Kubernetes 1.27: CSI node expand secret support moves to Beta

humblec · humblec · commit b805c1fc1bfe · 2023-04-14T22:06:03.000+05:30
diff --git a/content/en/blog/_posts/2023-04-27-node-expand-secret-moves-beta b/content/en/blog/_posts/2023-04-27-node-expand-secret-moves-beta
@@ -0,0 +1,169 @@
++---
++layout: blog
++title: "Kubernetes 1.27: CSI node expand secret support moves to Beta"
++date: 2023-04-27
++slug: csi-node-expand-secret-support-beta
++ ---
++
++**Author:** Humble Chirammal, Louis Koo
+
+In Kubernetes v1.27, support for authenticating during CSI storage resize operations has moved
+from alpha to beta. That feature was originally introduced as alpha in Kubernetes v1.25. This post
+summarizes the changes that accompany the graduation to beta.
+
+## Authentication secrets for CSI storage resizing
+
+Kubernetes uses [CSI](https://kubernetes-csi.github.io) to integrate with third party storage.
+That integration lets your cluster cluster grow storage volumes created or managed by the CSI driver.
+The authentication secret support for resizes, now beta, lets you expand volumes
+even in scenarios where the expansion operation of the underlying storage has to
+make use of credentials to perform the actual operation in the backend cluster.
+For example, you might need to provide a credential for accessing a SAN/NAS fabric.
+Without this feature,  it was a shortcoming for the CSI drivers to expand a volume at _node_ level
+in cases where the storage component requires authentication for resize operations;
+there was no straightforward way for the CSI driver to receive the credentials as part of the
+node-driven resize.
+
+It is worth mentioning that, it is not only the node level expansion operation which was problematic.
+Within SIG Storage, we have seen use cases like below:
+
+At times, the CSI driver needs to check the actual size of the backend block storage (or image) before proceeding with a node-level filesystem expand operation. This avoids false positive returns from the backend storage cluster during file system expansion.
+When a PersistentVolume represents encrypted block storage (for example using LUKS) you need to provide a passphrase in order to expand the device, and also to make it possible to grow the filesystem on that device.
+
+## What's new in the beta?
+
+With the promotion to beta, the feature is now enabled by default. That means you usually do not need
+to enable the feature gate in the control plane components - which was required for the alpha.
+As part of the graduation to beta, the support has also added in the CSI `external-provisioner` sidecar
+controller.
+You need to be running the external provisioner sidecar controller at v3.3.0 or above to take advantage
+of this feature.
+
+## How do I use authenticated CSI storage resizing?
+
+Assuming all the required components (including CSI driver) are already deployed and running on your cluster,
+and you have a CSI Driver that supports resizing, you can try a `NodeExpansion` operation on a CSI volume.
+
+The credentials for that CSI `NodeExpand` operation can be provided as Kubernetes
+[Secret](/docs/concepts/configuration/secret/) object; you specify which Secret via the
+StorageClass.
+
+Here is an example manifest for a Secret that holds credentials:
+
+manifest for a Secret that holds credentials:
+
+```yaml
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret
+ namespace: default
+data:
+stringData:
+ username: admin
+ password: t0p-Secret
+
+```
+
+Here's an example manifest for a StorageClass that refers to those credentials:
+
+```yaml
+
+---
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: csi-blockstorage-sc
+parameters:
+ csi.storage.k8s.io/node-expand-secret-name: test-secret  # the name of the Secret
+ csi.storage.k8s.io/node-expand-secret-namespace: default # the namespace that the Secret is in
+provisioner: blockstorage.cloudprovider.example
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+```
+
+If the PersistentVolumeClaim (PVC) was created successfully, you can see that configuration
+within the `.spec.csi` field of the PersistentVolume (look for `.spec.csi.nodeExpandSecretRef`).
+Check that it worked by running `kubectl get persistentvolume <pv_name> -o yaml`. You should see something like:
+
+```yaml
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ annotations:
+   pv.kubernetes.io/provisioned-by: blockstorage.cloudprovider.example
+ creationTimestamp: "2023-02-26T13:14:07Z"
+ finalizers:
+ - kubernetes.io/pv-protection
+ name: pvc-95eb531a-d675-49f6-940b-9bc3fde83eb0
+ resourceVersion: “178817"
+ uid: 6fa824d7-8a06-4e0c-b722-d3f897dcbd65
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+   storage: 6Gi
+ claimRef:
+   apiVersion: v1
+   kind: PersistentVolumeClaim
+   name: csi-pvc
+   namespace: default
+   resourceVersion: "178817"
+   uid: 95eb531a-d675-49f6-940b-9bc3fde83eb0
+ csi:
+   driver: blockstorage.cloudprovider.example
+   nodeExpandSecretRef:
+     name: test-secret
+     namespace: default
+   volumeAttributes:
+     storage.kubernetes.io/csiProvisionerIdentity: 1648042783218-8081-blockstorage.cloudprovider.example
+   volumeHandle: e21c7809-aabb-11ec-917a-2e2e254eb4cf
+ nodeAffinity:
+   required:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: topology.hostpath.csi/node
+         operator: In
+         values:
+         - racknode01
+ persistentVolumeReclaimPolicy: Delete
+ storageClassName: csi-blockstorage-sc
+ volumeMode: Filesystem
+status:
+ phase: Bound
+
+```
+If you then trigger online storage expansion, the kubelet passes the appropriate credentials to the CSI driver, by loading that Secret and passing the data to the storage driver.
+Here's an example debug log:
+
+```
+
+I0330 03:29:51.966241       1 server.go:101] GRPC call: /csi.v1.Node/NodeExpandVolume
+I0330 03:29:51.966261       1 server.go:105] GRPC request: {"capacity_range":{"required_bytes":7516192768},"secrets":"***stripped***","staging_target_path":"/var/lib/kubelet/plugins/kubernetes.io/csi/blockstorage.cloudprovider.example/f7c62e6e08ce21e9b2a95c841df315ed4c25a15e91d8fcaf20e1c2305e5300ab/globalmount","volume_capability":{"AccessType":{"Mount":{}},"access_mode":{"mode":7}},"volume_id":"e21c7809-aabb-11ec-917a-2e2e254eb4cf","volume_path":"/var/lib/kubelet/pods/bcb1b2c4-5793-425c-acf1-47163a81b4d7/volumes/kubernetes.io~csi/pvc-95eb531a-d675-49f6-940b-9bc3fde83eb0/mount"}
+
+I0330 03:29:51.966360       1 nodeserver.go:459] req:volume_id:"e21c7809-aabb-11ec-917a-2e2e254eb4cf" volume_path:"/var/lib/kubelet/pods/bcb1b2c4-5793-425c-acf1-47163a81b4d7/volumes/kubernetes.io~csi/pvc-95eb531a-d675-49f6-940b-9bc3fde83eb0/mount" capacity_range:<required_bytes:7516192768 > staging_target_path:"/var/lib/kubelet/plugins/kubernetes.io/csi/blockstorage.cloudprovider.example/f7c62e6e08ce21e9b2a95c841df315ed4c25a15e91d8fcaf20e1c2305e5300ab/globalmount" volume_capability:<mount:<> access_mode:<mode:SINGLE_NODE_MULTI_WRITER > > secrets:<key:"XXXXXX" value:"XXXXX" > secrets:<key:"XXXXX" value:"XXXXXX" >
+
+```
+
+## Future plan
+
+Depending on feedback and adoption, the Kubernetes team plans to push the CSI NodeExpandSecret implementation to GA in either 1.28 or 1.29. 
+
+
+## Want to get involved or learn more?
+
+The enhancement proposal includes lots of detail about the history and technical implementation of this feature.
+
+To learn more about StorageClass based dynamic provisioning in Kubernetes, please refer
+to [storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class)
+and to the overall [PersistentVolumes](/docs/concepts/storage/persistent-volumes/) 
+documentation.
+
+Please get involved by joining the Kubernetes Storage SIG (Special Interest Group) to help us enhance this feature. There are a lot of good ideas already and we'd be thrilled to have more!
+
