Allowing the use of generic ephemeral volumes

OpenShift Container Platform 4.11 introduced support for generic ephemeral volumes. A generic ephemeral volume is backed by a persistent volume claim (and the persistent volume bound to it) rather than by the node's local ephemeral storage, but its lifecycle is still tied to the pod: the claim is created together with the pod and deleted with it.

What are generic ephemeral volumes?

A generic ephemeral volume is created when its pod is created and deleted when the pod is deleted, like an emptyDir volume; the difference is that the backing storage comes from a persistent volume claim generated from a template in the pod spec instead of from the node's ephemeral storage. Because the claim is provisioned through a normal storage class, the volume gets the capacity and access mode requested in the template and is not limited by the node's local disk.

  • Example: the following pod uses a generic ephemeral volume backed by the vSphere CSI storage class thin-csi. The volumeClaimTemplate is the only difference from an ordinary PVC-backed pod; the claim itself is created by the control plane when the pod is admitted.
kind: Pod
apiVersion: v1
metadata:
  name: my-app
spec:
  containers:
    - name: my-frontend
      image: busybox:1.28
      volumeMounts:
      - mountPath: "/scratch"
        name: scratch-volume
      command: [ "sleep", "1000000" ]
  volumes:
    - name: scratch-volume
      ephemeral:
        volumeClaimTemplate:
          metadata:
            labels:
              type: my-frontend-volume
          spec:
            accessModes: [ "ReadWriteOnce" ]
            storageClassName: "thin-csi"
            resources:
              requests:
                storage: 1Gi

In 4.11, by default, users cannot create pods that use generic ephemeral volumes such as the one above. They get the following error message when trying to create the pod:

Error from server (Forbidden): error when creating "pod.yaml": pods "my-app" is forbidden: unable to validate against any security context constraint

This is caused by a known bug in the initial OpenShift 4.11 release: the default security context constraints (SCCs) do not list ephemeral among their allowed volume types, so the admission controller finds no SCC that the pod can be validated against and rejects it. Red Hat has addressed the issue in OpenShift 4.13. However, the fix only covers newly deployed clusters; existing clusters need the manual steps below.

Creating custom SCC to support the use of generic ephemeral volumes

  1. Copy the default restricted SCC

    # oc get scc restricted -o yaml > ephemeral_restricted_scc.yaml
    
  2. Patch the copied SCC. The merge patch (ephemeral_patch.yml) must give the copy a new name, add ephemeral to its list of allowed volume types, and drop the server-managed metadata fields (resourceVersion, uid, creationTimestamp) that oc create would otherwise reject. Also check that users and groups in the copy are empty, so that the only grant is the explicit one made in the next section.

    # oc patch -f ephemeral_restricted_scc.yaml --local --patch-file ephemeral_patch.yml --type merge -o yaml > patched_scc.yaml
    
  3. Create an SCC that supports ephemeral volumes

    # oc create -f patched_scc.yaml
    

Assigning custom SCC to specific namespace

The newly created SCC also needs to be granted in the namespace that needs it. Granting it to the group system:serviceaccounts:<namespace> covers every service account in that namespace and nothing outside it:

# oc adm policy add-scc-to-group <scc_name> system:serviceaccounts:<serviceaccount_namespace>

This allows pods in that namespace to use generic ephemeral volumes. If only one workload needs them, grant the SCC to that workload's service account instead (oc adm policy add-scc-to-user with -z <serviceaccount>) so that the other service accounts stay on the default SCC. In either case the new SCC carries the restricted SCC's other settings, so the only capability being added is the ephemeral volume type.
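The whole procedure (check whether the cluster is affected, build and create the SCC, grant it, verify a pod) as one script. This is an added example and not part of the original article or of OpenShift; the SCC name restricted-ephemeral, the namespace my-project, the contents of ephemeral_patch.yml (which the article references but does not show) and the volume list of the restricted SCC are assumptions, so compare them with your own cluster's copy before running it.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): automates the workaround
# above, from building the patched SCC to checking that a pod really runs
# under it. Assumed, because the article does not show them: the SCC name
# (restricted-ephemeral), the namespace (my-project), the contents of
# ephemeral_patch.yml, and the volume list of the restricted SCC as copied
# from a 4.11 cluster; compare it with your own copy before applying.
set -euo pipefail

SCC_NAME="${SCC_NAME:-restricted-ephemeral}"
NS="${NS:-my-project}"

# Does this cluster need the workaround at all? Prints the volume types the
# SCC allows; if "ephemeral" is not among them, pods with generic ephemeral
# volumes cannot be validated against it.
check_scc() {
  oc get scc "${1:-restricted}" -o jsonpath='{.volumes}{"\n"}'
}

# ephemeral_patch.yml as a JSON merge patch (oc patch --type merge).
# Two properties of merge patches matter here:
#  - a list in the patch replaces the whole list in the object, so every
#    volume type the copy should allow is spelled out, with ephemeral added;
#  - a key set to null is removed, which strips the server-managed fields
#    that make "oc create" reject a straight copy (resourceVersion etc.).
# users/groups are emptied so that nobody gets the SCC until the explicit
# grant below.
write_patch() {
  cat <<EOF
metadata:
  name: ${SCC_NAME}
  uid: null
  resourceVersion: null
  creationTimestamp: null
  generation: null
users: []
groups: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
EOF
}

# Steps 1-3 of the article, plus a check of the patched file before it is
# sent to the cluster: the rename and the new volume type must both be
# present, otherwise oc create fails or, worse, succeeds without fixing it.
create_scc() {
  oc get scc restricted -o yaml > ephemeral_restricted_scc.yaml
  write_patch > ephemeral_patch.yml
  oc patch -f ephemeral_restricted_scc.yaml --local --type merge \
    --patch-file ephemeral_patch.yml -o yaml > patched_scc.yaml
  grep -q "name: ${SCC_NAME}" patched_scc.yaml
  grep -q '^[[:space:]]*- ephemeral$' patched_scc.yaml
  oc create -f patched_scc.yaml
}

# Grant the SCC to every service account in the namespace, as the article
# does ...
assign_scc_to_namespace() {
  oc adm policy add-scc-to-group "${SCC_NAME}" "system:serviceaccounts:${NS}"
}

# ... or only to the service account the pod actually runs as.
assign_scc_to_sa() {
  oc adm policy add-scc-to-user "${SCC_NAME}" -z "$1" -n "${NS}"
}

# After creating the pod: the admission plugin records the SCC it validated
# against in the openshift.io/scc annotation, so anything other than
# SCC_NAME means the pod was admitted by a different (and possibly more
# permissive) SCC. The PVC generated from the volumeClaimTemplate is named
# <pod>-<volume> and owned by the pod, which is what deletes it with the pod.
verify_pod() {
  local pod="$1" volume="${2:-scratch-volume}"
  oc get pod "${pod}" -n "${NS}" \
    -o jsonpath='{.metadata.annotations.openshift\.io/scc}{"\n"}'
  oc get pvc "${pod}-${volume}" -n "${NS}" \
    -o jsonpath='{.metadata.ownerReferences[0].kind}/{.metadata.ownerReferences[0].name}{"\n"}'
}

case "${1:-}" in
  check)  check_scc "${2:-restricted}" ;;
  create) create_scc ;;
  assign) assign_scc_to_namespace ;;
  verify) verify_pod "${2:?pod name}" "${3:-scratch-volume}" ;;
  *)      echo "usage: $0 check [scc] | create | assign | verify <pod> [volume]" ;;
esac
```

Run it as "check" first: if the printed list already contains ephemeral, the cluster has the fix and no custom SCC is needed. After "create" and "assign", create the pod from the example above and run "verify my-app"; the first line printed should be the custom SCC name and the second should be Pod/my-app, which confirms both that the pod was admitted by the intended SCC and that the claim is owned by the pod rather than left behind when the pod goes away.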
