Update README.md

andyzhangx · web-flow · commit c0ad7222d6a9 · 2024-07-12T16:16:26.000+08:00
diff --git a/deploy/example/blobfuse-mi/README.md b/deploy/example/blobfuse-mi/README.md
@@ -1,42 +1,30 @@
-# Mount an azure blob storage
-
-In case you have the requirement, that your AKS cluster has to access a blob storage with kubelet identity or a dedicated user-assigned managed identity, the following solution will do this.
-
-You can also use a different managed-identity for different persistent volumes (f.e. you have a pod, that should just have write access to some objects while having another pod, that should have write access everywhere.)
+# blobfuse mount with managed identity
 
+This article demonstrates the process of utilizing blobfuse mount with either a dedicated user-assigned managed identity or kubelet identity.
 
 ## Before you begin
+ - Make sure the managed identity has `Storage Blob Data Owner` role to the storage account
+ > here is an example that uses Azure CLI commands to assign the `Storage Blob Data Owner` role to the managed identity for the storage account. If the storage account is created by the driver(dynamic provisoning), then you need to grant `Storage Blob Data Owner` role to the resource group where the storage account is located
 
-- The Azure CLI version 2.37.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
-
-- Install the aks-preview Azure CLI extension version 0.5.85 or later.
-
-- Ensure, that you are authenticated or run `az login` 
-
-- Run `az account set --subscription "mysubscription"` to select the right subscription
-
-- Create a storage account container(optional in dynamic provisioning), e.g.
     ```bash
-    resourcegroup="blobfuse-mi"
-    storageaccountname="myaksblob"
-    az storage account create -g "$resourcegroup" -n "$storageaccountname" --access-tier Hot  --sku Standard_LRS
-    az storage container create -n mycontainer --account-name "$storageaccountname" --public-access off
+    kloid="$(az identity list -g "$resourcegroup" --query "[?name == 'managedIdentityName'].principalId" -o tsv)"
+    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
+    az role assignment create --assignee-object-id "$kloid" --role "Storage Blob Data Owner" --scope "$said"
     ```
 
-- Get the clientID for `AzureStorageIdentityClientID`. If you use kubelet identity, the identity name is `blobfuse-mi-agentpool`, and the resourcegroup is node resourcegroup, or you can use a dedicated user-assigned managed identity
+
+ - Retrieve the clientID for `AzureStorageIdentityClientID`. If you are using kubelet identity, the identity will be named {aks-cluster-name}-agentpool and located in the node resource group.
     ```bash
-    az identity list -g "$resourcegroup" --query "[?name == '$identityname'].clientId" -o tsv
+    AzureStorageIdentityClientID=`az identity list -g "$resourcegroup" --query "[?name == '$identityname'].clientId" -o tsv`
     ```
     
-## dynamic provisioning in an existing resource group
-
-1. Grant cluster system assigned identity(control plane identity) `Storage Account Contributor` role to resource group, if mount in an existing storage account, then should also grant identities to storage account
+## dynamic provisioning
+- Ensure that the system-assigned identity of your cluster control plane has the `Storage Account Contributor role` for the storage account.
+ > if the storage account is created by the driver, then you need to grant `Storage Account Contributor` role to the resource group where the storage account is located
 
-1. Grant kubelet identity `Storage Blob Data Owner` role to resource group to mount blob storage, if mount in an existing storage account, then should also grant identity to storage account
+ > AKS cluster control plane identity already has `Contributor` role on the node resource group by default.
 
-1. Create a storage class in an existing resource group
-    - Option#1 create storage account by CSI driver, will create a new storage account when `storageAccount` and `containerName` are not provided.
-    - Option#2 use your own storage account, set storage account name for `storageAccount`, you can also set an existing container name for `containerName` if you want to mount an existing container.
+1. Create a storage class
     ```yml
     apiVersion: storage.k8s.io/v1
     kind: StorageClass
@@ -46,9 +34,9 @@ You can also use a different managed-identity for different persistent volumes (
     parameters:
       skuName: Premium_LRS 
       protocol: fuse
-      resourceGroup: EXISTING_RESOURCE_GROUP_NAME
-      storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, if use existing storage account
-      containerName: EXISTING_CONTAINER_NAME # optional, if use existing container
+      resourceGroup: EXISTING_RESOURCE_GROUP_NAME   # optional, node resource group if it's not provided
+      storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, driver will create a new account if it's not provided
+      containerName: EXISTING_CONTAINER_NAME # optional, driver will create a new container if it's not provided
       AzureStorageAuthType: MSI
       AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
     reclaimPolicy: Delete
@@ -66,79 +54,21 @@ You can also use a different managed-identity for different persistent volumes (
       - --cache-size-mb=1000  # Default will be 80% of available memory, eviction will happen beyond that.
     ```
 
-1. Create application
-    - Create a statefulset with volume mount
+1. create a statefulset with blobfuse volume mount
       ```console
       kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/statefulset.yaml
       ```
 
-    - Execute `df -h` command in the container
-      ```console
-      kubectl exec -it statefulset-blob-0 -- df -h
-      ```
-      <pre>
-      Filesystem      Size  Used Avail Use% Mounted on
-      ...
-      blobfuse         14G   41M   13G   1% /mnt/blob
-      ...
-      </pre>
-
-## static provisioning(use an existing storage account)
-### Option#1: grant kubelet identity access to storage account
-
-1. Give kubelet identity access to storage account
-    ```bash
-    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
-    kloid="$(az identity list -g "$aksnprg" --query "[?name == 'blobfuse-mi-agentpool'].principalId" -o tsv)"
-    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
-    az role assignment create --assignee-object-id "$kloid" --role "Storage Blob Data Owner" --scope "$said"
-    ```
-
-1. Get the clientID of kubelet identity
-    ```bash
-    az identity list -g "$aksnprg" --query "[?name == 'blobfuse-mi-agentpool'].clientId" -o tsv
-    ```
-
-### Option#2: grant a dedicated user-assigned managed identity access to storage account
-You can use a dedicated user-assigned managed identity to mount the storage.
-
-1. Create user-assigned managed identity and give access to storage account
-    ```bash
-    az identity create -n myaksblobmi -g "$resourcegroup"
-    miioid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].principalId" -o tsv)"
-    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
-    az role assignment create --assignee-object-id "$miioid" --role "Storage Blob Data Owner" --scope "$said"
-    ```
-
-1. Assign the user-assigned managed identity to the AKS vm scale set (system nodepool)
-    ```bash
-    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
-    aksnp="$(az vmss list -g "$aksnprg" --query "[?starts_with(name, 'aks-nodepool1-')].name" -o tsv)"
-    miid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].id" -o tsv)"
-    az vmss identity assign -g "$aksnprg" -n "$aksnp" --identities "$miid"
-    ```
-
-1. Get the clientID of your user-assigned managed identity
-    ```bash
-    az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi'].clientId" -o tsv
-    ```
-
-### Mount the azure blob storage
-
-1. Create storage class
-    ```console
-    kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/storageclass-blobfuse.yaml
-    ```
-
-1. Create PV and set clientID for ``AzureStorageIdentityClientID``. Please also check ``resourceGroup`` and ``storageAccount``.
+## static provisioning(bring your own storage account and blob container)
+1. Create PV with specified account name, blob container and AzureStorageIdentityClientID
     ```yml
     apiVersion: v1
     kind: PersistentVolume
     metadata:
       name: pv-blob
     spec:
       capacity:
-        storage: 10Gi
+        storage: 100Gi
       accessModes:
         - ReadWriteMany
       persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
@@ -148,91 +78,19 @@ You can use a dedicated user-assigned managed identity to mount the storage.
         - --file-cache-timeout-in-seconds=120
       csi:
         driver: blob.csi.azure.com
-        readOnly: false
         # make sure this volumeid is unique in the cluster
         # `#` is not allowed in self defined volumeHandle
         volumeHandle: pv-blob
         volumeAttributes:
           protocol: fuse
-          resourceGroup: blobfuse-mi
-          storageAccount: myaksblob
-          containerName: mycontainer
+          resourceGroup: EXISTING_RESOURCE_GROUP_NAME   # optional, node resource group if it's not provided
+          storageAccount: EXISTING_STORAGE_ACCOUNT_NAME
+          containerName: EXISTING_CONTAINER_NAME
           AzureStorageAuthType: MSI
           AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
     ```
 
-1. Create PVC and a deployment with volume mount
+1. create a pvc and a deployment with blobfuse volume mount
     ```console
     kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/deployment.yaml
-    # check pod
-    kubectl get pods
-    ```
-
-## how to add another pv with a dedicated user-assigned identity?
-
-1. Create another user-assigned managed identity and give access to storage account
-    ```bash
-    az identity create -n myaksblobmi2 -g "$resourcegroup"
-    miioid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].principalId" -o tsv)"
-    said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
-    az role assignment create --assignee-object-id "$miioid" --role "Storage Blob Data Reader" --scope "$said"
-    ```
-
-1. Assign the user-assigned managed identity to the AKS vm scale set (system nodepool)
-    ```bash
-    aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
-    aksnp="$(az vmss list -g "$aksnprg" --query "[?starts_with(name, 'aks-nodepool1-')].name" -o tsv)"
-    miid="$(az identity list -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].id" -o tsv)"
-    az vmss identity assign -g "$aksnprg" -n "$aksnp" --identities "$miid"
-    ```
-
-1. Get the objectID of your user-assigned managed identity
-    ```bash
-    az identity list -g -g "$resourcegroup" --query "[?name == 'myaksblobmi2'].principalId" -o tsv
-    ```
-
-1. Create storage class
-    ```console
-    kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/storageclass-blobfuse.yaml
-    ```
-
-1. Create PV and set objectID for ``AzureStorageIdentityClientID``. \
-   Please also check ``resourceGroup`` and ``storageAccount``.
-    ```yml
-    apiVersion: v1
-    kind: PersistentVolume
-    metadata:
-      name: pv-blob
-    spec:
-      capacity:
-        storage: 10Gi
-      accessModes:
-        - ReadWriteMany
-      persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
-      storageClassName: blob-fuse
-      mountOptions:
-        - -o allow_other
-        - --file-cache-timeout-in-seconds=120
-      csi:
-        driver: blob.csi.azure.com
-        readOnly: false
-        # make sure this volumeid is unique in the cluster
-        # `#` is not allowed in self defined volumeHandle
-        volumeHandle: pv-blob
-        volumeAttributes:
-          protocol: fuse
-          resourceGroup: blobfuse-mi
-          storageAccount: myaksblob
-          containerName: mycontainer
-          AzureStorageAuthType: MSI
-          AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
     ```
-
-1. Create PVC
-    ```console
-    kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/pvc-blob-csi-static.yaml
-    # make sure pvc is created and in Bound status after a while
-    kubectl describe pvc pvc-blob
-    ```
-
-1. Now you can use the persistent volume claim ``pv-blob`` in another deployment.
