Red Hat Training

A Red Hat training course is available for OpenShift Container Platform

Chapter 36. Deploying External Persistent Volume Provisioners

36.1. Overview


The external provisioner for AWS EFS on OpenShift Container Platform is a Technology Preview feature. Technology Preview features are not supported with Red Hat production service-level agreements (SLAs) and might not be functionally complete, and Red Hat does not recommend using them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information, see Red Hat Technology Preview Features Support Scope.

An external provisioner is an application that enables dynamic provisioning for a particular storage provider. External provisioners can run alongside the provisioner plug-ins provided by OpenShift Container Platform and are configured in a similar way as the StorageClass objects are configured, as described in the Dynamic Provisioning and Creating Storage Classes section. Since these provisioners are external, you can deploy and update them independently of OpenShift Container Platform.

36.2. Before You Begin

An Ansible Playbook is also available to deploy and upgrade external provisioners.


Before proceeding, familiarize yourself with the Configuring Cluster Metrics and the Configuring Cluster Logging sections.

36.2.1. External Provisioners Ansible Role

The OpenShift Ansible openshift_provisioners role configures and deploys external provisioners using the variables from the Ansible inventory file. You must specify which provisioners to install by overriding their respective install variables to true.

36.2.2. External Provisioners Ansible Variables

Following is a list of role variables that apply to all provisioners for which the install variable is true.

Table 36.1. Ansible Variables



If true, deploy all provisioners that have their respective install variables set as true, otherwise, remove them.


The prefix for the component images. For example, with openshift3/efs-provisioner:v3.6, set prefix openshift3/.


The version for the component images. For example, with openshift3/efs-provisioner:v3.6, set version as v3.6.


The project to deploy provisioners in. Defaults to openshift-infra.

36.2.3. AWS EFS Provisioner Ansible Variables

The AWS EFS provisioner dynamically provisions NFS PVs backed by dynamically created directories in a given EFS file system’s directory. You must satisfy the following requirements before the AWS EFS Provisioner Ansible variables can be configured:

  • An IAM user assigned with the AmazonElasticFileSystemReadOnlyAccess policy (or better).
  • An EFS file system in your cluster’s region.
  • Mount targets and security groups such that any node (in any zone in the cluster’s region) can mount the EFS file system by its File system DNS name.

Table 36.2. Required EFS Ansible Variables



The File system ID of the EFS file system, for example: fs-47a2c22e


The Amazon EC2 region for the EFS file system.


The AWS access key of the IAM user (to check that the specified EFS file system exists).


The AWS secret access key of the IAM user (to check that the specified EFS file system exists).

Table 36.3. Optional EFS Ansible Variables



If true, the AWS EFS provisioner is installed or uninstalled according to whether openshift_provisioners_install_provisioners is true or false, respectively. Defaults to false.


The path of the directory in the EFS file system, in which the EFS provisioner will create a directory to back each PV it creates. It must exist and be mountable by the EFS provisioner. Defaults to /persistentvolumes.


The provisioner name that StorageClasses specify. Defaults to


A map of labels to select the nodes where the pod will land. For example: {"node":"infra","region":"west"}.


The supplemental group to give the pod, in case it is needed for permission to write to the EFS file system. Defaults to 65534.

36.3. Deploying the Provisioners

You can deploy all provisioners at once or one provisioner at a time according to the configuration specified in the OpenShift Ansible variables. The following example shows you how to deploy a given provisioner and then create and configure a corresponding StorageClass.

36.3.1. Deploying the AWS EFS Provisioner

The following command sets the directory in the EFS volume to /data/persistentvolumes. This directory must exist in the file system and must be mountable and writeable by the provisioner pod.

$ ansible-playbook -v -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/openshift-provisioners/config.yml \
   -e openshift_provisioners_install_provisioners=True \
   -e openshift_provisioners_efs=True \
   -e openshift_provisioners_efs_fsid=fs-47a2c22e \
   -e openshift_provisioners_efs_region=us-west-2 \
   -e openshift_provisioners_efs_aws_access_key_id=AKIAIOSFODNN7EXAMPLE \
   -e openshift_provisioners_efs_aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
   -e openshift_provisioners_efs_path=/data/persistentvolumes AWS EFS Object Definition


kind: StorageClass
  name: slow
provisioner: 1
  gidMin: "40000" 2
  gidMax: "50000" 3

Set this value same as the value of openshift_provisioners_efs_name variable, which defaults to
The minimum value of GID range for the StorageClass. (Optional)
The maximum value of GID range for the StorageClass. (Optional)

Each dynamically provisioned volume’s corresponding NFS directory is assigned a unique GID owner from the range gidMin-gidMax. If it is not specified, gidMin defaults to 2000 and gidMax defaults to 2147483647. Any pod that consumes a provisioned volume via a claim automatically runs with the needed GID as a supplemental group and is able to read & write to the volume. Other mounters that do not have the supplemental group (and are not running as root) will not be able to read or write to the volume. For more information on using the supplemental groups to manage NFS access, see the Group IDs section of NFS Volume Security topic.

36.4. Cleanup

You can remove everything deployed by the OpenShift Ansible openshift_provisioners role by running the following command:

$ ansible-playbook -v -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/openshift-provisioners/config.yml \
   -e openshift_provisioners_install_provisioners=False