Dynamic Provisioning of FlashBlade File Systems

Use PX-CSI to dynamically provision file-based volumes backed by FlashBlade file systems. This page walks you through creating a StorageClass, provisioning a PersistentVolumeClaim (PVC), and mounting it to a pod.

When PX-CSI is deployed, the following StorageClass objects are automatically created. You can use these directly or create custom StorageClass configurations:

kubectl get storageclass

NAME                        PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
px-fa-direct-access         pxd.portworx.com   Delete          Immediate           true                   4d17h
px-fb-direct-access-nfsv3   pxd.portworx.com   Delete          Immediate           true                   4d17h
px-fb-direct-access-nfsv4   pxd.portworx.com   Delete          Immediate           true                   4d17h

(Optional) Create a custom StorageClass

Define a custom StorageClass that specifies the backend ("pure_file"), NFS configuration, and optional topology rules.

important

FlashBlade exports use root_squash by default. If your pod sets an fsGroup, this may result in permission errors (e.g., permission denied, lchown failed).

To prevent this:

• If you are not using secure multi-tenancy, set the parameters.pure_export_rules field to *(rw,no_root_squash) in the StorageClass object.
• If you are using secure multi-tenancy, set the parameters.pure_nfs_export_rules_access field to no_squash in the StorageClass object.

Example StorageClass specifications:

FlashBlade without secure multi-tenancy

To configure a single NFS endpoint, use the following StorageClass specification:

Note: If CSI topology is not enabled, you can omit the allowedTopologies section.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: portworx-csi-fb
provisioner: pxd.portworx.com
parameters:
  backend: "pure_file"
  # pure_nfs_endpoint: "<nfs-endpoint-1>" # use this if you want to use a nfs endpoint different from the one specified in pure.json
  # pure_nfs_server: "<nfs-server>" # use this if you want to use a nfs server different from the default "_array_server"
  # pure_nfs_policy: "<nfs-policy>" # If you are using `pure_nfs_server`, you must also specify `pure_nfs_policy`. If the specified policy does not exist, PX-CSI creates one with default values. 
  # Note that `pure_nfs_policy` and `pure_export_rules` are mutually exclusive.
  pure_export_rules: "*(rw)" 
mountOptions:
  - nfsvers=3
  - tcp
  # - xprtsec=tls  # Optional: enable NFS over TLS (requires `pure_nfs_policy` that references an export rule with TLS enabled, and Linux kernel 6.12 or later with nfs-utils, ktls-util, and openssl on worker nodes)
allowVolumeExpansion: true
allowedTopologies:
  - matchLabelExpressions:
    - key: topology.portworx.io/zone
      values:
        - <zone-1>
    - key: topology.portworx.io/region
      values:
        - <region-1>

FlashBlade with secure multi-tenancy

info

FlashBlade with secure multi-tenancy requires PX-CSI 26.2.0 or later and Purity 4.6.1 or later.

FlashBlade with secure multi-tenancy (using Realms) provides isolated credentials and resource boundaries. When you use this feature, specify an NFS export policy and server that exist within the Realm.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: px-fb-direct-access-realm
provisioner: pxd.portworx.com
parameters:
  backend: "pure_file" 
  pure_nfs_server: <nfs-server> # Required, nfs server created within the Realm
  pure_nfs_endpoint: "<nfs-endpoint-of-server>" # use this field if you want to use a nfs endpoint different from the one specified in pure.json
  pure_nfs_policy: "<nfs-policy>" # Required. If the specified policy name does not exist on the FlashBlade array, PX-CSI creates the policy.
  pure_nfs_export_rules_client: "<client-ip>" # Optional, enter the client as an IP address (IPv6 or IPv4), host name in short or FQDN form (including wildcards), subnet in CIDR notation, netgroup (Active Directory, LDAP, or NIS), or anonymous (*).
  pure_nfs_export_rules_access: "root-squash" # Optional, Access mode: root-squash | all-squash | no-squash
reclaimPolicy: Delete
mountOptions:
  - nfsvers=3 # NFSVers: 3, 4.1
  - tcp
  # - xprtsec=tls  # Optional: enable NFS over TLS (requires `pure_nfs_policy` that references an export rule with TLS enabled, and Linux kernel 6.12 or later with nfs-utils, ktls-util, and openssl on worker nodes)
allowVolumeExpansion: true

important

• Specify both pure_nfs_policy and pure_nfs_server.
• The NFS server must exist within the Realm specified in pure.json.
• PX-CSI automatically creates the NFS export policy and rules if they don't exist. For pre-existing policies, ensure that at least one export rule exists.
• Parameters pure_nfs_policy and pure_export_rules are mutually exclusive.
• Valid values for pure_nfs_export_rules_access: root-squash, all-squash, no-squash.

FlashBlade//EXA

FlashBlade//EXA uses node group-based provisioning instead of traditional size-based provisioning. To provision volumes on FlashBlade//EXA, you must specify the pure_fb_node_group parameter and configure the required protocol and feature settings.

• When pure_fb_node_group is specified, the volume is provisioned on FlashBlade//EXA using node groups. The storage size in the PVC is not used for provisioning but is still required for Kubernetes validation.

• For FlashBlade//EXA to work correctly, the following parameters are required:

  • pure_fb_node_group: Must specify the node group name
  • pure_fb_nfsv4_1_enabled: Must be set to "true"
  • pure_fb_nfsv3_enabled: Must be set to "false"
  • pure_fb_snapshot_directory_enabled: Must be set to "false"
  • pure_fb_hard_limit_enabled: Must be set to "false"

• For HPC workloads, use nconnect=16 in mountOptions to enable multiple TCP connections for improved performance.

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: portworx-csi-fb-exa
  provisioner: pxd.portworx.com
  parameters:
    backend: "pure_file"
    pure_fb_node_group: "group-05"  # Required for FlashBlade//EXA
    pure_export_rules: "*(rw,no_root_squash)"
    pure_fb_nfsv3_enabled: "false"  # Required for FlashBlade//EXA
    pure_fb_nfsv4_1_enabled: "true"  # Required for FlashBlade//EXA
    pure_fb_snapshot_directory_enabled: "false"  # Required for FlashBlade//EXA
    pure_fb_hard_limit_enabled: "false"  # Required for FlashBlade//EXA
    pure_fb_fast_remove_directory_enabled: "true"  # Optional: enables automatic directory deletion
  mountOptions:
    - nfsvers=4.1
    - nconnect=16  # Enables multiple TCP connections for HPC workloads
  allowVolumeExpansion: true
  allowedTopologies:
    - matchLabelExpressions:
      - key: topology.portworx.io/zone
        values:
          - <zone-1>
      - key: topology.portworx.io/region
        values:
          - <region-1>

tip

For a complete list of StorageClass parameters, see the StorageClass reference.

note

To enable NFS over TLS for FlashBlade file systems, add xprtsec=tls to mountOptions and specify pure_nfs_policy that references an export rule with TLS enabled. For instructions on creating NFS export policies and rules, see Creating NFS Export Policies and Rules in the FlashBlade Admin Guide. This requires Purity version 4.6.0 or later. Worker nodes must run Linux kernel 6.12 or later with nfs-utils, ktls-util (tlshd), and openssl installed.

Ensure unique topology labels for FlashBlade

To ensure successful PVC creation, verify that the labels in the allowedTopologies section uniquely identify a single FlashBlade endpoint from the pure.json file.

For example, if you specify topology.portworx.io/zone: <zone-1> in the StorageClass and multiple FlashBlades are listed in the pure.json file, Portworx CSI will fail to create PVCs for FlashBlade Direct Access volumes and display the following error message:

Events:
Type     Reason                Age               From                                                                               Message
----     ------                ----              ----                                                                               -------
Normal   Provisioning          1s (x4 over 10s)  pxd.portworx.com_px-csi-ext-6f77f7c664-xxxx                                        External provisioner is provisioning volume for claim "default/pure-multiple-nfs"
Warning  ProvisioningFailed    1s (x4 over 9s)   pxd.portworx.com_px-csi-ext-6f77f7c664-xxx                                         failed to provision volume with StorageClass "portworx-multiple-nfs": rpc error: code = Internal desc = Failed to create volume: multiple storage backends match volume provisioner, unable to determine which backend the provided NFSEndpoint matches to
Normal   ExternalProvisioning  0s (x3 over 10s)  persistentvolume-controller                                                        Waiting for a volume to be created either by the external provisioner 'pxd.portworx.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.

Apply the StorageClass

Apply the StorageClass specification using the command:

kubectl apply -f <storageclass.yml>

storageclass.storage.k8s.io/portworx-csi-fb created

Create a PVC

1. Once the StorageClass is created, you can create PVCs to request storage for your application.

   note

   The Pure export rules for accessing FlashBlade are defined by the specified accessModes in the PVC specification. *(rw): This rule applies to ReadWriteOnce, ReadWriteMany, and ReadWriteOncePod PVC access modes. It allows clients to perform both read and write operations on the storage. *(ro): This rule applies to ReadOnlyMany PVC access mode. It ensures that the storage can only be accessed in read-only mode, preventing modifications to the data.

   Example PVC specification:

   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
     name: <pure-fb-pvc>
   spec:
     accessModes:
       - ReadWriteMany
     resources:
       requests:
         storage: 10Gi
     storageClassName: <portworx-csi-fb> # Use the name of the StorageClass you created

   tip

   For a complete list of PersistentVolumeClaim fields and annotations, see the PersistentVolumeClaim reference.

2. Apply this YAML to your cluster:

   kubectl apply -f <pvc.yml>

Mount the PVC to a Pod

1. After creating PVCs, mount them to an application Pod to make the storage available.

   Example Pod specification:

   kind: Pod
   apiVersion: v1
   metadata:
     name: nginx-pod
     labels:
       app: nginx
   spec:
     volumes:
     - name: pure-nfs
       persistentVolumeClaim:
         claimName: <pure-fb-pvc> # Use the name of the PVC you created
     containers:
     - name: nginx
       image: nginx
       volumeMounts:
       - name: pure-nfs
         mountPath: /data
       ports:
       - containerPort: 80

2. (Optional) To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

   spec:
     affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
             - key: topology.portworx.io/zone
               operator: In
               values:
               - zone-0
             - key: topology.portworx.io/region
               operator: In
               values:
               - region-0

Verify Pod status

Monitor the Pod’s status to ensure it is running and connected to the volume:

watch kubectl get pods

Once the Pod is Running, verify it can access the FlashBlade volume mounted at /data.