Persistent Storage in vSphere Supervisor
Some Kubernetes workloads use persistent storage to store data permanently. vSphere Supervisor integrates with Cloud Native Storage (CNS) to provision persistent storage. To understand how vSphere Supervisor uses persistent storage, refer to the vSphere IaaS Control Plane Concepts and Planning documentation and the vSphere Storage documentation.

Creating Storage Policies for vSphere Supervisor
Before you enable vSphere Supervisor, you must set up the storage that provisions the Kubernetes infrastructure. You achieve this task by creating storage policies to be used in the Supervisor and its namespaces.

To automate the creation of a tag-based storage policy, use the VMware® vSphere Management SDK. For more information about how to create a tag-based storage policy through the Web Services API, see the VMware Storage Policy SDK Programming Guide and the vSphere Web Services SDK Programming Guide.

Optionally, you can use the vSphere Automation APIs to create a tag and add it to the datastore. See the vSphere Tag Service chapter. Currently, you can create a tag-based storage policy only through the Web Services APIs.

Use the vSphere Automation APIs to retrieve the default storage policy of a specific datastore by calling the get(datastore_ID) function of the com.vmware.vcenter.datastore.DefaultPolicy service. You can also retrieve commonly used information about the storage policies available in the vCenter Server instance by calling the list() function of the Policies service.

You can use the storage policies retrieved through the vSphere Automation APIs to perform the following tasks:
- Assign the storage policies to the Supervisor. The storage policies set within the Supervisor enable specification ensure that the Supervisor control plane, the ephemeral disks of all vSphere Pods, and the container images are placed on the datastores that the policies represent. See Configuring NSX for vSphere Supervisor.
- Assign the storage policies to the vSphere Namespace. The storage policies associated with a namespace determine which datastores the namespace can access and use for persistent volumes for the vSphere Pod and for the pods inside a TKG cluster. See Create a vSphere Namespace.
Enabling ReadWriteMany Support
You can enable ReadWriteMany support in vSphere Supervisor and allow multiple pods and applications to mount a single persistent volume simultaneously. In vSphere 7.0 Update 3, only TKG clusters support persistent volumes in ReadWriteMany mode.

When you enable file volume support for vSphere Supervisor, be aware of the potential security weaknesses:
- The volumes are mounted without encryption. The unencrypted data might be accessed while it transits the network.
- An Access Control List (ACL) is used on the file shares to isolate file share access within a Supervisor namespace. Because the ACL is keyed on client IP addresses, it carries a risk of IP spoofing.

Follow these guidelines for networking:
- Make sure that vSAN File Services is routable from the Workload network and that there is no NAT between the Workload network and the vSAN File Services IP addresses.
- Use a common DNS server for vSAN File Services and the vSphere cluster.
- If your vSphere Supervisor uses NSX networking, use the SNAT IP of the Supervisor namespace and the SNAT IP of the TKG cluster for the ACL configuration.
- If your vSphere Supervisor uses vSphere Distributed Switch (VDS) networking, use the TKG cluster VM IP or the IP of the Supervisor namespace for the ACL configuration.
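As an added example (not VMware's own code), the following Python check audits a planned file share ACL for one namespace against the guidelines above: every non-blocking entry should be a single host that is one of the namespace's expected sources (its SNAT IP under NSX, or the TKG cluster VM IP or namespace IP under VDS), and root should not be passed through. The NetPermission structure is a simplified construction that only mirrors the IP, permission and allow-root fields of a file share network permission; the sample entries are constructed, not taken from a real cluster.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetPermission:
    """Simplified model (constructed here) of one file share ACL entry."""
    ips: str           # single IP or CIDR as written in the ACL
    permissions: str   # READ_ONLY, READ_WRITE or NO_ACCESS
    allow_root: bool   # True if root on the client stays root on the share


def audit_namespace_acl(entries, expected_sources):
    """Return human-readable findings for ACL entries that weaken the
    per-namespace isolation the Supervisor relies on.

    expected_sources: the IPs that should be the only clients of this
    namespace's shares (SNAT IPs with NSX, VM/namespace IPs with VDS).
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_sources}
    findings = []
    for entry in entries:
        if entry.permissions == "NO_ACCESS":
            continue  # a deny entry cannot widen access
        net = ipaddress.ip_network(entry.ips, strict=False)
        if net.num_addresses > 1:
            # A range admits every host in it, not just the namespace's
            # SNAT/VM IP, so any client in that range can mount the share.
            findings.append(
                f"{entry.ips}: grants {entry.permissions} to "
                f"{net.num_addresses} hosts; use the single SNAT/VM IP instead"
            )
            continue
        host = net.network_address
        if host not in expected:
            findings.append(
                f"{entry.ips}: not an expected source for this namespace"
            )
        if entry.allow_root:
            findings.append(
                f"{entry.ips}: allow_root set; a spoofed client would have "
                "root on the share, squash root instead"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: one tight entry, one /24 range, one stray host.
    sample = [
        NetPermission("10.10.0.5/32", "READ_WRITE", False),
        NetPermission("10.10.0.0/24", "READ_WRITE", False),
        NetPermission("10.10.0.9", "READ_ONLY", True),
    ]
    for line in audit_namespace_acl(sample, ["10.10.0.5", "10.10.0.6"]):
        print(line)
```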
Before you activate the file volume support on a Supervisor, you must set up a vSAN cluster with vSAN File Service enabled. To configure a vSAN cluster with vSAN File Service enabled in the vSphere Client, see the Configure File Services topic in the Administering VMware vSAN documentation. For more information about how to achieve this task programmatically, see the vSAN SDKs Programming Guide.

You activate the ReadWriteMany support on a cluster when you enable vSphere Supervisor on it, or when you reconfigure an existing Supervisor. See Enable vSphere Supervisor on a Cluster with NSX as the Networking Stack, Enable vSphere Supervisor on a Cluster with the vSphere Networking Stack, and Reconfiguring a Supervisor. Pass the list of vSAN clusters to be used for provisioning file volumes by using the setCnsFileConfig(CNSFileConfig cnsFileConfig) Java method. Currently, you can use only the current vSphere cluster for provisioning file volumes, and only if it is a vSAN cluster with vSAN File Service enabled. To deactivate the persistent volume support on a Supervisor, pass an empty list when you set the Cloud Native Storage persistent storage support for the cluster. Existing ReadWriteMany persistent volumes already provisioned in the cluster remain unaffected and usable.