openshift · gouthampacha · Sep 17, 2025 · Sep 17, 2025 · maxwelldb · Sep 17, 2025
diff --git a/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc b/modules/persistent-storage-csi-manila-dynamic-provisioning.adoc
@@ -14,7 +14,7 @@ You can use the same pod and persistent volume claim (PVC) definitions on-premis
 
 [IMPORTANT]
 ====
-By default the access-rule assigned to a volume is set to 0.0.0.0/0. To limit the clients that can mount the persistent volume (PV), create a new storage class with an IP or a subnet mask in the `nfs-shareClient` storage class parameter.
+By default, the access rule that is assigned to a volume is `0.0.0.0/0`, which allows access from all IPv4 clients. To limit client access, create custom storage classes that use specific client IP addresses or subnets. For more information, see "Customizing Manila share access rules".
 ====
 
 [NOTE]

diff --git a/modules/persistent-storage-csi-manila-share-access-rules.adoc b/modules/persistent-storage-csi-manila-share-access-rules.adoc
@@ -0,0 +1,105 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-manila.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-manila-share-access-rules_{context}"]
+= Customizing Manila share access rules
+
+By default, {product-title} creates Manila storage classes that provide access to all IPv4 clients. To limit client access, define custom storage classes that use specific client IP addresses or subnets by using the `nfs-ShareClient` parameter.
+
+.Prerequisites
+
+* {rh-openstack-first} is deployed with appropriate Manila share infrastructure.
+* You have cluster administrator privileges.
+
+.Procedure
+
+. Create a YAML file for your custom storage class based on the following example:
++
+.Example custom storage class file
+[source,yaml]
+----
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: csi-manila-gold-restricted <1>
+provisioner: manila.csi.openstack.org
+parameters:
+  type: gold <2>
+  nfs-ShareClient: "10.0.0.0/24,192.168.1.100" <3>
+  csi.storage.k8s.io/provisioner-secret-name: manila-csi-secret
+  csi.storage.k8s.io/provisioner-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/controller-expand-secret-name: manila-csi-secret
+  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/node-stage-secret-name: manila-csi-secret
+  csi.storage.k8s.io/node-stage-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/node-publish-secret-name: manila-csi-secret
+  csi.storage.k8s.io/node-publish-secret-namespace: openshift-manila-csi-driver
+allowVolumeExpansion: true
+----
++
+<1> A descriptive name for your custom storage class.
+<2> The Manila share type. This type must match an existing share type in your {rh-openstack} environment.
+<3> Comma-separated list of IP addresses or CIDR subnets that are allowed to access the NFS shares. In this example, access is restricted to the `10.0.0.0/24` subnet and the specific IP address is `192.168.1.100`.
+
+. Apply the storage class from the file by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f custom-manila-storageclass.yaml
+----
+
+. Verify that the storage class was created by running the following command:
++
+[source,terminal]
+----
+$ oc get storageclass csi-manila-gold-restricted
+----
+
+. Create a persistent volume claim (PVC) that uses the custom storage class based on the following example:
++
+.Example PVC file
+[source,yaml]
+----
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-manila-restricted
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: csi-manila-gold-restricted <1>
+----
++
+<1> The name of your custom storage class that has restricted access.
+
+. Apply the PVC from the file by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f pvc-manila-restricted.yaml
+----
+
+[NOTE]
+====
+The `nfs-ShareClient` parameter accepts various formats:
+
+* Single IP address: `192.168.1.100`
+* CIDR subnet: `10.0.0.0/24`
+* Multiple entries: `10.0.0.0/24,192.168.1.100,172.16.0.0/16`
+
+Ensure that the specified IP addresses or subnets include the {product-title} cluster nodes to allow proper mounting of the persistent volumes.
+====
+
+[IMPORTANT]
+====
+When using custom storage classes with restricted access rules, ensure that:
+
+* The specified IP addresses or subnets include all {product-title} nodes that need to access the storage.
+* The Manila service in {rh-openstack} supports the share type specified in the storage class.
+* Network connectivity exists between the allowed clients and the Manila share servers.
+====
diff --git a/storage/container_storage_interface/persistent-storage-csi-manila.adoc b/storage/container_storage_interface/persistent-storage-csi-manila.adoc
@@ -24,6 +24,8 @@ include::modules/persistent-storage-csi-manila-limitations.adoc[leveloffset=+1]
 
 include::modules/persistent-storage-csi-manila-dynamic-provisioning.adoc[leveloffset=+1]
 
+include::modules/persistent-storage-csi-manila-share-access-rules.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 .Additional resources
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
-Original file line number
+Diff line change
@@ Expand Up @@
     [IMPORTANT]
     ====
-    By default the access-rule assigned to a volume is set to 0.0.0.0/0. To limit the clients that can mount the persistent volume (PV), create a new storage class with an IP or a subnet mask in the `nfs-shareClient` storage class parameter.
+    By default, the access rule that is assigned to a volume is `0.0.0.0/0`, which allows access from all IPv4 clients. To limit client access, create custom storage classes that use specific client IP addresses or subnets. For more information, see "Customizing Manila share access rules".
     ====
     [NOTE]
@@ Expand Down @@