
The Container Storage Interface (CSI) allows OKD to consume storage from storage back ends that implement the CSI interface as persistent storage.

OKD 4 supports version 1.6.0 of the CSI specification.

CSI Architecture

CSI drivers are typically shipped as container images. These containers are not aware of the OKD cluster where they run. To use a CSI-compatible storage back end in OKD, the cluster administrator must deploy several components that serve as a bridge between OKD and the storage driver.

The following diagram provides a high-level overview of the components running in pods in the OKD cluster.

Architecture of CSI components

It is possible to run multiple CSI drivers for different storage back ends. Each driver needs its own external controllers deployment and daemon set with the driver and CSI registrar.

External CSI controllers

External CSI Controllers is a deployment that deploys one or more pods with five containers:

  • The snapshotter container watches VolumeSnapshot and VolumeSnapshotContent objects and is responsible for the creation and deletion of VolumeSnapshotContent objects.

  • The resizer container is a sidecar container that watches for PersistentVolumeClaim updates and triggers ControllerExpandVolume operations against a CSI endpoint if you request more storage on a PersistentVolumeClaim object.

  • An external CSI attacher container translates attach and detach calls from OKD to the respective ControllerPublish and ControllerUnpublish calls to the CSI driver.

  • An external CSI provisioner container translates provision and delete calls from OKD to the respective CreateVolume and DeleteVolume calls to the CSI driver.

  • A CSI driver container.

The CSI attacher and CSI provisioner containers communicate with the CSI driver container using UNIX Domain Sockets, ensuring that no CSI communication leaves the pod. The CSI driver is not accessible from outside of the pod.

Attach, detach, provision, and delete operations typically require the CSI driver to use credentials for the storage back end. Run the CSI controller pods on infrastructure nodes so the credentials are never leaked to user processes, even in the event of a catastrophic security breach on a compute node.

The external attacher must also run for CSI drivers that do not support third-party attach or detach operations. The external attacher will not issue any ControllerPublish or ControllerUnpublish operations to the CSI driver. However, it still must run to implement the necessary OKD attachment API.

CSI driver daemon set

The CSI driver daemon set runs a pod on every node that allows OKD to mount storage provided by the CSI driver to the node and use it in user workloads (pods) as persistent volumes (PVs). The pod with the CSI driver installed contains the following containers:

  • A CSI driver registrar, which registers the CSI driver into the openshift-node service running on the node. The openshift-node process running on the node then directly connects with the CSI driver using the UNIX Domain Socket available on the node.

  • A CSI driver.

The CSI driver deployed on the node should have as few credentials to the storage back end as possible. OKD will only use the node plugin set of CSI calls such as NodePublish/NodeUnpublish and NodeStage/NodeUnstage, if these calls are implemented.
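The placement and credential guidance above (controller pods on infrastructure nodes with the CSI socket kept inside the pod, node pods holding as few storage credentials as possible) can be checked against pod specs. The following Python check is an added example, not part of the OKD documentation or of any CSI driver; the sample manifests, the secret name, and the use of the node-role.kubernetes.io/infra label to identify infrastructure nodes are assumptions.

```python
# Added example: audit CSI pod specs. All manifests and names are constructed.
INFRA_LABEL = "node-role.kubernetes.io/infra"  # assumed infra node label

def secret_refs(pod_spec):
    """Names of every Secret a pod spec references via volumes or env."""
    names = {v["secret"]["secretName"]
             for v in pod_spec.get("volumes", []) if "secret" in v}
    for c in pod_spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    return names

def audit_controller(pod_spec):
    """Findings for an external CSI controllers pod."""
    findings = []
    if INFRA_LABEL not in pod_spec.get("nodeSelector", {}):
        findings.append("controller not pinned to infrastructure nodes")
    for v in pod_spec.get("volumes", []):
        if "hostPath" in v:  # pod files such as the CSI socket land on the node
            findings.append(f"hostPath volume {v['name']} is visible on the node")
    return findings

def audit_node(pod_spec, controller_spec):
    """Findings for the CSI driver daemon set pod."""
    shared = secret_refs(pod_spec) & secret_refs(controller_spec)
    return [f"node pod reuses controller secret {s}" for s in sorted(shared)]

# Constructed sample specs (not from OKD or any real driver).
controller = {
    "nodeSelector": {INFRA_LABEL: ""},
    "volumes": [{"name": "socket-dir", "emptyDir": {}},
                {"name": "creds", "secret": {"secretName": "example-backend-creds"}}],
    "containers": [{"name": "csi-driver"}, {"name": "csi-provisioner"}],
}
weak_controller = {"volumes": [{"name": "socket-dir", "hostPath": {"path": "/var/lib/example-csi"}}],
                   "containers": [{"name": "csi-driver"}]}
node = {"volumes": [{"name": "plugin-dir", "hostPath": {"path": "/var/lib/kubelet/plugins/example"}}],
        "containers": [{"name": "csi-driver", "envFrom": [{"secretRef": {"name": "example-backend-creds"}}]}]}

if __name__ == "__main__":
    print("controller:", audit_controller(controller) or "ok")
    print("weak controller:", audit_controller(weak_controller))
    print("node:", audit_node(node, controller))
```

The hostPath check applies only to the controller pod: the node daemon set needs a host directory so that the node service can reach the driver socket, which is why the node pod is audited for shared credentials instead.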

CSI drivers supported by OKD

OKD installs certain CSI drivers by default, giving users storage options that are not possible with in-tree volume plugins.

To create CSI-provisioned persistent volumes that mount to these supported storage assets, OKD installs the necessary CSI driver Operator, the CSI driver, and the required storage class by default. For more details about the default namespace of the Operator and driver, see the documentation for the specific CSI Driver Operator.

The following table describes the CSI drivers that are installed with OKD and which CSI features they support, such as volume snapshots, cloning, and resize.

Table 1. Supported CSI drivers and features in OKD
CSI driver CSI volume snapshots CSI cloning CSI resize

AliCloud Disk

-

AWS EBS

-

AWS EFS

-

-

-

Google Compute Platform (GCP) persistent disk (PD)

-

GCP Filestore

IBM VPC Block

[3]

-

[3]

Microsoft Azure Disk

Microsoft Azure Stack Hub

Microsoft Azure File

-

-

OpenStack Cinder

OpenShift Data Foundation

OpenStack Manila

-

-

Red Hat Virtualization (oVirt)

-

-

VMware vSphere

[1]

-

[2]

1.

  • Requires vSphere version 7.0 Update 3 or later for both vCenter Server and ESXi.

  • Does not support fileshare volumes.

2.

  • Offline volume expansion: minimum required vSphere version is 6.7 Update 3 P06.

  • Online volume expansion: minimum required vSphere version is 7.0 Update 2.

3.

  • Does not support offline snapshots or resize. Volume must be attached to a running pod.

If your CSI driver is not listed in the preceding tab