openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
858ec7700b8b3ead8f1fa1ef2ce3aaedfc4ccd7a
openshift-docs/modules/persistent-storage-csi-external-controllers.adoc
Steven Smith 858ec7700b 4
2022-12-15 20:24:36 +00:00

45 lines
2.0 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * storage/container_storage_interface/persistent_storage-csi.adoc
// * microshift_storage/container_storage_interface_microshift/microshift-persistent-storage-csi.adoc
[id="external-csi-contollers_{context}"]
= External CSI controllers
External CSI Controllers is a deployment that deploys one or more pods
with five containers:
* The snapshotter container watches `VolumeSnapshot` and `VolumeSnapshotContent` objects and is responsible for the creation and deletion of `VolumeSnapshotContent` object.
* The resizer container is a sidecar container that watches for `PersistentVolumeClaim` updates and triggers `ControllerExpandVolume` operations against a CSI endpoint if you request more storage on `PersistentVolumeClaim` object.
* An external CSI attacher container translates `attach` and `detach`
calls from {product-title} to respective `ControllerPublish` and
`ControllerUnpublish` calls to the CSI driver.
* An external CSI provisioner container that translates `provision` and
`delete` calls from {product-title} to respective `CreateVolume` and
`DeleteVolume` calls to the CSI driver.
* A CSI driver container
The CSI attacher and CSI provisioner containers communicate with the CSI
driver container using UNIX Domain Sockets, ensuring that no CSI
communication leaves the pod. The CSI driver is not accessible from
outside of the pod.
[NOTE]
====
`attach`, `detach`, `provision`, and `delete` operations typically require
the CSI driver to use credentials to the storage backend. Run the CSI
controller pods on infrastructure nodes so the credentials are never leaked
to user processes, even in the event of a catastrophic security breach
on a compute node.
====
[NOTE]
====
The external attacher must also run for CSI drivers that do not support
third-party `attach` or `detach` operations. The external attacher will
not issue any `ControllerPublish` or `ControllerUnpublish` operations to
the CSI driver. However, it still must run to implement the necessary
{product-title} attachment API.
====
View Git Blame Copy Permalink