apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-manila
spec:
  accessModes: (1)
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: csi-manila-gold (2)OKD is capable of provisioning persistent volumes (PVs) using the Container Storage Interface (CSI) driver for the OpenStack Manila shared file system service.
Familiarity with persistent storage and configuring CSI volumes is recommended when working with a Container Storage Interface (CSI) Operator and driver.
To create CSI-provisioned PVs that mount to Manila storage assets, OKD installs the Manila CSI Driver Operator and the Manila CSI driver by default on any OpenStack cluster that has the Manila service enabled.
The Manila CSI Driver Operator creates the required storage class that is needed to create PVCs for all available Manila share types. The Operator is installed in the openshift-cluster-csi-drivers namespace.
The Manila CSI driver enables you to create and mount Manila PVs. The driver is installed in the openshift-manila-csi-driver namespace.
Storage vendors have traditionally provided storage drivers as part of Kubernetes. With the implementation of the Container Storage Interface (CSI), third-party providers can instead deliver storage plugins using a standard interface without ever having to change the core Kubernetes code.
CSI Operators give OKD users storage options, such as volume snapshots, that are not possible with in-tree volume plugins.
The following limitations apply to the Manila Container Storage Interface (CSI) Driver Operator:
OpenStack Manila supports many network-attached storage protocols, such as nfs, CIFS, and CEPHFS, and these can be selectively enabled in the OpenStack cloud. The Manila CSI Driver Operator in OKD only supports using the nfs protocol. If nfs is not available and enabled in the underlying OpenStack cloud, you cannot use the Manila CSI Driver Operator to provision storage for OKD.
To take snapshots of persistent volumes (PVs) and revert volumes to snapshots, you must ensure that the Manila share type that you are using supports these features. A Red Hat OpenStack administrator must enable support for snapshots (share type extra-spec snapshot_support) and for creating shares from snapshots (share type extra-spec create_share_from_snapshot_support) in the share type associated with the storage class you intend to use.
Since Manila CSI provides shared file systems for access by multiple readers and multiple writers, it does not support the use of FSGroups. This is true even for persistent volumes created with the ReadWriteOnce access mode. It is therefore important not to specify the fsType attribute in any storage class that you manually create for use with Manila CSI Driver.
| In Red Hat OpenStack Platform 16.x and 17.x, the Shared File Systems service (Manila) with CephFS through nfs fully supports serving shares to OKD through the Manila CSI. However, this solution is not intended for massive scale. Be sure to review important recommendations in CephFS nfs Manila-CSI Workload Recommendations for Red Hat OpenStack Platform. | 
OKD installs a storage class for each available Manila share type.
The YAML files that are created are completely decoupled from Manila and from its Container Storage Interface (CSI) plugin. As an application developer, you can dynamically provision ReadWriteMany (RWX) storage and deploy pods with applications that safely consume the storage using YAML manifests.
You can use the same pod and persistent volume claim (PVC) definitions on-premise that you use with OKD on AWS, GCP, Azure, and other platforms, with the exception of the storage class reference in the PVC definition.
| By default, the access rule that is assigned to a volume is  | 
| Manila service is optional. If the service is not enabled in OpenStack, the Manila CSI driver is not installed and the storage classes for Manila are not created. | 
OpenStack is deployed with appropriate Manila share infrastructure so that it can be used to dynamically provision and mount volumes in OKD.
To dynamically create a Manila CSI volume using the web console:
In the OKD console, click Storage → Persistent Volume Claims.
In the persistent volume claims overview, click Create Persistent Volume Claim.
Define the required options on the resulting page.
Select the appropriate storage class.
Enter a unique name for the storage claim.
Select the access mode to specify read and write access for the PVC you are creating.
| Use RWX if you want the PV that fulfills this PVC to be mounted to multiple pods on multiple nodes in the cluster. | 
Define the size of the storage claim.
Click Create to create the PVC and generate a PV.
To dynamically create a Manila CSI volume using the command-line interface (CLI):
Create and save a file with the PersistentVolumeClaim object described by the following YAML:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-manila
spec:
  accessModes: (1)
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: csi-manila-gold (2)| 1 | Use RWX if you want the PV that fulfills this PVC to be mounted to multiple pods on multiple nodes in the cluster. | 
| 2 | The name of the storage class that provisions the storage back end. Manila storage classes are provisioned by the Operator and have the csi-manila-prefix. | 
Create the object you saved in the previous step by running the following command:
$ oc create -f pvc-manila.yamlA new PVC is created.
To verify that the volume was created and is ready, run the following command:
$ oc get pvc pvc-manilaThe pvc-manila shows that it is Bound.
You can now use the new PVC to configure a pod.
By default, OKD creates Manila storage classes that provide access to all IPv4 clients. To limit client access, you can define custom storage classes that use specific client IP addresses or subnets by using the nfs-ShareClient parameter.
| When using custom storage classes with restricted access rules, ensure that: 
 | 
OpenStack is deployed with appropriate Manila share infrastructure.
Access to a cluster with administrator privileges.
Create a YAML file for your custom storage class based on the following example:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-manila-gold-restricted (1)
provisioner: manila.csi.openstack.org
parameters:
  type: gold (2)
  nfs-ShareClient: "10.0.0.0/24,192.168.1.100" (3)
  csi.storage.k8s.io/provisioner-secret-name: manila-csi-secret
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-manila-csi-driver
  csi.storage.k8s.io/controller-expand-secret-name: manila-csi-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-manila-csi-driver
  csi.storage.k8s.io/node-stage-secret-name: manila-csi-secret
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-manila-csi-driver
  csi.storage.k8s.io/node-publish-secret-name: manila-csi-secret
  csi.storage.k8s.io/node-publish-secret-namespace: openshift-manila-csi-driver
allowVolumeExpansion: true| 1 | Descriptive name for your custom storage class. | 
| 2 | The Manila share type. This type must match an existing share type in your OpenStack environment. | 
| 3 | Comma-separated list of IP addresses or CIDR subnets allowed to access the nfs shares. The nfs-ShareClientparameter accepts various formats:
 | 
Apply the storage class from the file by running the following command:
$ oc apply -f custom-manila-storageclass.yamlVerify that the storage class was created by running the following command:
$ oc get storageclass csi-manila-gold-restrictedNAME                 		    PROVISIONER                RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
csi-manila-gold-restricted	manila.csi.openstack.org   Delete          Immediate           true                   43mCreate a persistent volume claim (PVC) that uses the custom storage class based on the following example:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-manila-restricted
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: csi-manila-gold-restricted (1)| 1 | The name of your custom storage class that has restricted access. In this example, the name is csi-manila-gold-restricted. | 
Apply the PVC from the file by running the following command:
$ oc apply -f pvc-manila-restricted.yaml