dynamic-provisioning-azure-file-definition.adoc

File metadata and controls

58 lines (52 loc) · 2.06 KB

Azure File object definition

The Azure File StorageClass uses secrets to store the Azure storage account name and the storage account key that are required to create an Azure Files share. These permissions are created as part of the following procedure.

Procedure
  1. Define a ClusterRole that allows access to create and view secrets:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    #  name: system:azure-cloud-provider
      name: <persistent-volume-binder-role> (1)
    rules:
    - apiGroups: ['']
      resources: ['secrets']
      verbs:     ['get','create']
    1. The name of the ClusterRole to view and create secrets.

  2. Add the ClusterRole to the ServiceAccount:

    $ oc adm policy add-cluster-role-to-user <persistent-volume-binder-role> system:serviceaccount:kube-system:persistent-volume-binder

  3. Create the Azure File StorageClass:

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: <azure-file> (1)
    provisioner: kubernetes.io/azure-file
    parameters:
      location: eastus (2)
      skuName: Standard_LRS (3)
      storageAccount: <storage-account> (4)
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    1. Name of the StorageClass. The PersistentVolumeClaim uses this StorageClass for provisioning the associated PersistentVolumes.

    2. Location of the Azure storage account, such as eastus. Default is empty, meaning that a new Azure storage account will be created in the {product-title} cluster’s location.

    3. SKU tier of the Azure storage account, such as Standard_LRS. Default is empty, meaning that a new Azure storage account will be created with the Standard_LRS SKU.

    4. Name of the Azure storage account. If a storage account is provided, then skuName and location are ignored. If no storage account is provided, then the StorageClass searches the storage accounts that are associated with the resource group for any account that matches the defined skuName and location.
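
The ClusterRole from step 1 is bound cluster-wide, so it is worth confirming that it grants only `get` and `create` on `secrets` and has not drifted. The following check is an added example, not part of the original procedure or the product's tooling; it assumes the role is supplied as the JSON that `oc get clusterrole <persistent-volume-binder-role> -o json` returns, and `audit_cluster_role` and both sample roles are hypothetical, constructed for illustration.

```python
import json

# What step 1 of the procedure grants: get/create on core-group secrets only.
EXPECTED = {("", "secrets"): {"get", "create"}}


def audit_cluster_role(role):
    """Return one finding per rule entry that grants more than EXPECTED."""
    findings = []
    for idx, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {idx}: unexpected nonResourceURLs {rule['nonResourceURLs']}")
            continue
        for group in rule.get("apiGroups") or []:
            for resource in rule.get("resources") or []:
                allowed = EXPECTED.get((group, resource))
                if allowed is None:
                    # Covers wildcards ('*') and any resource other than secrets.
                    findings.append(
                        f"rule {idx}: unexpected grant on {group or 'core'}/{resource}: {sorted(verbs)}")
                elif verbs - allowed:
                    # list/watch on secrets would return secret data, not just names.
                    findings.append(
                        f"rule {idx}: extra verbs on secrets: {sorted(verbs - allowed)}")
    return findings


# Constructed sample: the role exactly as the procedure defines it.
AS_DOCUMENTED = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "<persistent-volume-binder-role>"},
 "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create"]}]}
""")

# Constructed sample: the same role after someone widened it.
DRIFTED = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "<persistent-volume-binder-role>"},
 "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "list"]},
           {"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]}
""")

if __name__ == "__main__":
    for label, role in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(label, audit_cluster_role(role) or "OK")
```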