NetApp / trident

Storage orchestrator for containers
Apache License 2.0

Manual addition of exports with autoexport #503

Open siggins1 opened 3 years ago

siggins1 commented 3 years ago

Describe the solution you'd like

At the moment I am not aware of the ability to add exports to a PVC from another IP address. We would like the ability to add manual IPs via the autoexport function.

Describe alternatives you've considered

I've tried adding manual exports via the NetApp CLI, but those are removed by the autoexport function. The only solution is to go back to manual entirely and export all PVCs with the full set of IPs -- this is not ideal!

gnarl commented 3 years ago

Hi @siggins1 ,

Can you describe the use case you are wanting to implement in more detail? The Dynamic Export Policy feature restricts traffic to just the K8S nodes where the volume can be mounted. Trident will automatically modify Export Policy rules as K8S nodes are added or removed.

siggins1 commented 3 years ago

Chuck,

We are migrating data into the OKD cluster, but need to mount the NFS volumes from nodes not currently OKD/Kubernetes controlled. Without the ability to manually add export IPs, it is impossible to do this. Specifically, we are looking at using NetApp XCP, or rsync, to copy into the Kubernetes nodes.

At the moment we cannot use the dynamic export policy until after the migration is completed. Even then I can see cases where we might want to mount volumes outside of the cluster.

Thanks! Douglas

On Tue, Jan 12, 2021 at 4:22 PM Chuck Fouts notifications@github.com wrote:

> Hi @siggins1,
>
> Can you describe the use case you are wanting to implement in more detail? The Dynamic Export Policy feature restricts traffic to just the K8S nodes where the volume can be mounted. Trident will automatically modify Export Policy rules as K8S nodes are added or removed.


gnarl commented 3 years ago

Hi Douglas,

You should be able to do this using the autoExportCIDRs field in the backend configuration to specify a list of allowed IP ranges. Let me know if this doesn't work.

siggins1 commented 3 years ago

AFAIK and if I understand correctly this is what you are allowing to be exported, but trident doesn't actually export that full CIDR list on a specific PVC.

There is a big difference between allowed to be exported, and actually exported. Let me know if I am understanding this incorrectly. There is no current method to add an IP to an existing claim if the system is not part of the cluster.

If I don't understand this correctly -- understand I am the storage person relaying the information in this article -- I need specific information to relay to the person trying to handle this.

On Wed, Jan 13, 2021 at 3:02 PM Chuck Fouts notifications@github.com wrote:

> Hi Douglas,
>
> You should be able to do this using the autoExportCIDRs field in the backend configuration (https://netapp-trident.readthedocs.io/en/stable-v20.10/kubernetes/operations/tasks/backends/ontap/ontap-nas/dynamic-export-policies.html?highlight=dynamic) to specify a list of allowed IP ranges. Let me know if this doesn't work.


wonderland commented 3 years ago

I agree that this would be useful to have. I came across different use cases where volumes are used to exchange data with entities outside the k8s cluster: IoT or edge devices providing data to an app running in k8s, engineers providing or retrieving data to/from an app, ...

It would be helpful if at least one could add custom rules to the Trident export policy. Right now, any rules added manually (ONTAP CLI, Ansible, ...) will be deleted by Trident eventually. Maybe have a certain rule index range that isn't touched by Trident? Of course, specifying the IPs directly on the k8s side would be preferred, but that is a bigger feature to implement, I guess?

gnarl commented 3 years ago

@siggins1, you are correct that this is being restricted to just the IPs of the nodes where volumes are mounted. So that isn't going to work for your use case here. We have to balance your request with those customers that want increased security by limiting network access as much as possible.

@wonderland, thanks for providing another use case to consider.

We'll track this as an enhancement request.
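As an added illustration of the distinction the thread settles on (an address being allowed by autoExportCIDRs versus actually having an export rule) and of why hand-added rules disappear, the following Python models the behaviour gnarl and wonderland describe. It is an example written for this page, not Trident's own code: the node addresses, the migration host, the CIDR lists and the "client/32 -> permission" rule format are all constructed for the demonstration.

```python
import ipaddress

# Constructed sample data (not from the thread): two cluster node IPs and
# one migration host that is not a cluster node.
NODE_IPS = ["10.0.1.11", "10.0.1.12"]
MIGRATION_HOST = "10.0.5.40"


def allowed_node_ips(node_ips, auto_export_cidrs):
    """Node IPs that fall inside autoExportCIDRs, sorted.

    Hypothetical model of the behaviour described in the thread: the CIDR
    list only filters which *node* addresses are eligible for a rule; it
    never adds an address that is not a cluster node.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in auto_export_cidrs]
    eligible = []
    for ip in node_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            eligible.append(addr)
    # Sort by (version, numeric value) so mixed v4/v6 lists do not raise.
    return [str(a) for a in sorted(eligible, key=lambda a: (a.version, int(a)))]


def desired_export_rules(node_ips, auto_export_cidrs):
    """One export-policy rule per eligible node IP (constructed rule format)."""
    return {f"{ip}/32": "rw" for ip in allowed_node_ips(node_ips, auto_export_cidrs)}


def reconcile(current_rules, desired_rules):
    """Diff the rules present on the policy against the desired set.

    Returns (to_add, to_remove). A rule added out of band (ONTAP CLI,
    Ansible) is not in the desired set, so it lands in to_remove, which is
    the "eventually deleted" behaviour the thread reports.
    """
    to_add = sorted(set(desired_rules) - set(current_rules))
    to_remove = sorted(set(current_rules) - set(desired_rules))
    return to_add, to_remove


def can_mount(client_ip, node_ips, auto_export_cidrs):
    """True only if client_ip has a rule in the reconciled policy."""
    return f"{client_ip}/32" in desired_export_rules(node_ips, auto_export_cidrs)


if __name__ == "__main__":
    wide = ["10.0.0.0/16"]  # covers both nodes and the migration host
    desired = desired_export_rules(NODE_IPS, wide)
    print("rules:", desired)
    # The migration host is inside the CIDR but is not a node: no rule.
    print("migration host exported:", can_mount(MIGRATION_HOST, NODE_IPS, wide))
    # A rule added by hand is scheduled for removal on the next reconcile.
    current = dict(desired, **{f"{MIGRATION_HOST}/32": "rw"})
    print("reconcile:", reconcile(current, desired))
```

The model makes the two observations from the thread concrete: narrowing autoExportCIDRs can only shrink the exported set (a CIDR that excludes every node yields no rules at all), and any client that is not a node is never exported regardless of how wide the CIDR is, so a manually added rule for it is reverted at the next reconcile.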