Unsolved

7 Posts

July 16th, 2021 06:00

PowerStore CSI - wrong IP in export

We have been doing some POCs using the powerstore CSI driver to see if we can satisfy RWO (block) and RWX (file) off the same array.  After some hiccups getting the helm to install, I am doing some testing.  I am having issues getting NFS PVCs to actually mount up to pods.  I was able to hack together a work around using the external access feature in the my-powerstore-settings.yaml.

The issue is we have a private non-routed VLAN we isolate container NFS traffic to.  All of our worker nodes get a bond on the public and private VLANs.  When the CSI driver is creating the host access on the export, it is using the public IP.  This is resulting in access deny errors when the workers try to access the exports over the private VLAN.  Is there any setting we can do to address this?  Even if it's just some list on the array with IPs for all worker nodes by default (like how NetApp SVMs work) would be fine.

1. Red Hat Enterprise Linux CoreOS 47.83.202106032343-0 (kernel 4.18.0-240.22.1.el8_3.x86_64)
2. RedHat OpenShift 4.7.16
3. CSI-PowerStore 1.4
4. Helm
5. 1.0.4.0.5.006
6. n/a
7. Unsure
8. Unsure
9. Yes
10. Create an export
11. Export created with correct IP
12. PVCs
13.
```
Name: malpvc01
Namespace: malcolm
StorageClass: powerstore-nfs
Status: Bound
Volume: ocpl01-349d682ba8
Labels:
Annotations: pv.kubernetes.io/bind-completed: yes
pv.kubernetes.io/bound-by-controller: yes
volume.beta.kubernetes.io/storage-provisioner: csi-powerstore.dellemc.com
Finalizers: [kubernetes.io/pvc-protection]
Capacity: 25Gi
Access Modes: RWO
VolumeMode: Filesystem
Mounted By: openshift-php-upload-demo-64bdbccf55-st7r5
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ExternalProvisioning 74m persistentvolume-controller waiting for a volume to be created, either by external provisioner "csi-powerstore.dellemc.com" or manually created by system administrator
Normal Provisioning 74m (x2 over 74m) csi-powerstore.dellemc.com_powerstore-controller-bfc8bc69c-2g872_e7bf2982-0c8e-45dd-8a0e-4e3f59e6dace External provisioner is provisioning volume for claim "malcolm/malpvc01"
Normal ProvisioningSucceeded 74m (x2 over 74m) csi-powerstore.dellemc.com_powerstore-controller-bfc8bc69c-2g872_e7bf2982-0c8e-45dd-8a0e-4e3f59e6dace Successfully provisioned volume ocpl01-349d682ba8
```

14. Can provide if needed
15. Worker nodes have a bond0 outward facing IP and a bond1 private NFS IP.

166 Posts

July 19th, 2021 00:00

Hi @a malcontent,

You can use the option `externalAccess` to set the range of IPs to configure in the export: https://dell.github.io/storage-plugin-docs/docs/features/powerstore/#configuring-custom-access-to-nfs-exports

HTH

July 19th, 2021 05:00

I saw that feature and tested it.  I considered it a hack and not really a good option.  One, it has a single IP or a range (i.e. the entire subnet).  Doing a single IP doesn't help me.  Doing the entire subnet is just bad security.  I was hoping for a better solution.

166 Posts

July 29th, 2021 05:00

The CSI Driver for PowerScale/Isilon has an option named `allowedNetwork` where you can put a CIDR address so the driver selects the IP of the node that matches that address and only the matching IPs will be put in the export.

A ticket is opened so PowerStore supports the same.
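
The difference between the two approaches discussed in this thread, as an added example that is not part of any post and is not Dell driver code: it models the `allowedNetwork` behaviour described in the last reply (pick each node's address inside a CIDR) and compares the resulting export host list with granting the whole subnet. Node names, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: each worker has a public bond0 and a private bond1 address.
NODES = {
    "worker-0": ["10.20.0.11", "192.168.50.11"],
    "worker-1": ["10.20.0.12", "192.168.50.12"],
    "worker-2": ["10.20.0.13"],  # bond1 missing: nothing on the NFS VLAN
}


def select_export_hosts(nodes, allowed_network):
    """Return ({node: ip} to place in the export, [nodes with no matching IP])."""
    # strict=True rejects a CIDR with host bits set (e.g. 192.168.50.1/24),
    # a common typo that would otherwise silently change the match.
    net = ipaddress.ip_network(allowed_network, strict=True)
    hosts, unmatched = {}, []
    for name, addrs in sorted(nodes.items()):
        matches = [a for a in addrs if ipaddress.ip_address(a) in net]
        if matches:
            hosts[name] = matches[0]
        else:
            # Surface this instead of falling back to the public address:
            # the fallback is what produces "access denied" on the private VLAN.
            unmatched.append(name)
    return hosts, unmatched


def exposure(nodes, allowed_network):
    """Count addresses granted access: per-node entries vs. the whole subnet."""
    net = ipaddress.ip_network(allowed_network, strict=True)
    hosts, unmatched = select_export_hosts(nodes, allowed_network)
    # Usable host addresses in an IPv4 subnet (network/broadcast excluded).
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "per_node_entries": len(hosts),
        "subnet_wide_addresses": usable,
        "nodes_without_access": unmatched,
    }


if __name__ == "__main__":
    print(select_export_hosts(NODES, "192.168.50.0/24"))
    print(exposure(NODES, "192.168.50.0/24"))
```

With the constructed data, the export lists two host addresses instead of every address in the /24, and the node without a private interface is reported rather than exported by its public IP.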
