Volume types: Temp / Local / Network
● emptyDir
● hostPath
● GlusterFS
● CephRBD
● gitRepo
● secret
● flocker
● gcePersistentDisk
● AWS ElasticBlockStore (EBS)
● NFS
● iSCSI
● Fibre Channel
● Cinder
VS. Cattle Storage
[Diagram: users SALLY and BOB; GLOBAL Persistent Volumes PV123 and PV456; three PODs, each holding a CLAIM REFERENCE to its own PERSISTENT VOLUME CLAIM (PVC001, PVC002, PVC003)]
```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dyn-prov-claim
  annotations:
    volume.alpha.kubernetes.io/storage-class: aws-ebs
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
```
Available Provisioners:
● OpenStack Cinder: kubernetes.io/cinder
● AWS Elastic Block Store (EBS): kubernetes.io/aws-ebs
● GCE Persistent Disk (gcePD): kubernetes.io/gce-pd
[Diagram, two slides: PV lifecycle. PROVISION: MANUAL or DYNAMIC; states AVAILABLE, BOUND (PV + PVC), RELEASED, FAILURE. A POD makes a CLAIM REQUEST; CLAIM DELETED or POD DELETED leads to PENDING; RETAIN PV is the default policy; a volume that cannot mount leaves the pod in CrashLoopBackOff. The second slide adds the note "Timing / vague state".]
Pod Security Policy (Upstream) vs. Security Context Constraints (SCC) (OpenShift)

Pod Security Policy (upstream):
● PSP provides an interface for the security types, but enforcement doesn't exist today
● No admission controller

Security Context Constraints (OpenShift):
SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:
1. Running of privileged containers.
2. Capabilities a container can request to be added.
3. Use of host directories as volumes.
4. The SELinux context of the container.
5. The user ID.
6. The use of host namespaces and networking.
7. Allocating an FSGroup that owns the pod's volumes.
8. Configuring allowable supplemental groups.
● SCC defined by namespace and can be restricted to specific users
The NFS export is group-owned by GID 1234, so the pod requests that GID as a supplemental group:

```
# ls -ld /opt/nfs   # on NFS server
drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-nfs-test
spec:
  containers:
  - name: nginx-nfs-test
    image: fedora/nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: nginx-nfs
      mountPath: /usr/share/nginx/html/test
  securityContext:
    supplementalGroups: [1234]
  volumes:
  - name: nginx-nfs
    persistentVolumeClaim:
      claimName: nfs-claim
```
Currently the list of volumes which support ownership management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: rbd-web
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: ceph-rbd
      mountPath: "/usr/share/nginx/html"
  securityContext:
    fsGroup: 1234
  volumes:
  - name: ceph-rbd
    rbd:
      monitors:
      - 192.168.122.133:6789
      pool: rbd
      image: foo
      user: admin
      secretRef:
        name: ceph-secret
      fsType: ext4
      readOnly: false
```
Currently the list of volumes which support SELinux management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
● Fibre Channel
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ebs-web
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: ebs-volume
      mountPath: "/usr/share/nginx/html"
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
  - name: ebs-volume
    awsElasticBlockStore:
      volumeID: <VOLUME ID>
```
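The SCC rules and the two volume-type lists above can be applied as a static pre-admission check on pod manifests. The following is an added example, not code from the deck: it assumes pods are given as Python dicts (the shape yaml.safe_load returns), maps the slides' volume names to their Kubernetes volume keys, and uses constructed sample pods modelled on the rbd-web and NFS examples.

```python
# Added example (not from the deck): static check of pod manifests against the
# rules stated on the slides. fsGroup ownership management and SELinux relabeling
# only take effect on the listed volume types; hostPath volumes and privileged
# containers are exactly what an SCC (items 1 and 3) has to allow explicitly.
OWNERSHIP_MANAGED = {"awsElasticBlockStore", "cinder", "gcePersistentDisk",
                     "iscsi", "emptyDir", "rbd", "gitRepo"}
SELINUX_MANAGED = OWNERSHIP_MANAGED | {"fc"}


def volume_type(volume):
    """A volume entry is {'name': ..., '<type>': {...}}; return the type key."""
    keys = [k for k in volume if k != "name"]
    return keys[0] if keys else "unknown"


def check_pod(pod):
    """Return a list of findings for one pod; an empty list means nothing flagged."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    findings = []
    for vol in spec.get("volumes", []):
        name, vtype = vol["name"], volume_type(vol)
        if vtype == "persistentVolumeClaim":
            # Backend is hidden behind the claim: only the bound PV tells whether
            # fsGroup / SELinux apply, so report it instead of guessing.
            findings.append(f"{name}: resolve PVC {vol[vtype].get('claimName')} "
                            "to its PV before relying on fsGroup/SELinux")
            continue
        if vtype == "hostPath":
            findings.append(f"{name}: hostPath needs an SCC allowing host directories")
        if "fsGroup" in psc and vtype not in OWNERSHIP_MANAGED:
            findings.append(f"{name}: fsGroup is not applied to {vtype}; "
                            "use supplementalGroups matching the share's GID")
        if "seLinuxOptions" in psc and vtype not in SELINUX_MANAGED:
            findings.append(f"{name}: SELinux label is not applied to {vtype}")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{c['name']}: privileged container must be allowed by SCC")
    return findings


# Constructed sample pods modelled on the deck's rbd-web and NFS examples.
RBD_POD = {"kind": "Pod", "spec": {
    "securityContext": {"fsGroup": 1234},
    "containers": [{"name": "web", "image": "nginx"}],
    "volumes": [{"name": "ceph-rbd", "rbd": {"pool": "rbd", "image": "foo"}}]}}
NFS_POD = {"kind": "Pod", "spec": {
    "securityContext": {"fsGroup": 1234},
    "containers": [{"name": "web", "image": "nginx"}],
    "volumes": [{"name": "data", "nfs": {"server": "nfs.example", "path": "/opt/nfs"}},
                {"name": "host", "hostPath": {"path": "/etc"}}]}}

if __name__ == "__main__":
    print(check_pod(RBD_POD) or "rbd-web: ok", check_pod(NFS_POD), sep="\n")
```

The rbd-web pod passes cleanly because rbd is in the ownership-management list, while the NFS pod is flagged for fsGroup on an NFS volume (which is why the slide uses supplementalGroups instead) and for the hostPath volume.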
KubeCon EU 2016: Kubernetes Storage 101