authorization.md
Authorization

If you chose to run the provisioner in Kubernetes you may need to grant it authorization to make the API requests it needs (creating PersistentVolumes, watching PersistentVolumeClaims and StorageClasses) and to perform the privileged operations its pod needs on the node. Creating PersistentVolumes is normally an administrator's responsibility, and the authorization policies of Kubernetes & OpenShift will by default deny a pod both kinds of access. A Kubernetes RBAC API request denial looks like this; the parenthetical at the end names the verb and the fully qualified resource that were denied, which tells you exactly which rule the role is missing:

E0124 20:10:01.475115 1 reflector.go:199] github.com/kubernetes-incubator/nfs-provisioner/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.StorageClass: the server does not allow access to the requested resource (get storageclasses.storage.k8s.io)

Find out which authorization plugin or policy implementation your cluster uses, if any, and follow the matching section below.

PSP and/or RBAC

Your cluster may have PSPs (Pod Security Policies) and/or RBAC (Role-Based Access Control) enabled. If you are going to use either, use both: RBAC limits what the provisioner may ask the API server for, and the PSP limits what its pod may do on the node. If your cluster has only one of them enabled:

  • PSP only: you need only create the PSP

     $ kubectl create -f deploy/kubernetes/auth/psp.yaml
     podsecuritypolicy "nfs-provisioner" created
  • RBAC only: skip the step where you create the PSP. The ClusterRole still works even if the PSP doesn't exist, because the rule in it that references the PSP is never exercised when PSP admission is not enabled.

Note that PodSecurityPolicy was removed in Kubernetes 1.25; on those releases only the RBAC steps below apply, and pod admission is handled by a different mechanism.

RBAC ships no bootstrap ClusterRole with the permissions nfs-provisioner needs, so you need to create a ClusterRole that lists those permissions plus a ClusterRoleBinding that grants them to the service account the nfs-provisioner pod will run as.

Create the service account. Later, you will have to ensure the pod template of the deployment/statefulset/daemonset specifies this service account.

$ kubectl create -f deploy/kubernetes/auth/serviceaccount.yaml
serviceaccounts/nfs-provisioner

Create the PSP.

$ kubectl create -f deploy/kubernetes/auth/psp.yaml
podsecuritypolicy "nfs-provisioner" created

deploy/kubernetes/auth/clusterrole.yaml lists all the permissions nfs-provisioner needs.

Create the ClusterRole.

$ kubectl create -f deploy/kubernetes/auth/clusterrole.yaml
clusterrole "nfs-provisioner-runner" created

deploy/kubernetes/auth/clusterrolebinding.yaml binds the "nfs-provisioner" service account in namespace default to your ClusterRole. Edit the subject's service account name and namespace in that file if you are not in the namespace default or named the service account something other than "nfs-provisioner". Bind only that one service account; binding the role to a group such as system:serviceaccounts would let every pod in the cluster create PersistentVolumes.

Create the ClusterRoleBinding.

$ kubectl create -f deploy/kubernetes/auth/clusterrolebinding.yaml
clusterrolebinding "run-nfs-provisioner" created

Remember: later, you will have to ensure the pod template of the deployment/statefulset/daemonset specifies the service account you created.
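Putting the four objects above together, here is a complete set of manifests as an added example. It is not the project's deploy/kubernetes/auth/*.yaml, so treat its rule list, the DAC_READ_SEARCH and SYS_RESOURCE capabilities and the volume types as assumptions, and diff them against the project's files and your pod template before applying. It is written to the least-privilege shape this section describes: one service account, a PSP that admits only what the pod asks for, a ClusterRole that grants `use` on that single PSP by name, and a binding to that one service account.

```yaml
# Added example, not the project's own manifests. Capability list, volume
# types and namespace are assumptions; match them against the pod spec you deploy.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-provisioner
  namespace: default                # change if the pod runs elsewhere
---
apiVersion: policy/v1beta1          # extensions/v1beta1 on clusters older than 1.10
kind: PodSecurityPolicy
metadata:
  name: nfs-provisioner
spec:
  privileged: false                 # a privileged container is not required
  hostNetwork: false
  hostPID: false
  hostIPC: false
  allowedCapabilities:              # assumed to match securityContext.capabilities.add in the pod spec
  - DAC_READ_SEARCH
  - SYS_RESOURCE
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:                          # only the volume types the pod template actually uses
  - hostPath
  - persistentVolumeClaim
  - secret
  - configMap
  - emptyDir
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nfs-provisioner-runner
rules:
# A dynamic provisioner creates and deletes PVs, watches PVCs and StorageClasses
# and records Events. Nothing here grants write access to StorageClasses or any
# access to Secrets.
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "update", "patch"]
- apiGroups: [""]                   # assumed: lets the pod look up its own Service/Endpoints
  resources: ["services", "endpoints"]
  verbs: ["get"]
# `use` on exactly one PSP, by name. With PSP admission disabled this rule is
# never exercised, which is why the ClusterRole works without the PSP; with it
# enabled, the pod may only be admitted under this PSP and no broader one.
- apiGroups: ["policy"]             # "extensions" on older clusters
  resources: ["podsecuritypolicies"]
  resourceNames: ["nfs-provisioner"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: run-nfs-provisioner
subjects:
- kind: ServiceAccount              # one service account, never a group of them
  name: nfs-provisioner
  namespace: default
roleRef:
  kind: ClusterRole
  name: nfs-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
```

After applying, check the grant from the service account's point of view rather than your own: `kubectl auth can-i create persistentvolumes --as=system:serviceaccount:default:nfs-provisioner` should answer yes, while `kubectl auth can-i create storageclasses --as=system:serviceaccount:default:nfs-provisioner` should answer no. If the provisioner later logs a denial like the one at the top of this page, the verb and resource in the parentheses name the rule to add.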

OpenShift

OpenShift by default has both authorization policies and security context constraints (SCCs) that deny an nfs-provisioner pod its needed permissions, so you need to create a new ClusterRole and a new SCC for your pod to use: the ClusterRole covers the API requests, the SCC covers what the pod is allowed to ask for on the node.

Create the service account. Later, you will have to ensure the pod template of the deployment/statefulset/daemonset specifies this service account.

$ oc create -f deploy/kubernetes/auth/serviceaccount.yaml
serviceaccount "nfs-provisioner" created

deploy/kubernetes/auth/openshift-scc.yaml defines an SCC for your nfs-provisioner pod to validate against.

Create the SCC.

$ oc create -f deploy/kubernetes/auth/openshift-scc.yaml
securitycontextconstraints "nfs-provisioner" created

Add the nfs-provisioner service account to the SCC. Change the service account name and namespace accordingly if you are not in the namespace default or named the service account something other than "nfs-provisioner". (On current OpenShift releases the oadm binary has been folded into oc; the oadm policy commands in this section are run as oc adm policy with the same arguments.)

$ oadm policy add-scc-to-user nfs-provisioner system:serviceaccount:default:nfs-provisioner

deploy/kubernetes/auth/openshift-clusterrole.yaml lists all the permissions nfs-provisioner needs.

Create the ClusterRole.

$ oc create -f deploy/kubernetes/auth/openshift-clusterrole.yaml
clusterrole "nfs-provisioner-runner" created

Add the ClusterRole to the nfs-provisioner service account. Change the service account name and namespace accordingly if you are not in the namespace default or named the service account something other than "nfs-provisioner".

$ oadm policy add-cluster-role-to-user nfs-provisioner-runner system:serviceaccount:default:nfs-provisioner

Remember: later, you will have to ensure the pod template of the deployment/statefulset/daemonset specifies the service account you created.
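The SCC below is an added example, not the project's deploy/kubernetes/auth/openshift-scc.yaml. The capabilities and volume types are assumptions to be matched against the pod template, and the object name follows the one used in this section. It grants the pod the capabilities it asks for while keeping it out of a privileged container and out of the host namespaces, which is the property the restrictive default SCCs enforce and which a custom SCC should preserve.

```yaml
# Added example, not the project's own SCC. Capabilities and volume types are
# assumptions; match them against securityContext and volumes in the pod template.
apiVersion: security.openshift.io/v1   # plain "v1" on OpenShift 3.x releases before this group existed
kind: SecurityContextConstraints
metadata:
  name: nfs-provisioner
allowPrivilegedContainer: false        # not needed: the pod asks for two capabilities, not full privilege
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: true         # only if the pod mounts a hostPath for the export directory
allowedCapabilities:                   # assumed to match securityContext.capabilities.add
- DAC_READ_SEARCH
- SYS_RESOURCE
requiredDropCapabilities: []
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:                               # only the volume types the pod template actually uses
- configMap
- emptyDir
- hostPath
- persistentVolumeClaim
- secret
users: []                              # filled by oadm policy add-scc-to-user, not by hand
```

Rather than listing the service account under users by hand, apply the SCC and run the oadm policy add-scc-to-user command above, then confirm with `oc get scc nfs-provisioner -o yaml` that system:serviceaccount:default:nfs-provisioner is the only entry under users. The ClusterRole side needs no PSP-style `use` rule on OpenShift, because SCC admission is granted by that command rather than through RBAC.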


Now that you have finished authorizing the provisioner, go to Deployment for info on how to deploy it.