OpenShift Shared Resource CSI Driver
The OpenShift Shared Resource CSI Driver allows Secrets
and ConfigMaps
to be
shared across Kubernetes namespaces in a controlled manner. This CSI driver
ensures that the entity (ServiceAccount) accessing the shared Secret or ConfigMap
has permission to do so before mounting the data as a volume into the requesting
Pod.
This CSI driver only supports the Ephemeral
volume lifecycle mode.
It also requires the following during operation:
podInfoOnMount: true
fsGroupPolicy: File
attachRequired: false
Getting Started
The easiest way to use the Shared Resource CSI Driver is to deploy OpenShift
v4.10 or higher, and enable the
Tech Preview Features.
How To Use
-
Create a Secret
or ConfigMap
that you wish to share in a "source" namespace.
apiVersion: v1
kind: ConfigMap
metadata:
name: shared-config
namespace: default # This can be any desired "source" namespace
data:
config.txt: "Hello world!"
-
Create a SharedSecret
or SharedConfigMap
instance to make your resource shareable:
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedConfigMap
metadata:
name: share-default-config
spec:
configMapRef:
name: shared-config
namespace: default
-
Grant the desired SeviceAccount
in the "target" namespace permission to use the shared resource above:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: use-shared-default-config
namespace: app-namespace # This is the "target" namespace
rules:
- apiGroups:
- sharedresource.openshift.io
resources:
- sharedconfigmaps
resourceNames:
- share-default-config
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: use-shared-default-config
namespace: app-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-shared-default-config
subjects:
- kind: ServiceAccount
name: default
namespace: app-namespace
-
Mount the shared resource into a Pod
(or other resource that accepts CSI
Volumes):
apiVersion: v1
kind: Pod
metadata:
name: example-shared-config
namespace: app-namespace
spec:
...
serviceAccountName: default
volumes:
- name: shared-config
csi:
readOnly: true # required to be true
driver: csi.sharedresource.openshift.io
volumeAttributes:
sharedConfigMap: share-default-config
See also:
Features
- ServiceAccounts must have the
use
permission to mount the respective
SharedSecret
or SharedConfigMap
. Volumes fail to mount otherwise - see
FAQ for more details.
- Automatic sync of the shared resource data (Secret/ConfigMap) into the mounting
Pod
.
- Automatic removal/restoration of shared resource data if the Pod's RBAC
permissions change at runtime.
- Automatic removal/restoration of shared resource data if the backing
Secret/ConfigMap is deleted/re-created.
- Survival of shared resource data with CSI driver restarts/upgrades.
- Multiple
SharedSecret
/SharedConfig
volumes within a Pod
. Also supports
nested volume mounts within a container.
- Reserve a cluster-scoped share name to a specific
Secret
or ConfigMap
.
The following CSI interfaces are implemented:
- Identity Service: GetPluginInfo, GetPluginCapabilities, Probe
- Node Service: NodeGetInfo, NodeGetCapabilities, NodePublishVolume, NodeUnpublishVolume
- Controller Service: not implemented.
NOTE: see CSI Volume Specifics for restrictions around these features for read-only Volumes.
FAQ
Please refer to the FAQ Guide for commonly asked questions.
Development
See the development guide on how to build and test locally.