs
+ containerPort: 2049
+ - name: nfs-udp
+ containerPort: 2049
+ protocol: UDP
+ - name: nlockmgr
+ containerPort: 32803
+ - name: nlockmgr-udp
+ containerPort: 32803
+ protocol: UDP
+ - name: mountd
+ containerPort: 20048
+ - name: mountd-udp
+ containerPort: 20048
+ protocol: UDP
+ - name: rquotad
+ containerPort: 875
+ - name: rquotad-udp
+ containerPort: 875
+ protocol: UDP
+ - name: rpcbind
+ containerPort: 111
+ - name: rpcbind-udp
+ containerPort: 111
+ protocol: UDP
+ - name: statd
+ containerPort: 662
+ - name: statd-udp
+ containerPort: 662
+ protocol: UDP
+ securityContext:
+ capabilities:
+ add:
+ - DAC_READ_SEARCH
+ - SYS_RESOURCE
+ args:
+ - "-provisioner=nfs.longhorn.io"
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_NAME
+ value: longhorn-nfs-provisioner
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ imagePullPolicy: "IfNotPresent"
+ volumeMounts:
+ - name: export-volume
+ mountPath: /export
+ volumes:
+ - name: export-volume
+ persistentVolumeClaim:
+ claimName: longhorn-nfs-provisioner
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: longhorn-nfs-provisioner # longhorn backing pvc
+spec:
+ storageClassName: longhorn
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "20G" # make this 10% bigger then the workload pvc
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: longhorn-nfs # workload storage class
+provisioner: nfs.longhorn.io
+parameters:
+ mountOptions: "vers=4.1"
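Review bot: The container image is pulled as `quay.io/kubernetes_incubator/nfs-provisioner:latest` together with `imagePullPolicy: "IfNotPresent"`, so which provisioner build actually runs depends on whatever each node last cached and a retagged upstream image is picked up silently on a fresh node; pin it, e.g. `image: quay.io/kubernetes_incubator/nfs-provisioner:<pinned-tag-or-digest>` (placeholder), so the example is reproducible and the DAC_READ_SEARCH/SYS_RESOURCE capabilities granted in the securityContext go to a known build. The pod spec uses the deprecated `serviceAccount:` field; `serviceAccountName: longhorn-nfs-provisioner` is the current one and is what the RBAC bindings in 01-security.yaml rely on. Those bindings pin the subject to `longhorn-system`, yet none of the ServiceAccount, Service, Deployment or PVC here set `metadata.namespace`, so applying this file in any other namespace produces a provisioner with no RBAC rights; adding `namespace: longhorn-system` to each resource, or documenting the required namespace, would close that gap. The Service publishes every NFS/rpcbind port cluster-wide with no NetworkPolicy beside it, so presumably any pod that can reach the ClusterIP can reach the export — worth stating in the example or pairing it with a NetworkPolicy that admits only the namespaces consuming the `longhorn-nfs` class. Minor: the PVC comment should read `than`, not `then`.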