- Documentation
- OKD
- Container Security Guide
- Attached Storage
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
You are viewing documentation for a release that is no longer maintained. To view the documentation for the most recent version, see the latest OKD docs.
- About
- What's New?
- Getting Started
- Architecture
- Container Security Guide
- Installing Clusters
- Upgrading Clusters
- Configuring Clusters
- Overview
- Setting up the Registry
- Setting up a Router
- Deploying Red Hat CloudForms
- Master and Node Configuration
- OpenShift Ansible Broker Configuration
- Adding Hosts to an Existing Cluster
- Loading the Default Image Streams and Templates
- Configuring Custom Certificates
- Redeploying Certificates
- Configuring Authentication and User Agent
- Syncing groups with LDAP
- Configuring LDAP failover
- Configuring the SDN
- Configuring Nuage SDN
- Configuring Kuryr SDN
- Configuring for AWS
- Configuring for Red Hat Virtualization
- Configuring for OpenStack
- Configuring for Google Compute Engine
- Configuring for Azure
- Configuring for VMWare vSphere
- Configuring Local Volumes
- Configuring Persistent Storage
- Overview
- Using NFS
- Using GlusterFS
- Using OpenStack Cinder
- Using Ceph RBD
- Using AWS Elastic Block Store
- Using GCE Persistent Disk
- Using iSCSI
- Using Fibre Channel
- Using Azure Disk
- Using Azure File
- Using FlexVolume
- Using VMware vSphere volumes for persistent storage
- Using Local Volume
- Using Container Storage Interface (CSI)
- Using OpenStack Manila shares
- Dynamic Provisioning and Creating Storage Classes
- Volume Security
- Selector-Label Volume Binding
- Enabling Controller-managed Attachment and Detachment
- Persistent Volume Snapshots
- Persistent Storage Examples
- Overview
- Sharing an NFS PV Across Two Pods
- Using Ceph RBD for Persistent Storage
- Using Ceph RBD for dynamic provisioning
- Complete Example Using GlusterFS
- Complete Example Using GlusterFS for Dynamic Provisioning
- Mounting Volumes To Privileged Pods
- Switching an Integrated OpenShift Container Registry to GlusterFS
- Binding Persistent Volumes by Label
- Using StorageClasses for Dynamic Provisioning
- Using StorageClasses for Existing Legacy Storage
- Configuring Azure Blob Storage for Integrated Docker Registry
- Configuring Ephemeral Storage
- Working with HTTP Proxies
- Configuring Global Build Defaults and Overrides
- Configuring Pipeline Execution
- Configuring Route Timeouts
- Configuring Native Container Routing
- Routing from Edge Load Balancers
- Aggregating Container Logs
- Aggregate Logging Sizing Guidelines
- Enabling Cluster Metrics
- Customizing the Web Console
- Deploying External Persistent Volume Provisioners
- Day Two Operations Guide
- Cluster Administration
- Overview
- Managing Nodes
- Restoring your cluster
- Replacing a master host
- Managing Users
- Managing Projects
- Managing Pods
- Managing Networking
- Configuring Service Accounts
- Managing Role-based Access Control
- Image Policy
- Image Signatures
- Scoped Tokens
- Monitoring Images
- Managing Security Context Constraints
- Scheduling
- Setting Quotas
- Setting Multi-Project Quotas
- Setting Limit Ranges
- Pruning objects
- Extending the Kubernetes API with Custom Resources
- Garbage Collection
- Allocating Node Resources
- Opaque Integer Resources
- Node Problem Detector
- Overcommitting
- Assigning Unique External IPs for Ingress Traffic
- Out of Resource Handling
- Monitoring and Debugging Routers
- High Availability
- IPtables
- Securing Builds by Strategy
- Restricting Application Capabilities Using Seccomp
- Sysctls
- Encrypting Data at Datastore Layer
- Encrypting traffic between nodes with IPsec
- Building Dependency Trees
- Replacing a failed etcd member
- Restoring etcd quorum
- Troubleshooting Networking
- Diagnostics Tool
- Idling Applications
- Analyzing Cluster Capacity
- Disabling Features using Feature Gates
- Kuryr SDN Administration
- Scaling and Performance Guide
- Overview
- Recommended Installation Practices
- Recommended Host Practices
- Optimizing Compute Resources
- Optimizing Persistent Storage
- Optimizing Ephemeral Storage
- Network Optimization
- Routing Optimization
- Scaling Cluster Metrics
- Cluster Limits
- Using Cluster Loader
- Using CPU Manager
- Managing Huge Pages
- Optimizing On GlusterFS Storage
- CLI Reference
- Developer Guide
- Overview
- Application Life Cycle Management
- Authentication
- Authorization
- Projects
- Migrating Applications
- Tutorials
- Builds
- Deployments
- Templates
- Opening a Remote Shell to Containers
- Service Accounts
- Managing Images
- Quotas and Limit Ranges
- Injecting Information into Pods Using Pod Presets
- Getting Traffic into a Cluster
- Routes
- Integrating External Services
- Using Device Manager
- Using Device Plug-ins
- Secrets
- ConfigMaps
- Downward API
- Projected Volumes
- Using Daemonsets
- Pod Autoscaling
- Managing Volumes
- Using Persistent Volumes
- Expanding Persistent Volumes
- Executing Remote Commands
- Copying Files
- Port Forwarding
- Shared Memory
- Application Health
- Events
- Managing Environment Variables
- Jobs
- OpenShift Pipeline
- Cron Jobs
- Create from URL
- Creating an object from a custom resource definition
- Application memory sizing
- Creating Images
- Using Images
- Ansible Playbook Bundle Development Guide
- REST API Reference
- Overview
- Examples
- /api/v1
- v1.APIResourceList
- v1.APIVersions
- v1.Binding
- v1.ComponentStatus
- v1.ConfigMap
- v1.Endpoints
- v1.Event
- v1.LimitRange
- v1.Namespace
- v1.Node
- v1.PersistentVolume
- v1.PersistentVolumeClaim
- v1.Pod
- v1.PodTemplate
- v1.ReplicationController
- v1.ResourceQuota
- v1.Secret
- v1.SecurityContextConstraints
- v1.Service
- v1.ServiceAccount
- /apis/v1
- /apis/apps/v1beta1
- /apis/autoscaling/v1
- /apis/batch/v1
- /apis/batch/v2alpha1
- /apis/extensions/v1beta1
- /apis/policy/v1beta1
- /apis/authentication.k8s.io/v1
- /apis/authentication.k8s.io/v1beta1
- /apis/authorization.k8s.io/v1
- /apis/authorization.k8s.io/v1beta1
- /apis/rbac.authorization.k8s.io/v1beta1
- /apis/certificates.k8s.io/v1beta1
- /apis/networking.k8s.io/v1
- /apis/storage.k8s.io/v1
- /apis/storage.k8s.io/v1beta1
- /apis/apps.openshift.io/v1
- /apis/authorization.openshift.io/v1
- /apis/build.openshift.io/v1
- /apis/image.openshift.io/v1
- /apis/network.openshift.io/v1
- /apis/oauth.openshift.io/v1
- /apis/project.openshift.io/v1
- /apis/quota.openshift.io/v1
- /apis/route.openshift.io/v1
- /apis/security.openshift.io/v1
- /apis/template.openshift.io/v1
- /apis/user.openshift.io/v1
- /oapi/v1
- v1.AppliedClusterResourceQuota
- v1.Build
- v1.BuildConfig
- v1.ClusterNetwork
- v1.ClusterResourceQuota
- v1.ClusterRole
- v1.ClusterRoleBinding
- v1.DeploymentConfig
- v1.DeploymentConfigRollback
- v1.EgressNetworkPolicy
- v1.Group
- v1.HostSubnet
- v1.Identity
- v1.Image
- v1.ImageSignature
- v1.ImageStream
- v1.ImageStreamImage
- v1.ImageStreamImport
- v1.ImageStreamMapping
- v1.ImageStreamTag
- v1.LocalResourceAccessReview
- v1.LocalSubjectAccessReview
- v1.NetNamespace
- v1.OAuthAccessToken
- v1.OAuthAuthorizeToken
- v1.OAuthClient
- v1.OAuthClientAuthorization
- v1.PodSecurityPolicyReview
- v1.PodSecurityPolicySelfSubjectReview
- v1.PodSecurityPolicySubjectReview
- v1.ProcessedTemplate
- v1.Project
- v1.ProjectRequest
- v1.ResourceAccessReview
- v1.Role
- v1.RoleBinding
- v1.RoleBindingRestriction
- v1.Route
- v1.SelfSubjectRulesReview
- v1.SubjectAccessReview
- v1.SubjectRulesReview
- v1.Template
- v1.User
- v1.UserIdentityMapping
×
Attached Storage
Persistent Volume Plug-ins
Containers are useful for both stateless and stateful applications. Protecting attached storage is a key element of securing stateful services.
OKD provides plug-ins for multiple types of storage, including NFS, AWS Elastic Block Stores (EBS), GCE Persistent Disks, GlusterFS, iSCSI, RADOS (Ceph) and Cinder. Data in transit is encrypted via HTTPS for all OKD components communicating with each other.
You can mount PersistentVolume (PV) on a host in any way supported by your
storage type. Different types of storage have different capabilities and each
PV’s access modes are set to the specific modes supported by that particular
volume.
For example, NFS can support multiple read/write clients, but a specific NFS PV
might be exported on the server as read-only. Each PV has its own set of access
modes describing that specific PV’s capabilities, such as ReadWriteOnce,
ReadOnlyMany, and ReadWriteMany.
Further Reading
-
OKD Architecture: Additional Concepts → Storage
-
OKD Configuring Clusters: Configuring Persistent Storage → Volume Security
Shared Storage
For shared storage providers like NFS, Ceph, and Gluster, the PV registers its group ID (GID) as an annotation on the PV resource. Then, when the PV is claimed by the pod, the annotated GID is added to the supplemental groups of the pod, giving that pod access to the contents of the shared storage.
Further Reading
-
OKD Configuring Clusters
Block Storage
For block storage providers like AWS Elastic Block Store (EBS), GCE Persistent Disks, and iSCSI, OKD uses SELinux capabilities to secure the root of the mounted volume for non-privileged pods, making the mounted volume owned by and only visible to the container with which it is associated.