Starting with the vSphere 7.0 Update 3 release, vSphere with Tanzu supports persistent volumes in ReadWriteMany mode. With the ReadWriteMany support, a single volume can be mounted simultaneously by multiple pods or applications running in a cluster. vSphere with Tanzu uses vSAN File Services to provide file shares for the ReadWriteMany persistent volumes.
Considerations for ReadWriteMany Persistent Volumes
When you enable ReadWriteMany support for persistent volumes in vSphere with Tanzu, keep in mind the following considerations.
- In vSphere 7.0 Update 3, only Tanzu Kubernetes clusters support persistent volumes in ReadWriteMany mode.
- When you enable file volume support for vSphere with Tanzu, be aware of the potential security weaknesses:
  - The volumes are mounted without encryption. The unencrypted data might be accessed while it transits the network.
  - Access Control Lists (ACLs) are used for the file shares to isolate file share access within a supervisor namespace. Because these ACLs are configured with IP addresses, there is a risk of IP spoofing.
- Follow these guidelines for networking:
  - Make sure that vSAN File Services is routable from the Workload network and that there is no NAT between the Workload network and the vSAN File Services IP addresses.
  - Use a common DNS server for vSAN File Services and the vSphere cluster.
  - If your vSphere with Tanzu has NSX-T Data Center networking, use the SNAT IP of the Supervisor namespace and the SNAT IP of the Tanzu Kubernetes cluster for ACL configuration.
  - If your vSphere with Tanzu has vSphere Distributed Switch (VDS) networking, use the Tanzu Kubernetes cluster VM IP or the IP of the Supervisor namespace for ACL configuration.
- If you deactivate file volume support after enabling it, existing ReadWriteMany persistent volumes that you provisioned in the cluster remain unaffected and usable. You will not be able to create new ReadWriteMany persistent volumes.
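Because ReadWriteMany volumes are mounted without encryption and existing ones stay usable even after file volume support is deactivated, it helps to know which claims use this mode and which pods mount them. The following Python script is an added example, not VMware code: it assumes input shaped like `kubectl get pvc,pods -A -o json` output, and the namespaces, claims and pods in the sample are constructed.

```python
import json

def _pvc(ns, name, mode):
    return {"kind": "PersistentVolumeClaim",
            "metadata": {"namespace": ns, "name": name},
            "spec": {"accessModes": [mode]}}

def _pod(ns, name, claim=None):
    vol = ({"name": "data", "persistentVolumeClaim": {"claimName": claim}}
           if claim else {"name": "cfg", "configMap": {"name": "app"}})
    return {"kind": "Pod", "metadata": {"namespace": ns, "name": name},
            "spec": {"volumes": [vol]}}

# Constructed sample shaped like `kubectl get pvc,pods -A -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    _pvc("team-a", "shared-data", "ReadWriteMany"),
    _pvc("team-a", "db-data", "ReadWriteOnce"),
    _pvc("team-b", "shared-data", "ReadWriteMany"),
    _pod("team-a", "web-1", "shared-data"),
    _pod("team-a", "web-0", "shared-data"),
    _pod("team-a", "db-0", "db-data"),
    _pod("team-b", "worker"),
]})

def rwx_inventory(kubectl_json):
    """Map each ReadWriteMany claim (namespace, name) to the pods mounting it."""
    items = json.loads(kubectl_json).get("items", [])
    inventory = {}
    for item in items:
        if item.get("kind") != "PersistentVolumeClaim":
            continue
        if "ReadWriteMany" in item.get("spec", {}).get("accessModes", []):
            meta = item["metadata"]
            inventory[(meta["namespace"], meta["name"])] = set()
    for item in items:
        if item.get("kind") != "Pod":
            continue
        meta = item["metadata"]
        for vol in item.get("spec", {}).get("volumes", []):
            claim = (vol.get("persistentVolumeClaim") or {}).get("claimName")
            # Claims are namespaced, so match on namespace and name together.
            if (meta["namespace"], claim) in inventory:
                inventory[(meta["namespace"], claim)].add(meta["name"])
    return {key: sorted(pods) for key, pods in inventory.items()}

if __name__ == "__main__":
    for (ns, claim), pods in sorted(rwx_inventory(SAMPLE).items()):
        print(f"{ns}/{claim}: unencrypted file share mounted by {pods or 'no pods'}")
```

Against a live Tanzu Kubernetes cluster, pass the real `kubectl get pvc,pods -A -o json` output to `rwx_inventory` in place of `SAMPLE`.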
Workflow for Enabling ReadWriteMany Support for Persistent Volumes
Follow this process to enable ReadWriteMany support for persistent volumes.
- A vSphere administrator sets up a vSAN cluster with configured vSAN File Services. See Configure File Services.
- A vSphere administrator activates file volume support when enabling the Workload Management platform.
- A DevOps engineer provisions a persistent volume setting the PVC
Several pods can be provisioned with the same PVC. See Provision a Dynamic Persistent Volume for a Stateful Application.