7. Deploying Trident

The guidelines in this section provide recommendations for Trident installation with various Kubernetes configurations and considerations. As with all the other recommendations in this guide, each of these suggestions should be carefully considered to determine if it’s appropriate and will provide benefit to your deployment.

7.1. Supported Kubernetes cluster architectures

Trident is supported with the following Kubernetes architectures.

Kubernetes Cluster Architectures Supported Default Install
Single master, compute Yes Yes
Multiple master, compute Yes Yes
Master, etcd, compute Yes Yes
Master, infrastructure, compute Yes Yes

7.2. Trident installation modes

Three ways to install Trident are discussed in this chapter.

Normal install mode

Installing Trident on a Kubernetes cluster will result in the Trident installer:

  1. Fetching the container images over the Internet.
  2. Creating a deployment and/or node daemonset which spin up Trident pods on all eligible nodes in the Kubernetes cluster.

A standard installation such as this can be performed in two different ways:

  1. Using tridentctl install to install Trident.
  2. Using the Trident Operator. You can deploy Trident Operator either manually or by using Helm.

This mode of installing is the easiest way to install Trident and works for most environments that do not impose network restrictions. The Deploying guide will help you get started.

Offline install mode

In many organizations, production and development environments do not have access to public repositories for pulling and posting images as these environments are completely secured and restricted. Such environments only allow pulling images from trusted private repositories.

To perform an air-gapped installation of Trident, you can use the --image-registry flag when invoking tridentctl install to point to a private image registry. If installing with the Trident Operator, you can alternatively specify spec.imageRegistry in your TridentOrchestrator. This registry must contain the Trident image, (obtained here), the Trident Autosupport image (obtained here), and the CSI sidecar images as required by your Kubernetes version.

To customize your installation further, you can use tridentctl to generate the manifests for Trident’s resources. This includes the deployment, daemonset, service account and the cluster role that Trident creates as part of its installation. The Customized Installation section talks about the options available for performing a custom Trident install.


If you are using a private image repository, you should add /k8scsi for Kubernetes versions earlier than 1.17 or /sig-storage for Kubernetes versions later than 1.17 to the end of the private registry URL. When using a private registry while installing Trident using tridentctl, you should use --trident-image and --autosupport-image in conjunction with --image-registry. If you are installing Trident using the Trident operator, ensure that the orchestrator CR includes tridentImage and autosupportImage in the installation parameters.

Remote install mode

Trident can be installed on a Kubernetes cluster from a remote machine. To do a remote install, install the appropriate version of kubectl on the remote machine from where you would be installing Trident. Copy the configuration files from the Kubernetes cluster and set the KUBECONFIG environment variable on the remote machine. Initiate a kubectl get nodes command to verify you can connect to the required Kubernetes cluster. Complete the Trident deployment from the remote machine using the normal installation steps.

7.3. Trident Installation on Mirantis Kubernetes Engine (MKE) 3.1

Mirantis Kubernetes Engine (formerly Universal Control Plane (UCP)) is the cluster management layer that sits on top of Mirantis Container Runtime (formerly Docker Engine - Enterprise). Once deployed, administrators interact with their cluster via MKE instead of each node’s individual engines. Because MKE supports both Kubernetes and Docker via a web UI or CLI, administrators can use either a Kubernetes YAMLs or Docker Compose files to deploy images from the centralized location. It also provides cluster-wide monitoring of deployed containers, services, and pods.

Installing Trident for Kubernetes on MKE-managed nodes is similar to installing Trident on Kubernetes. Refer to the following documentation for instructions on how to install Trident for Kubernetes.

7.4. Deploying Trident as an enhanced CSI Provisioner

Trident provides a CSI frontend that can be used to install Trident as a CSI provisioner. Available exclusively for Kubernetes 1.13 and above, this allows Trident to absorb standardized features like snapshots while still retaining its ability to innovate on the storage model.

To setup Trident as a CSI provisioner, refer to the Deployment Guide. Ensure that the required Feature Gates are enabled. After deploying, you should consider Upgrading existing PVs to CSI volumes if you would like to use new features such as On-demand snapshots.

7.5. CRDs for maintaining Trident’s state

The 19.07 release of Trident introduces a set of Custom Resource Definitions(CRDs) for maintaining Trident’s stateful information. CRDs are a Kubernetes construct used to group a set of similar objects together and classify them as user-defined resources. This translates to Trident no longer needing a dedicated etcd and a PV that it needs to use on the backend storage. All stateful objects used by Trident will be CRD objects that are present in the Kubernetes cluster’s etcd.

7.5.1. Things to keep in mind about Trident’s CRDs

  1. When Trident is installed, a set of CRDs are created and can be used like any other resource type.
  2. When upgrading from a previous version of Trident (one that used etcd to maintain state), the Trident installer will migrate data from the etcd key-value data store and create corresponding CRD objects.
  3. Downgrading to a previous Trident version is not recommended.
  4. When uninstalling Trident using the tridentctl uninstall command, Trident pods are deleted but the created CRDs will not be cleaned up. Refer to the Uninstalling Guide to understand how Trident can be completely removed and reconfigured from scratch.
  5. Since the CRD objects that are used by Trident are stored in the Kubernetes cluster’s etcd, Trident disaster recovery workflows will be different when compared to previous versions of Trident.

7.6. Trident Upgrade/Downgrade Process

7.6.1. Upgrading Trident

If you are looking to upgrade to the latest version of Trident, the Upgrade section provides a complete overview of the upgrade process.

7.6.2. Downgrading Trident

Downgrading to a previous release is not recommended. If you choose to downgrade, ensure that the PV used by the previous Trident installation is available.

Refer to the Troubleshooting section to understand what happens when a downgrade is attempted.

7.7. Recommendations for all deployments

7.7.1. Deploy Trident to a dedicated namespace

Namespaces provide administrative separation between different applications and are a barrier for resource sharing, for example, a PVC from one namespace cannot be consumed from another. Trident provides PV resources to all namespaces in the Kubernetes cluster and consequently leverages a service account which has elevated privileges.

Additionally, access to the Trident pod may enable a user to access storage system credentials and other sensitive information. It is important to ensure that application users and management applications do not have the ability to access the Trident object definitions or the pods themselves.

7.7.2. Use quotas and range limits to control storage consumption

Kubernetes has two features which, when combined, provide a powerful mechanism for limiting the resource consumption by applications. The storage quota mechanism allows the administrator to implement global, and storage class specific, capacity and object count consumption limits on a per-namespace basis. Further, using a range limit will ensure that the PVC requests must be within both a minimum and maximum value before the request is forwarded to the provisioner.

These values are defined on a per-namespace basis, which means that each namespace will need to have values defined which fall in line with their resource requirements. An example of how to leverage quotas can be found on netapp.io.

7.8. Deploying Trident to OpenShift

OpenShift uses Kubernetes for the underlying container orchestrator. Consequently, the same recommendations will apply when using Trident with Kubernetes or OpenShift. However, there are some minor additions when using OpenShift which should be taken into consideration.

7.8.1. Deploy Trident to infrastructure nodes (OpenShift 3.11)

Trident is a core service to the OpenShift cluster, provisioning and managing the volumes used across all projects. Consideration should be given to deploying Trident to the infrastructure nodes in order to provide the same level of care and concern.

To deploy Trident to the infrastructure nodes, the project for Trident must be created by an administrator using the oc adm command. This prevents the project from inheriting the default node selector, which forces the pod to execute on compute nodes.

# create the project which Trident will be deployed to using
# the non-default node selector
oc adm new-project <project_name> --node-selector="region=infra"

# deploy Trident using the project name
tridentctl install -n <project_name>

The result of the above command is that any pod deployed to the project will be scheduled to nodes which have the tag “region=infra”. This also removes the default node selector used by other projects which schedule pods to nodes which have the label “node-role.kubernetes.io/compute=true”.