
I have a Kubernetes cluster on bare metal.

I need a CIFS dynamic PV provisioner restricted to a specific namespace. I only want users/pods that have access to namespace_a to be able to store on PVs provisioned on CIFS shared_a.

Is there any existing solution available?

Is there any alternative that would allow me to dynamically provision PVs that are backed by a Samba NAS share while keeping namespace isolation?

Thanks

ThatChrisGuy

1 Answer

By design, PersistentVolumes are not namespaced objects, but PersistentVolumeClaims are.

To achieve isolation between a namespace and a PersistentVolume, you can bind the PV to a PVC. It is a one-to-one mapping and it "reserves" the volume for a specific PVC.

You have to specify claimRef in the PersistentVolume's spec field:

ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC.

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv1
  # [...]
spec:
  # [...]
  claimRef:
    name: claim
    namespace: default
```

And in PVC:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: claim
spec:
  # [...]
  volumeName: pv1
```

kool
  • Could a dynamic provisioner do this binding automatically? Upon PVC with volumeName, generate a PV with claimRef to bind to the PVC. – ThatChrisGuy Nov 25 '19 at 14:23
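
An added example, not part of the original answer: a small audit that checks the reservation described above over a PV/PVC listing, flagging PVs with no `claimRef`, PVs reserved for another namespace, and PVCs whose `volumeName` points at a PV reserved for a different claim. The sample data is constructed, the namespace names are the question's placeholders, and the `audit` function name is hypothetical.

```python
import json

# Constructed sample, shaped like the items of `kubectl get pv,pvc -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "PersistentVolume", "metadata": {"name": "pv1"},
  "spec": {"claimRef": {"name": "claim", "namespace": "namespace_a"}}},
 {"kind": "PersistentVolume", "metadata": {"name": "pv2"}, "spec": {}},
 {"kind": "PersistentVolume", "metadata": {"name": "pv3"},
  "spec": {"claimRef": {"name": "claim", "namespace": "namespace_b"}}},
 {"kind": "PersistentVolumeClaim",
  "metadata": {"name": "claim", "namespace": "namespace_a"},
  "spec": {"volumeName": "pv1"}},
 {"kind": "PersistentVolumeClaim",
  "metadata": {"name": "claim", "namespace": "namespace_b"},
  "spec": {"volumeName": "pv1"}}
]}
""")

def audit(items, allowed_ns):
    """Return sorted (object, finding) pairs that break the PV reservation."""
    pvs = {i["metadata"]["name"]: i for i in items
           if i["kind"] == "PersistentVolume"}
    findings = []
    for name, pv in pvs.items():
        ref = pv["spec"].get("claimRef")
        if not ref:
            # Unreserved PV: a matching PVC from any namespace may bind it.
            findings.append((name, "no claimRef, volume is not reserved"))
        elif ref.get("namespace") != allowed_ns:
            findings.append((name, f"reserved for namespace {ref.get('namespace')}"))
    for pvc in (i for i in items if i["kind"] == "PersistentVolumeClaim"):
        meta, vol = pvc["metadata"], pvc["spec"].get("volumeName")
        ref = pvs.get(vol, {}).get("spec", {}).get("claimRef") if vol else None
        # The PV's claimRef must name exactly this claim (namespace and name).
        if ref and (ref.get("namespace"), ref.get("name")) != (
                meta["namespace"], meta["name"]):
            findings.append((f"{meta['namespace']}/{meta['name']}",
                             f"names {vol}, which is reserved for another claim"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE["items"], "namespace_a"):
        print(f"{obj}: {finding}")
```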