Some Kubernetes workloads use persistent storage to store data permanently. vSphere with Tanzu integrates with Cloud Native Storage (CNS) to provision persistent storage.

To understand how vSphere with Tanzu uses persistent storage, refer to the vSphere with Tanzu Concepts and Planning and vSphere Storage documentation.

Creating Storage Policies for vSphere with Tanzu

Before you enable vSphere with Tanzu, you must set up the storage to provision the Kubernetes infrastructure. You achieve this task by creating storage policies to be used in the Supervisor and namespaces.

To automate the creation of a tag-based storage policy, use the VMware® vSphere Management SDK. For more information about how to create a tag-based storage policy through the Web Services API, see the VMware Storage Policy SDK Programming Guide and the vSphere Web Services SDK Programming Guide.

Optionally, you can use the vSphere Automation APIs to create and add a tag to the datastore. See the vSphere Tag Service chapter. Currently, you can create a tag-based storage policy only through the Web Services APIs.

Use the vSphere Automation APIs to retrieve the default storage policy of a specific datastore by calling the get(datastore_ID) function of the com.vmware.vcenter.datastore.DefaultPolicy service. You can also retrieve commonly used information about the storage policies available in the vCenter Server instance by calling the list() function of the Policies service.

You can use the storage policies retrieved through the vSphere Automation APIs to perform the following tasks:

  • Assign the storage policies to the Supervisor. The storage policies set in the Supervisor enablement specification ensure that the Supervisor control plane, the ephemeral disks of all vSphere Pods, and the container images are placed on the datastores that the policies represent. See Configuring NSX for vSphere with Tanzu.

  • Assign the storage policies to the vSphere Namespace. The storage policies associated with a namespace determine which datastores the namespace can access and use for persistent volumes for the vSphere Pod and the pods inside a Tanzu Kubernetes cluster. See Create a vSphere Namespace.
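The Supervisor and namespace specifications take storage policy IDs rather than names, so the usual first step is to resolve the names an administrator intends to assign against the output of Policies.list() and to check them against the datastore default returned by DefaultPolicy.get(). The following is an added example, not VMware's code; the live lookup assumes the client attribute paths of the vSphere Automation SDK for Python (client.vcenter.storage.Policies and client.vcenter.datastore.DefaultPolicy), and the sample policy records and IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PolicySummary:
    """Mirrors the fields returned by Policies.list(): policy ID, name, description."""
    policy: str
    name: str
    description: str = ""


def resolve_policy_ids(summaries: Iterable[PolicySummary],
                       wanted_names: Iterable[str]) -> Dict[str, str]:
    """Map each policy name to its policy ID.

    A name that is missing or that matches several policies is an error rather
    than a guess, because the wrong ID silently places workloads on the wrong datastore.
    """
    by_name: Dict[str, List[str]] = {}
    for s in summaries:
        by_name.setdefault(s.name, []).append(s.policy)
    resolved: Dict[str, str] = {}
    for name in wanted_names:
        ids = by_name.get(name, [])
        if len(ids) != 1:
            raise LookupError(f"storage policy {name!r}: {len(ids)} matches, need exactly 1")
        resolved[name] = ids[0]
    return resolved


def covers_datastore_default(resolved: Dict[str, str], default_policy_id: str) -> bool:
    """True if the datastore default policy (DefaultPolicy.get) is among the chosen IDs."""
    return default_policy_id in resolved.values()


def fetch_live(server: str, username: str, password: str,
               datastore_id: str) -> Tuple[List[PolicySummary], str]:
    """Live lookup (assumed SDK attribute paths; imports deferred so the module loads offline).
    TLS verification stays on: vCenter must present a certificate the client trusts."""
    import requests
    from vmware.vapi.vsphere.client import create_vsphere_client
    client = create_vsphere_client(server=server, username=username,
                                   password=password, session=requests.session())
    summaries = [PolicySummary(s.policy, s.name, s.description or "")
                 for s in client.vcenter.storage.Policies.list()]
    return summaries, client.vcenter.datastore.DefaultPolicy.get(datastore_id)


# Constructed sample shaped like Policies.list() output; the IDs are placeholders.
SAMPLE_POLICIES = [
    PolicySummary("policy-id-0001", "tanzu-control-plane", "Supervisor control plane"),
    PolicySummary("policy-id-0002", "tanzu-namespace-gold", "namespace persistent volumes"),
    PolicySummary("policy-id-0003", "tanzu-namespace-gold", "duplicate name, different ID"),
]
```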

Enabling ReadWriteMany Support

You can enable ReadWriteMany support in vSphere with Tanzu to allow multiple pods and applications to simultaneously mount a single persistent volume.

In vSphere 7.0 Update 3, only Tanzu Kubernetes clusters support persistent volumes in ReadWriteMany mode. When you enable file volume support for vSphere with Tanzu, be aware of the following potential security weaknesses:
  • The volumes are mounted without encryption. The unencrypted data might be accessed while it transits the network.
  • An access control list (ACL) is used for the file shares to isolate file share access within a Supervisor Namespace. Because the ACL is based on IP addresses, it carries a risk of IP spoofing.
Follow these guidelines for networking:
  • Make sure that vSAN File Service is routable from the Workload network and that there is no NAT between the Workload network and the vSAN File Service IP addresses.
  • Use a common DNS server for vSAN File Service and the vSphere cluster.
  • If your vSphere with Tanzu has NSX networking, use the SNAT IP of the Supervisor namespace and the SNAT IP of the Tanzu Kubernetes cluster for ACL configuration.
  • If you have vSphere with Tanzu with vSphere Distributed Switch (VDS) networking, use the Tanzu Kubernetes cluster VM IP or the IP of the Supervisor namespace for ACL configuration.

Before you activate the file volume support on a Supervisor, you must set up a vSAN cluster with enabled vSAN File Service. To configure a vSAN cluster with enabled vSAN File Service in the vSphere Client, see the Configure File Services topic in the Administering VMware vSAN documentation. For more information about how to programmatically achieve this task, see the vSAN SDKs Programming Guide documentation.

You activate ReadWriteMany support on a cluster when you enable vSphere with Tanzu on it, or when you reconfigure an existing Supervisor. See Enable vSphere with Tanzu on a Cluster with NSX as the Networking Stack, Enable vSphere with Tanzu on a Cluster with the vSphere Networking Stack, and Reconfiguring a Supervisor. Pass the list of vSAN clusters to be used for provisioning file volumes by using the setCnsFileConfig(CNSFileConfig cnsFileConfig) Java method. Currently, you can use only the current vSphere cluster for provisioning file volumes, and only if it is a vSAN cluster with vSAN File Service enabled.

To deactivate file volume support on a Supervisor, pass an empty list when you set the Cloud Native Storage persistent storage support for the cluster. Existing ReadWriteMany persistent volumes that were already provisioned in the cluster remain unaffected and usable.