Enabling users to connect to external SMB storage volumes

To enable users to connect to remote SMB storage volumes from IBM Cloud Pak® for Data, a cluster administrator must install the SMB CSI Driver for Kubernetes so that the cluster can communicate with your remote SMB volumes. Then the administrator must create a cluster role and cluster role binding to grant the meta-api the appropriate permissions to provision persistent volumes.

Before you begin

This feature requires SMB Version 3.0 or later.

About this task

Permissions you need for this task
    You must be a cluster administrator.
When you need to complete this task
    Complete this task only if you want to enable Cloud Pak for Data users to connect to storage volumes on an SMB file share server.
    Note: The External SMB option is always visible on the New storage volume page. However, if you do not complete this task, users cannot connect to SMB storage volumes from the New storage volume page or through the Volumes API.

Procedure

To enable users to connect to a remote SMB storage volume:

  1. Log on to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete this task:
    oc login OpenShift_URL:port
  2. Install the SMB CSI Driver for Kubernetes (csi-smb-driver) on the cluster. For details, see the readme for the driver.

    The csi-smb-driver is provided by the Kubernetes CSI organization, which provides Kubernetes-specific Container Storage Interface (CSI) components.

  3. Run the following command to create the required cluster role and cluster role binding for the meta-api.
    Tip: The same role binding is required to use external NFS storage volumes. If you already completed Enabling users to create NFS storage volumes, this role binding already exists.
    cat <<EOF | oc apply -f -
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      # "namespace" omitted. ClusterRoles are not scoped to a namespace.
      name: ibm-zen-volumes-cluster-role
    rules:
    - apiGroups: [""]
      #
      # PersistentVolume objects are in the core API group (""); at the
      # HTTP level, the name of the resource is "persistentvolumes"
      resources: ["persistentvolumes"]
      verbs: ["create", "get", "list", "patch", "update", "watch", "delete", "use"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ibm-zen-volumes-cluster-role-binding
    subjects:
    - kind: ServiceAccount
      name: ibm-zen-operator-serviceaccount
      namespace: ibm-common-services    # The namespace where the IBM Cloud Pak foundational services are installed
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: ibm-zen-volumes-cluster-role
    EOF
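
To confirm that the binding from step 3 took effect, the following check asks the API server whether the bound service account is allowed each verb that the cluster role grants on persistent volumes. It is an added example, not part of the original procedure. It assumes that you are logged in as a cluster administrator (the `--as` option requires impersonation rights), and the function name `check_pv_access` is hypothetical.

```shell
#!/bin/sh
# Added example: verify the RBAC grant created in step 3.
# The service account name, namespace and verb list are taken from the
# manifest on this page; override the variables if your foundational
# services are installed in a different namespace.
SA_NAMESPACE="${SA_NAMESPACE:-ibm-common-services}"
SA_NAME="${SA_NAME:-ibm-zen-operator-serviceaccount}"
PV_VERBS="create get list patch update watch delete use"

# Prints one line per verb with the API server's answer.
# Returns 0 if every verb is allowed, 1 if any verb is denied or the
# query itself fails (for example, not logged in).
check_pv_access() {
    subject="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
    denied=0
    for verb in $PV_VERBS; do
        # "oc auth can-i" prints yes/no and exits non-zero on "no",
        # so capture the answer without aborting the loop.
        answer=$(oc auth can-i "$verb" persistentvolumes --as="$subject" 2>/dev/null) || true
        [ -n "$answer" ] || answer="error"
        printf '%-8s %s\n' "$verb" "$answer"
        [ "$answer" = "yes" ] || denied=1
    done
    return "$denied"
}

# Usage: source this file, then run:  check_pv_access
```

A `no` for any verb usually means that the `namespace` in the ClusterRoleBinding subject does not match the namespace where the IBM Cloud Pak foundational services are installed.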