Quobyte CSI requires Quobyte Management API access. The API access can be granted with user credentials (username/password) or with an API and Webconsole access key. Optionally, you can also protect volume mounts from unexpected/malicious access with a File System access key.
Requires Quobyte version 3.1 or later
To enable volume mount protection:
enable-access-contexts
no-default-permissions
--enable-access-contexts and --no-default-permissions options to the command line.
enableAccessKeyMounts: true
The following examples use imported Quobyte access keys and should only be used for testing. For production usage, you should create the relevant access keys through the Quobyte web console (My Quobyte -> My Access Keys) or by other means such as qmgmt or the management API, and then update your secrets with the access key information.
The following examples require:
csi-test
csi-driver as member of tenant csi-test
csi-driver must have a primary group.
To import access keys, you need qmgmt available on the node. Additionally, you need to set the API_URL environment variable to the Quobyte API URL.
API_URL="<your-quobyte-cluster-api-url>"
Import Quobyte API access key into your Quobyte Cluster
qmgmt -u $API_URL accesskey import example/access_keys/api_access_keys.csv
Create API secret with the imported API access key information
kubectl apply -f example/access_keys/quobyte-api-secret.yaml
Import Quobyte mount/file system access key into your Quobyte Cluster
qmgmt -u $API_URL accesskey import example/access_keys/mount_access_keys.csv
Create mount secret with the imported mount access key information
kubectl apply -f example/access_keys/quobyte-mount-secret.yaml
Create a storage class with the quobyte-api-secret and quobyte-mount-secret secrets
kubectl apply -f example/access_keys/storage-class-api-and-mount-secret.yaml
Create PVC with the storage class api-and-mount-secret-storage-class access keys
kubectl apply -f example/access_keys/pvc-api-and-mount-secret.yaml
Create Nginx pod using the above PVC
kubectl apply -f example/access_keys/nginx-api-and-mount-secret.yaml
Once the pod is running, copy the index file to the deployed nginx pod
kubectl cp example/index.html nginx-api-and-mount-secret:/usr/share/nginx/html/
Access the home page served by nginx pod from the command line
curl http://$(kubectl get pods nginx-api-and-mount-secret -o yaml | grep ' podIP:' | awk '{print $2}'):80
Import Quobyte All uses access key into your Quobyte Cluster
qmgmt -u $API_URL accesskey import example/access_keys/all_uses_access_keys.csv
Create a secret with the imported API access key information
kubectl create -f example/access_keys/quobyte-generic-secret.yaml
Create the storage class with the quobyte-generic-secret secret
kubectl apply -f example/access_keys/storage-class-generic-secret.yaml
Create PVC with the storage class api-and-mount-secret-storage-class access keys
kubectl apply -f example/access_keys/pvc-generic-secret.yaml
Create Nginx pod using the above PVC
kubectl apply -f example/access_keys/nginx-generic-secret.yaml
Once the pod is running, copy the index file to the deployed nginx pod
kubectl cp example/index.html nginx-generic-secret:/usr/share/nginx/html/
Access the home page served by nginx pod from the command line
curl http://$(kubectl get pods nginx-generic-secret -o yaml | grep ' podIP:' | awk '{print $2}'):80
NOTE:
If your k8s secret contains user: and password:, the Quobyte CSI driver uses this information to access the Quobyte management API.
If tenant-name/volume-name is provided for a pre-provisioned volume (PV), you must provide an “all uses” access key as the mount secret. Alternatively, you could use volume-uuid and a more restrictive “file system/mount” access key in the secret.
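The examples above import access keys that ship with the repository and are meant for testing only. The following check is an added example, not part of the Quobyte CSI project: it compares a deployed Secret with the example manifest and reports fields that still hold the example value. The field names keyId and keySecret in the sample data are constructed placeholders.

```python
import base64
import json
import sys


def secret_values(secret):
    """Map each key of a Secret to plaintext bytes (data is base64, stringData is not)."""
    values = {k: base64.b64decode(v) for k, v in (secret.get("data") or {}).items()}
    values.update({k: v.encode() for k, v in (secret.get("stringData") or {}).items()})
    return values


def audit_secret(deployed, example):
    """Compare a deployed Secret with the repository's example Secret."""
    live, sample = secret_values(deployed), secret_values(example)
    return {
        "name": deployed.get("metadata", {}).get("name"),
        # Keys whose value is still byte-for-byte the published example value.
        "reused_example_values": sorted(
            k for k, v in live.items() if v and sample.get(k) == v),
        # Per the NOTE above: user/password in the Secret is what the driver
        # uses to access the management API.
        "uses_user_password": live.keys() >= {"user", "password"},
    }


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample data: field names and values are placeholders (assumptions).
EXAMPLE = {"metadata": {"name": "quobyte-api-secret"},
           "stringData": {"keyId": "EXAMPLE-ID", "keySecret": "EXAMPLE-SECRET"}}
STILL_TEST = {"metadata": {"name": "quobyte-api-secret"},
              "data": {"keyId": b64("EXAMPLE-ID"), "keySecret": b64("EXAMPLE-SECRET")}}
ROTATED = {"metadata": {"name": "quobyte-api-secret"},
           "data": {"keyId": b64("PROD-ID"), "keySecret": b64("PROD-SECRET")}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two JSON files: deployed Secret, example Secret
        report = audit_secret(*(json.load(open(p)) for p in sys.argv[1:]))
    else:  # no files given: run on the constructed sample
        report = audit_secret(STILL_TEST, EXAMPLE)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["reused_example_values"] else 0)
```

The two JSON inputs can be produced with `kubectl get secret quobyte-api-secret -o json` and `kubectl apply --dry-run=client -f example/access_keys/quobyte-api-secret.yaml -o json`. A non-zero exit means at least one field still carries the repository's test value.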