Quobyte CSI requires Quobyte Management API access. API access can be granted with user credentials (username/password) or with an API and Webconsole access key. Optionally, you can also protect volume mounts from unexpected/malicious access with a File System access key.
Requires Quobyte version 3.1 or later
To enable volume mount protection:
- Quobyte client(s) must be deployed with access key options
  - For containerized Quobyte client, see example client
  - For systemd Quobyte client, add the following lines to the client config file
        enable-access-contexts
        no-default-permissions
  - If the mount.quobyte command is used, add the --enable-access-contexts and --no-default-permissions options to the command line.
- Quobyte CSI driver must be deployed with enableAccessKeyMounts: true
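
A pre-flight check for the client-side options listed above, as an added example that is not part of the Quobyte CSI project. It assumes the client config file holds one option per line and that lines starting with '#' are comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a Quobyte client is configured with both options
# required for access key protected mounts.
# Assumptions: one option per line in the client config file, '#' starts a
# comment. Function names are hypothetical, not part of any Quobyte tool.

REQUIRED_OPTS="enable-access-contexts no-default-permissions"

# missing_in_config FILE -> prints each required option absent from FILE
missing_in_config() {
    for opt in $REQUIRED_OPTS; do
        # Match the option as a whole line; commented-out lines do not count.
        grep -Eqs "^[[:space:]]*${opt}[[:space:]]*$" "$1" || printf '%s\n' "$opt"
    done
}

# missing_in_cmdline ARGS... -> prints each required --option absent from ARGS
missing_in_cmdline() {
    for opt in $REQUIRED_OPTS; do
        found=no
        for arg in "$@"; do
            if [ "$arg" = "--$opt" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "--$opt"; fi
    done
}

# check_client_config FILE -> status 0 only when both options are present
check_client_config() {
    missing=$(missing_in_config "$1")
    if [ -n "$missing" ]; then
        echo "mount protection not active, missing in $1:" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}
```

Call check_client_config with the path of the client config file on each node, or pass the arguments of a mount.quobyte invocation to missing_in_cmdline.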
The following examples use imported Quobyte access keys and should only be used for testing. For production usage, you should create the relevant access keys through the Quobyte web console -> My Quobyte -> My Access Keys, or by other means such as qmgmt or the management API, and then update your secrets with the access key information.
The following examples require:
- Quobyte tenant csi-test
- Quobyte user csi-driver as member of tenant csi-test
- Quobyte user csi-driver must have a primary group.
To import access keys, you need qmgmt available on the node. Additionally, you need to set the API_URL environment variable with the Quobyte API URL.

    API_URL="<your-quobyte-cluster-api-url>"
- Import Quobyte API access key into your Quobyte Cluster
      qmgmt -u $API_URL accesskey import example/access_keys/api_access_keys.csv
- Create API secret with the imported API access key information
      kubectl apply -f example/access_keys/quobyte-api-secret.yaml
- Import Quobyte mount/file system access key into your Quobyte Cluster
      qmgmt -u $API_URL accesskey import example/access_keys/mount_access_keys.csv
- Create mount secret with the imported mount access key information
      kubectl apply -f example/access_keys/quobyte-mount-secret.yaml
- Create a storage class with the quobyte-api-secret and quobyte-mount-secret secrets
      kubectl apply -f example/access_keys/storage-class-api-and-mount-secret.yaml
- Create PVC with the storage class api-and-mount-secret-storage-class access keys
      kubectl apply -f example/access_keys/pvc-api-and-mount-secret.yaml
- Create Nginx pod using the above PVC
      kubectl apply -f example/access_keys/nginx-api-and-mount-secret.yaml
- Once the pod is running, copy the index file to the deployed nginx pod
      kubectl cp example/index.html nginx-api-and-mount-secret:/usr/share/nginx/html/
- Access the home page served by nginx pod from the command line
      curl http://$(kubectl get pods nginx-api-and-mount-secret -o yaml | grep ' podIP:' | awk '{print $2}'):80

- Import Quobyte All uses access key into your Quobyte Cluster
      qmgmt -u $API_URL accesskey import example/access_keys/all_uses_access_keys.csv
- Create a secret with the imported API access key information
      kubectl create -f example/access_keys/quobyte-generic-secret.yaml
- Create the storage class with the quobyte-generic-secret secret
      kubectl apply -f example/access_keys/storage-class-generic-secret.yaml
- Create PVC with the storage class api-and-mount-secret-storage-class access keys
      kubectl apply -f example/access_keys/pvc-generic-secret.yaml
- Create Nginx pod using the above PVC
      kubectl apply -f example/access_keys/nginx-generic-secret.yaml
- Once the pod is running, copy the index file to the deployed nginx pod
      kubectl cp example/index.html nginx-generic-secret:/usr/share/nginx/html/
- Access the home page served by nginx pod from the command line
      curl http://$(kubectl get pods nginx-generic-secret -o yaml | grep ' podIP:' | awk '{print $2}'):80

NOTE:
- If your k8s secret contains user: and password:, Quobyte CSI driver uses this information to access Quobyte management API.
- If tenant-name/volume-name is provided for pre-provisioned volume PV, you must provide "all uses" access key as mount secret. Alternatively, you could use volume-uuid and more restrictive "file system/mount" access key in the secret.