parameter names are case-insensitive
| Name | Meaning | Example | Mandatory | Default value |
|---|---|---|---|---|
| skuName | Azure storage account type (alias: storageAccountType) |
Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS |
No | Standard_LRS |
| location | Azure location | eastus, westus, etc. |
No | if empty, driver will use the same location name as current k8s cluster |
| resourceGroup | Azure resource group name | existing resource group name | No | if empty, driver will use the same resource group name as current k8s cluster |
| storageAccount | specify Azure storage account name | STORAGE_ACCOUNT_NAME | - No for blobfuse mount - Yes for NFSv3 mount |
- For blobfuse mount: if empty, driver will find a suitable storage account that matches skuName in the same resource group; if a storage account name is provided, storage account must exist. - For NFSv3 mount, storage account name must be provided |
| protocol | specify blobfuse mount or NFSv3 mount | fuse, nfs |
No | fuse |
| containerName | specify the existing container name | existing container name | No | if empty, driver will create a new container name, starting with pvc-fuse for blobfuse or pvc-nfs for NFSv3 |
| server | specify Azure storage account server address | existing server address, e.g. accountname.privatelink.blob.core.windows.net |
No | if empty, driver will use default accountname.blob.core.windows.net or other sovereign cloud account address |
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | true,false |
No | false |
| storageEndpointSuffix | specify Azure storage endpoint suffix | core.windows.net |
No | if empty, driver will use default storage endpoint suffix according to cloud environment, e.g. core.windows.net |
| tags | tags would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | "" |
| --- | Following parameters are only for blobfuse | --- | --- | |
| storeAccountKey | whether store account key to k8s secret Note: false means driver would leverage kubelet identity to get account key |
true,false |
No | true |
| secretName | specify secret name to store account key | No | ||
| secretNamespace | specify the namespace of secret to store account key | default,kube-system, etc |
No | default |
| isHnsEnabled | enable Hierarchical namespace for Azure DataLake storage account |
true,false |
No | false |
fsGroupsecurityContext setting
Blobfuse driver does not honor fsGroup securityContext setting, instead user could use -o gid=1000 in mountoptions to set ownership, check here for more mountoptions.
-
Azure DataLake storage account support
- set
isHnsEnabled: "true"in storage class parameter to create ADLS account by driver. - mount option
--use-adls=truemust be specified to enable blobfuse access ADLS account.
- set
-
account tags format created by dynamic provisioning
k8s-azure-created-by: azure
- file share name format created by dynamic provisioning(example)
pvc-92a4d7f2-f23b-4904-bad4-2cbfcff6e388
blobfuse read account key or SAS token from key vault example
blobfuse Managed Identity and Service Principal Name auth example
| Name | Meaning | Available Value | Mandatory | Default value |
|---|---|---|---|---|
| volumeAttributes.resourceGroup | Azure resource group name | existing resource group name | No | if empty, driver will use the same resource group name as current k8s cluster |
| volumeAttributes.storageAccount | existing storage account name | existing storage account name | Yes | |
| volumeAttributes.containerName | existing container name | existing container name | Yes | |
| volumeAttributes.protocol | specify blobfuse mount or NFSv3 mount | fuse, nfs |
No | fuse |
| --- | Following parameters are only for blobfuse | --- | --- | |
| volumeAttributes.secretName | secret name that stores storage account name and key(only applies for SMB) | No | ||
| volumeAttributes.secretNamespace | secret namespace | default,kube-system, etc |
No | default |
| nodeStageSecretRef.name | secret name that stores(check below examples):azurestorageaccountkeyazurestorageaccountsastokenmsisecretazurestoragespnclientsecret |
existing Kubernetes secret name | No | |
| nodeStageSecretRef.namespace | secret namespace | k8s namespace | Yes | |
| --- | Following parameters are only for NFS vnet setting | --- | --- | |
| vnetResourceGroup | specify vnet resource group where virtual network is | existing resource group name | No | if empty, driver will use the vnetResourceGroup value in azure cloud config file |
| vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the vnetName value in azure cloud config file |
| subnetName | subnet name | existing subnet name of the agent node | No | if empty, driver will use the subnetName value in azure cloud config file |
| --- | Following parameters are only for feature: blobfuse Managed Identity and Service Principal Name auth | --- | --- | |
| volumeAttributes.AzureStorageAuthType | Authentication Type | Key, SAS, MSI, SPN |
No | Key |
| volumeAttributes.AzureStorageIdentityClientID | Identity Client ID | No | ||
| volumeAttributes.AzureStorageIdentityObjectID | Identity Object ID | No | ||
| volumeAttributes.AzureStorageIdentityResourceID | Identity Resource ID | No | ||
| volumeAttributes.MSIEndpoint | MSI Endpoint | No | ||
| volumeAttributes.AzureStorageSPNClientID | SPN Client ID | No | ||
| volumeAttributes.AzureStorageSPNTenantID | SPN Tenant ID | No | ||
| volumeAttributes.AzureStorageAADEndpoint | AADEndpoint | No | ||
| --- | Following parameters are only for feature: blobfuse read account key or SAS token from key vault | --- | --- | |
| volumeAttributes.keyVaultURL | Azure Key Vault DNS name | existing Azure Key Vault DNS name | No | |
| volumeAttributes.keyVaultSecretName | Azure Key Vault secret name | existing Azure Key Vault secret name | No | |
| volumeAttributes.keyVaultSecretVersion | Azure Key Vault secret version | existing version | No | if empty, driver will use "current version" |
-
Note
- only mounting blobfuse requires account key, and if secret is not provided in PV config, driver would try to get
azure-storage-account-{accountname}-secretin the pod namespace, if not found, driver would try using kubelet identity to get account key directly using Azure API. - mounting blob storage NFSv3 does not need account key, it requires storage account configured with same vnet with agent node.
- blobfuse does not support private link well, check details here
- only mounting blobfuse requires account key, and if secret is not provided in PV config, driver would try to get
-
create a Kubernetes secret for
nodeStageSecretRef.name
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname="xxx" --from-literal azurestorageaccountkey="xxx" --type=Opaque
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname="xxx" --from-literal azurestorageaccountsastoken="xxx" --type=Opaque
kubectl create secret generic azure-secret --from-literal msisecret="xxx" --type=Opaque
kubectl create secret generic azure-secret --from-literal azurestoragespnclientsecret="xxx" --type=Opaque