Update workload-identity-static-pv-mount.md

kubernetes-sigs · Jan 8, 2024 · bfd8358 · bfd8358
1 parent d28d57b
commit bfd8358
Showing 1 changed file with 42 additions and 3 deletions.
diff --git a/docs/workload-identity-static-pv-mount.md b/docs/workload-identity-static-pv-mount.md
@@ -1,5 +1,8 @@
 # workload identity support on static provisioning
  - supported from v1.23.3
+
+This feature is specifically designed for blobfuse mount and is not available for NFS mount as NFS mount does not require credentials. There is a standalone blobfuse mount for every pod, it may cause performance issues when multiple pods are present on a single node.
+
 ## Prerequisites
 ### 1. Create a cluster with oidc-issuer enabled and get the credential
 
@@ -10,12 +13,12 @@ export CLUSTER_NAME=<your cluster name>
 export REGION=<your region>
 ```
 
-### 2. Create a new storage account and container
+### 2. Bring your own storage account and storage container
 Following the [documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli) to create a new storage account and container or use your own. And export following environment variables:
 ```
 export STORAGE_RESOURCE_GROUP=<your storage account resource group>
 export ACCOUNT=<your storage account name>
-export CONTAINER=<your container name>
+export CONTAINER=<your storage container name>
 ```
 
 ### 3. Create managed identity and role assignment
@@ -56,7 +59,7 @@ az identity federated-credential create --name $FEDERATED_IDENTITY_NAME \
 --issuer $AKS_OIDC_ISSUER \
 --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}
 ```
-
+## option#1: static provision with PV
 ```
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
@@ -132,3 +135,39 @@ spec:
             storage: 10Gi
 EOF
 ```
+
+## option#2: Pod with ephemeral inline volume
+```
+cat <<EOF | kubectl apply -f -
+kind: Pod
+apiVersion: v1
+metadata:
+  name: nginx-blobfuse-inline-volume
+spec:
+  serviceAccountName: $SERVICE_ACCOUNT_NAME  #required, Pod does not use this service account has no permission to mount the volume
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-blobfuse
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/blobfuse/outfile; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/blobfuse"
+          readOnly: false
+  volumes:
+    - name: persistent-storage
+      csi:
+        driver: blob.csi.azure.com
+        volumeAttributes:
+          storageaccount: $ACCOUNT # required
+          containerName: $CONTAINER  # required
+          clientID: $USER_ASSIGNED_CLIENT_ID # required
+          resourcegroup: $STORAGE_RESOURCE_GROUP # optional, specified when the storage account is not under AKS node resource group(which is prefixed with "MC_")
+          # tenantID: $IDENTITY_TENANT  # optional, only specified when workload identity and AKS cluster are in different tenant
+          # subscriptionid: $SUBSCRIPTION # optional, only specified when workload identity and AKS cluster are in different subscription
+EOF
+```