add mount storage doc

Author: umagnus

deploy/example/mountstorage/README.md

@@ -0,0 +1,276 @@
+# Mount an azure blob storage
+
+In case you have the requirement, that your AKS cluster has to access a blob storage with kubelet identity or a dedicated user-assigned managed indentity, the following solution will do this.
+
+You can also use a differnt managed-identity for different persistent volumes (f.e. you have a pod, that should just have write access to some objects while having another pod, that should have write access everywhere.)
+
+
+## Before you begin
+
+- The Azure CLI version 2.37.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+
+- Install the aks-preview Azure CLI extension version 0.5.85 or later.
+
+- Ensure, that you are authenticated or run `az login` 
+
+- Run `az account set --subscription "mysubscription"` to select the right subscription
+
+- Create a storage account container and upload file, e.g.
+    ```bash
+    resourcegroup="aks-fuseblob-mi"
+    storageaccountname="myaksblob"
+    az storage account create -g "$resourcegroup" -n "$storageaccountname" --access-tier Hot  --sku Standard_LRS
+    az storage container create -n mycontainer --account-name "$storageaccountname" --public-access off
+    az storage blob upload \
+        --account-name myaksblob \
+        --container-name mycontainer \
+        --name test.htm \
+        --file test.htm \
+        --auth-mode key --account-key "$(az storage account keys list --account-name "$storageaccountname" --query '[0].value' -o tsv)"
+    ```
+
+## Using kubelet identity
+
+1. Give kubelet identity access to storage account
+    ```bash
+    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
+    kloid="$(az identity list -g "$aksnprg" --query "[?name == 'aks-fuseblob-mi-agentpool'].principalId" -o tsv)"
+    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
+    az role assignment create --assignee-object-id "$kloid" --role "Storage Blob Data Owner" --scope "$said"
+    ```
+
+1. Get the clientID of kubelet identity
+    ```bash
+    az identity list -g "$resourcegroup" --query "[?name == 'aks-fuseblob-mi-agentpool'].clientId" -o tsv
+    ```
+
+## Using a dedicated user-assigned managed indentity
+You can use a dedicated user-assigned managed indentity to mount the storage.
+
+1. Create user-assigned managed identity and give access to storage account
+    ```bash
+    az identity create -n myaksblobmi -g "$resourcegroup"
+    miioid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].principalId" -o tsv)"
+    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
+    az role assignment create --assignee-object-id "$miioid" --role "Storage Blob Data Owner" --scope "$said"
+    ```
+
+1. Assign the user-assigned managed identity to the AKS vm scale set (system nodepool)
+    ```bash
+    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
+    aksnp="$(az vmss list -g "$aksnprg" --query "[?starts_with(name, 'aks-nodepool1-')].name" -o tsv)"
+    miid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].id" -o tsv)"
+    az vmss identity assign -g "$aksnprg" -n "$aksnp" --identities "$miid"
+    ```
+
+1. Get the clientID of your user-assigned managed identity
+    ```bash
+    az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].clientId" -o tsv
+    ```
+
+## Mount the azure blob storage
+
+1. Create a ``volume.yaml`` file and set clientID for ``AzureStorageIdentityClientID``. \
+   Please also check ``resourceGroup`` and ``storageAccount``.
+    ```yml
+    apiVersion: v1
+    kind: PersistentVolume
+    metadata:
+      name: pv-blob1
+    spec:
+      capacity:
+        storage: 10Gi
+      accessModes:
+        - ReadWriteMany
+      persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
+      storageClassName: azureblob-fuse-premium
+      mountOptions:
+        - -o allow_other
+        - --file-cache-timeout-in-seconds=120
+      csi:
+        driver: blob.csi.azure.com
+        readOnly: false
+        # make sure this volumeid is unique in the cluster
+        # `#` is not allowed in self defined volumeHandle
+        volumeHandle: pv-blob1
+        volumeAttributes:
+          protocol: fuse
+          resourceGroup: aks-fuseblob-mi
+          storageAccount: myaksblob
+          containerName: mycontainer
+          AzureStorageAuthType: MSI
+          AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
+    
+    ---
+    
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: pvc-blob1
+    spec:
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 10Gi
+      volumeName: pv-blob1
+      storageClassName: azureblob-fuse-premium
+    ```
+
+1. Create a ``deployment.yaml`` file.
+    ```yml
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: nginx-app1
+      name: nginx-app1
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: nginx-app1
+      template:
+        metadata:
+          labels:
+            app: nginx-app1
+        spec:
+          containers:
+          - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+            name: webapp
+            imagePullPolicy: Always
+            resources: {}
+            ports:
+              - containerPort: 80
+            volumeMounts:
+              - name: pvc-blob1
+                mountPath: /usr/share/nginx/html
+          volumes: 
+            - name: pvc-blob1 
+              persistentVolumeClaim: 
+                claimName:  pvc-blob1
+    status: {}
+    
+    ---
+    
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: nginx-app1
+      labels:
+        run: nginx-app1
+    spec:
+      ports:
+      - port: 80
+        protocol: TCP
+      selector:
+        app: nginx-app1
+      type: LoadBalancer
+    ```
+
+1. Apply the yaml files
+    ```bash
+    # create pv and pvc
+    kubectl apply -f volume.yaml
+    # check it
+    kubectl get pv
+    kubectl get pvc
+
+    # create deployment and service
+    kubectl apply -f deployment.yaml
+    # check it
+    kubectl get pods
+    ```
+
+1. Get the url, that you want to open in the browser
+    ```bash
+    echo "Please surf to: http://$(kubectl get service --field-selector  metadata.name==nginx-app1 -o 'jsonpath={.items[*].status.loadBalancer.ingress[*].ip}')/test.htm"
+    ```
+
+# how to add another pv with a dedicated user-assigned identity?
+
+1. Create another user-assigned managed identity and give access to storage account
+    ```bash
+    az identity create -n myaksblobmi2 -g "$resourcegroup"
+    miioid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].principalId" -o tsv)"
+    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
+    az role assignment create --assignee-object-id "$miioid" --role "Storage Blob Data Reader" --scope "$said"
+    ```
+
+1. Assign the user-assigned managed identity to the AKS vm scale set (system nodepool)
+    ```bash
+    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
+    aksnp="$(az vmss list -g "$aksnprg" --query "[?starts_with(name, 'aks-nodepool1-')].name" -o tsv)"
+    miid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].id" -o tsv)"
+    az vmss identity assign -g "$aksnprg" -n "$aksnp" --identities "$miid"
+    ```
+
+1. Get the objectID of your user-assigned managed identity
+    ```bash
+    az identity list -g -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].principalId" -o tsv
+    ```
+
+1. Create a ``volume2.yaml`` file and set objectID for ``AzureStorageIdentityClientID``. \
+   Please also check ``resourceGroup`` and ``storageAccount``.
+    ```yml
+    apiVersion: v1
+    kind: PersistentVolume
+    metadata:
+      name: pv-blob2
+    spec:
+      capacity:
+        storage: 10Gi
+      accessModes:
+        - ReadWriteMany
+      persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
+      storageClassName: azureblob-fuse-premium
+      mountOptions:
+        - -o allow_other
+        - --file-cache-timeout-in-seconds=120
+      csi:
+        driver: blob.csi.azure.com
+        readOnly: false
+        # make sure this volumeid is unique in the cluster
+        # `#` is not allowed in self defined volumeHandle
+        volumeHandle: pv-blob2
+        volumeAttributes:
+          protocol: fuse
+          resourceGroup: aks-fuseblob-mi
+          storageAccount: myaksblob
+          containerName: mycontainer
+          AzureStorageAuthType: MSI
+          AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
+    
+    ---
+    
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: pvc-blob2
+    spec:
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 10Gi
+      volumeName: pv-blob2
+      storageClassName: azureblob-fuse-premium
+    ```
+
+1. Apply the ``volume2.yaml`` file
+    ```bash
+    # create pv and pvc
+    kubectl apply -f volume2.yaml
+    # check it
+    kubectl get pv
+    kubectl get pvc
+    ```
+
+1. Now you can use the persistent volume claim ``pv-blob2`` in another deployment.
+
+# Security consideration
+You should use at least 2 nodepools (a system and a user node pool) and assign the storage identities just to the user nodepool. Identity needs to be assigned where the pvs are mounted.
+You can use tains to protect the user assigned identity to schedule only authorized pods on the nodepool, that requires the pvs.
+
+
+[install-azure-cli]: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

deploy/example/mountstorage/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-app1
+  name: nginx-app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-app1
+  template:
+    metadata:
+      labels:
+        app: nginx-app1
+    spec:
+      containers:
+      - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+        name: webapp
+        imagePullPolicy: Always
+        resources: {}
+        ports:
+          - containerPort: 80
+        volumeMounts:
+          - name: pvc-blob1
+            mountPath: /usr/share/nginx/html
+      volumes: 
+        - name: pvc-blob1 
+          persistentVolumeClaim: 
+            claimName:  pvc-blob1
+status: {}
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-app1
+  labels:
+    run: nginx-app1
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+  selector:
+    app: nginx-app1
+  type: LoadBalancer

deploy/example/mountstorage/test.htm

@@ -0,0 +1,8 @@
+<html>
+    <head>
+        <title>Hello world</title>
+    </head>
+    <body>
+        <h1>Hello world</h1>
+    </body>
+</html>

deploy/example/mountstorage/volume.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-blob1
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
+  storageClassName: azureblob-fuse-premium
+  mountOptions:
+    - -o allow_other
+    - --file-cache-timeout-in-seconds=120
+  csi:
+    driver: blob.csi.azure.com
+    readOnly: false
+    # make sure this volumeid is unique in the cluster
+    # `#` is not allowed in self defined volumeHandle
+    volumeHandle: pv-blob1
+    volumeAttributes:
+      protocol: fuse
+      resourceGroup: aks-fuseblob-mi
+      storageAccount: myaksblob
+      containerName: mycontainer
+      AzureStorageAuthType: MSI
+      AzureStorageIdentityClientID: "xxxxxx-xxxx-xxxxxxxxxxx-xxxxxxx-xxxxx"
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-blob1
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  volumeName: pv-blob1
+  storageClassName: azureblob-fuse-premium