From 67ff01d38be5071ff6d51c68d2bba315326037c8 Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Wed, 17 Sep 2025 08:55:03 -0700 Subject: [PATCH 1/2] OSASINFRA-3718: Draft content Add documentation for manila csi changes to allow multiple access rules --- ...orage-csi-manila-dynamic-provisioning.adoc | 2 +- ...storage-csi-manila-share-access-rules.adoc | 107 ++++++++++++++++++ .../persistent-storage-csi-manila.adoc | 2 + 3 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 modules/persistent-storage-csi-manila-share-access-rules.adoc diff --git a/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc b/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc index 228c429034c9..9bfb282d662a 100644 --- a/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc +++ b/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc @@ -14,7 +14,7 @@ You can use the same pod and persistent volume claim (PVC) definitions on-premis [IMPORTANT] ==== -By default the access-rule assigned to a volume is set to 0.0.0.0/0. To limit the clients that can mount the persistent volume (PV), create a new storage class with an IP or a subnet mask in the `nfs-shareClient` storage class parameter. +By default the access-rule assigned to a volume is set to 0.0.0.0/0, which allows access from all IPv4 clients. For enhanced security, it is recommended to create custom storage classes with specific client IP addresses or subnets. See xref:../../storage/container_storage_interface/persistent-storage-csi-manila.adoc#persistent-storage-csi-manila-share-access-rules_persistent-storage-csi-manila[Customizing Manila share access rules] for detailed instructions and examples. ==== [NOTE] diff --git a/modules/persistent-storage-csi-manila-share-access-rules.adoc b/modules/persistent-storage-csi-manila-share-access-rules.adoc new file mode 100644 index 000000000000..bc090efed40a --- /dev/null 
+++ b/modules/persistent-storage-csi-manila-share-access-rules.adoc 
@@ -0,0 +1,107 @@ +// Module included in the following assemblies: +// +// * storage/container_storage_interface/persistent-storage-csi-manila.adoc + +:_mod-docs-content-type: PROCEDURE +[id="persistent-storage-csi-manila-share-access-rules_{context}"] += Customizing Manila share access rules + +By default, {product-title} creates Manila storage classes that provide access to all IPv4 clients (0.0.0.0/0). For enhanced security, it is recommended that OpenShift administrators define custom storage classes with specific client IP addresses or subnets using the `nfs-ShareClient` parameter. + +.Prerequisites + +* {rh-openstack} is deployed with appropriate Manila share infrastructure. +* You have cluster administrator privileges. + +.Procedure + +To create a custom storage class with restricted share access: + +. Create a YAML file for your custom storage class: ++ +.custom-manila-storageclass.yaml +[source,yaml] +---- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: csi-manila-gold-restricted <1> +provisioner: manila.csi.openstack.org +parameters: + type: gold <2> + nfs-ShareClient: "10.0.0.0/24,192.168.1.100" <3> + csi.storage.k8s.io/provisioner-secret-name: manila-csi-secret + csi.storage.k8s.io/provisioner-secret-namespace: openshift-manila-csi-driver + csi.storage.k8s.io/controller-expand-secret-name: manila-csi-secret + csi.storage.k8s.io/controller-expand-secret-namespace: openshift-manila-csi-driver + csi.storage.k8s.io/node-stage-secret-name: manila-csi-secret + csi.storage.k8s.io/node-stage-secret-namespace: openshift-manila-csi-driver + csi.storage.k8s.io/node-publish-secret-name: manila-csi-secret + csi.storage.k8s.io/node-publish-secret-namespace: openshift-manila-csi-driver +allowVolumeExpansion: true +---- ++ +<1> A descriptive name for your custom storage class. +<2> The Manila share type. This should match an existing share type in your OpenStack environment. 
+<3> Comma-separated list of IP addresses or CIDR subnets that are allowed to access the NFS shares. In this example, access is restricted to the `10.0.0.0/24` subnet and the specific IP address `192.168.1.100`. + +. Apply the storage class: ++ +[source,terminal] +---- +$ oc apply -f custom-manila-storageclass.yaml +---- + +. Verify that the storage class was created: ++ +[source,terminal] +---- +$ oc get storageclass csi-manila-gold-restricted +---- + +. Create a PVC that uses the custom storage class: ++ +.pvc-manila-restricted.yaml +[source,yaml] +---- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-manila-restricted +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: csi-manila-gold-restricted <1> +---- ++ +<1> Reference to your custom storage class with restricted access. + +. Apply the PVC: ++ +[source,terminal] +---- +$ oc apply -f pvc-manila-restricted.yaml +---- + +[NOTE] +==== +The `nfs-ShareClient` parameter accepts various formats: + +* Single IP address: `192.168.1.100` +* CIDR subnet: `10.0.0.0/24` +* Multiple entries: `10.0.0.0/24,192.168.1.100,172.16.0.0/16` + +Ensure that the specified IP addresses or subnets include the {product-title} cluster nodes to allow proper mounting of the persistent volumes. +==== + +[IMPORTANT] +==== +When using custom storage classes with restricted access rules, ensure that: + +* The specified IP addresses or subnets include all {product-title} nodes that need to access the storage. +* The Manila service in {rh-openstack} supports the share type specified in the storage class. +* Network connectivity exists between the allowed clients and the Manila share servers. +==== diff --git a/storage/container_storage_interface/persistent-storage-csi-manila.adoc b/storage/container_storage_interface/persistent-storage-csi-manila.adoc index 1b155341de12..c7f11717bdd9 100644 --- a/storage/container_storage_interface/persistent-storage-csi-manila.adoc 
+++ b/storage/container_storage_interface/persistent-storage-csi-manila.adoc @@ -24,6 +24,8 @@ include::modules/persistent-storage-csi-manila-limitations.adoc[leveloffset=+1] include::modules/persistent-storage-csi-manila-dynamic-provisioning.adoc[leveloffset=+1] +include::modules/persistent-storage-csi-manila-share-access-rules.adoc[leveloffset=+1] + [role="_additional-resources"] .Additional resources * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes] From c29082e446bc3298515422246539dbdbc5104dbd Mon Sep 17 00:00:00 2001 From: Max Bridges Date: Wed, 17 Sep 2025 15:47:30 -0400 Subject: [PATCH 2/2] Apply suggestions from writer review --- ...orage-csi-manila-dynamic-provisioning.adoc | 2 +- ...storage-csi-manila-share-access-rules.adoc | 26 +++++++++---------- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc b/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc index 9bfb282d662a..207ec9b43128 100644 --- a/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc +++ b/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc 
@@ -14,7 +14,7 @@ You can use the same pod and persistent volume claim (PVC) definitions on-premis [IMPORTANT] ==== -By default the access-rule assigned to a volume is set to 0.0.0.0/0, which allows access from all IPv4 clients. For enhanced security, it is recommended to create custom storage classes with specific client IP addresses or subnets. See xref:../../storage/container_storage_interface/persistent-storage-csi-manila.adoc#persistent-storage-csi-manila-share-access-rules_persistent-storage-csi-manila[Customizing Manila share access rules] for detailed instructions and examples. +By default, the access rule that is assigned to a volume is `0.0.0.0/0`, which allows access from all IPv4 clients. To limit client access, create custom storage classes that use specific client IP addresses or subnets. For more information, see "Customizing Manila share access rules". ==== [NOTE] diff --git a/modules/persistent-storage-csi-manila-share-access-rules.adoc b/modules/persistent-storage-csi-manila-share-access-rules.adoc index bc090efed40a..2b73307de9f2 100644 --- a/modules/persistent-storage-csi-manila-share-access-rules.adoc +++ b/modules/persistent-storage-csi-manila-share-access-rules.adoc 
@@ -6,20 +6,18 @@ [id="persistent-storage-csi-manila-share-access-rules_{context}"] = Customizing Manila share access rules -By default, {product-title} creates Manila storage classes that provide access to all IPv4 clients (0.0.0.0/0). For enhanced security, it is recommended that OpenShift administrators define custom storage classes with specific client IP addresses or subnets using the `nfs-ShareClient` parameter. +By default, {product-title} creates Manila storage classes that provide access to all IPv4 clients. To limit client access, define custom storage classes that use specific client IP addresses or subnets by using the `nfs-ShareClient` parameter. .Prerequisites -* {rh-openstack} is deployed with appropriate Manila share infrastructure. +* {rh-openstack-first} is deployed with appropriate Manila share infrastructure. * You have cluster administrator privileges. .Procedure -To create a custom storage class with restricted share access: - -. Create a YAML file for your custom storage class: +. Create a YAML file for your custom storage class based on the following example: + -.custom-manila-storageclass.yaml +.Example custom storage class file [source,yaml] ---- apiVersion: storage.k8s.io/v1 
@@ -42,26 +40,26 @@ allowVolumeExpansion: true ---- + <1> A descriptive name for your custom storage class. -<2> The Manila share type. This should match an existing share type in your OpenStack environment. -<3> Comma-separated list of IP addresses or CIDR subnets that are allowed to access the NFS shares. In this example, access is restricted to the `10.0.0.0/24` subnet and the specific IP address `192.168.1.100`. +<2> The Manila share type. This type must match an existing share type in your {rh-openstack} environment. +<3> Comma-separated list of IP addresses or CIDR subnets that are allowed to access the NFS shares. In this example, access is restricted to the `10.0.0.0/24` subnet and the specific IP address is `192.168.1.100`. -. Apply the storage class: +. Apply the storage class from the file by running the following command: + [source,terminal] ---- $ oc apply -f custom-manila-storageclass.yaml ---- -. Verify that the storage class was created: +. Verify that the storage class was created by running the following command: + [source,terminal] ---- $ oc get storageclass csi-manila-gold-restricted ---- -. Create a PVC that uses the custom storage class: +. Create a persistent volume claim (PVC) that uses the custom storage class based on the following example: + -.pvc-manila-restricted.yaml +.Example PVC file [source,yaml] ---- apiVersion: v1 @@ -77,9 +75,9 @@ spec: storageClassName: csi-manila-gold-restricted <1> ---- + -<1> Reference to your custom storage class with restricted access. +<1> The name of your custom storage class that has restricted access. -. Apply the PVC: +. Apply the PVC from the file by running the following command: + [source,terminal] ----
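Review bot: In the new module added by PATCH 1/2 (hunk `@@ -0,0 +1,107 @@` of modules/persistent-storage-csi-manila-share-access-rules.adoc), the parameter is spelled `nfs-ShareClient` in the intro sentence, in the `parameters:` block of the example StorageClass (`nfs-ShareClient: "10.0.0.0/24,192.168.1.100" <3>`) and in the NOTE, while the line being removed from persistent-storage-csi-manila-dynamic-provisioning.adoc in the same patch spells it `nfs-shareClient`. StorageClass parameter keys are matched literally, so only one spelling can be the one the driver reads; if the wrong one ships, a user who copies the example is likely to get a share that silently keeps the default `0.0.0.0/0` rule while believing access is restricted. Please confirm the key name against the driver and use the same spelling in all three places. While here, the NOTE tells the reader to include the cluster nodes in the list but not how to find their addresses; a short hint such as `oc get nodes -o wide` (and a reminder that the relevant addresses are the ones the share server sees) would make the restriction practical to apply.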
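Review bot: In PATCH 2/2, hunk `@@ -6,20 +6,18 @@` of modules/persistent-storage-csi-manila-share-access-rules.adoc drops the `(0.0.0.0/0)` parenthetical from the intro sentence, so the module no longer states the concrete default it is telling the reader to override; the value now appears only in the IMPORTANT box of the dynamic-provisioning module. Since this module is included on its own with `leveloffset=+1`, consider keeping the default in the sentence, for example `...provide access to all IPv4 clients (` `0.0.0.0/0` `).`, so a reader can verify what an unrestricted share looks like before and after applying the custom class.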
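Review bot: In PATCH 2/2, hunk `@@ -42,26 +40,26 @@` of modules/persistent-storage-csi-manila-share-access-rules.adoc, the reworded callout `<3>` reads "access is restricted to the `10.0.0.0/24` subnet and the specific IP address is `192.168.1.100`", which changes the meaning: it now states a fact about an address rather than listing the second allowed client. Suggest "access is restricted to the `10.0.0.0/24` subnet and to the single IP address `192.168.1.100`." The other wording changes in this hunk ("by running the following command", "Example PVC file") read fine.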