7. Deploying Trident
The guidelines in this section provide recommendations for Trident installation with various Kubernetes configurations and considerations. As with all the other recommendations in this guide, each of these suggestions should be carefully considered to determine if it’s appropriate and will provide benefit to your deployment.
7.1. Supported Kubernetes cluster architectures
Trident is supported with the following Kubernetes architectures.
Kubernetes Cluster Architectures    Supported    Default Install
Single master, compute              Yes          Yes
Multiple master, compute            Yes          Yes
Master, etcd, compute               Yes          Yes
Master, infrastructure, compute     Yes          Yes
7.2. Trident installation modes
Three ways to install Trident are discussed in this chapter.
Normal install mode
Installing Trident on a Kubernetes cluster will result in the Trident installer:
- Fetching the container images over the Internet.
- Creating a deployment and/or node daemonset which spin up Trident pods on all eligible nodes in the Kubernetes cluster.
A standard installation such as this can be performed in two different ways:
- Using tridentctl install to install Trident.
- Using the Trident Operator. You can deploy Trident Operator either manually or by using Helm.
This mode of installing is the easiest way to install Trident and works for most environments that do not impose network restrictions. The Deploying guide will help you get started.
Offline install mode
In many organizations, production and development environments do not have access to public repositories for pulling and posting images as these environments are completely secured and restricted. Such environments only allow pulling images from trusted private repositories.
To perform an air-gapped installation of Trident:
- The --image-registry flag can be used when invoking tridentctl install to point to a private image registry that contains the required CSI sidecar images. Additionally, --autosupport-image and --trident-image must point to the Trident Autosupport and Trident container image paths, respectively.
# Install Trident from a private image registry for Kubernetes 1.17
$ docker image ls
REPOSITORY                                                          TAG       IMAGE ID       CREATED        SIZE
registry.internal-domain.com/sig-storage/csi-provisioner            v2.1.1    93d588bf66c4   6 hours ago    51.7MB
registry.internal-domain.com/sig-storage/csi-attacher               v3.1.0    03ce9595bf92   6 hours ago    49.2MB
registry.internal-domain.com/sig-storage/csi-resizer                v1.1.0    a8fe79377034   6 hours ago    49.2MB
registry.internal-domain.com/sig-storage/csi-snapshotter            v3.0.3    000846ee5335   6 hours ago    47.8MB
registry.internal-domain.com/sig-storage/csi-node-driver-registrar  v2.1.0    ef2b13b2a066   6 hours ago    19.7MB
registry.internal-domain.com/netapp/trident                         21.07.0   0de972eb1c6f   6 hours ago    93.1MB
registry.internal-domain.com/netapp/trident-autosupport             21.01     8122afeecc7a   5 months ago   40.2MB

$ tridentctl install --image-registry=registry.internal-domain.com --trident-image=registry.internal-domain.com/netapp/trident:21.07.0 --autosupport-image=registry.internal-domain.com/netapp/trident-autosupport:21.01
- If installing with the Trident Operator, specify the following in the TridentOrchestrator custom resource:
  - imageRegistry should point to the private image registry that contains the CSI sidecar container images.
  - tridentImage should be set to the path of the Trident container image hosted on the private registry.
  - autosupportImage should be set to the path of the Trident Autosupport image hosted on the private registry.
# List the container images present in the private image registry
$ docker image ls
REPOSITORY                                                          TAG       IMAGE ID       CREATED        SIZE
registry.internal-domain.com/sig-storage/csi-provisioner            v2.1.1    93d588bf66c4   6 hours ago    51.7MB
registry.internal-domain.com/sig-storage/csi-attacher               v3.1.0    03ce9595bf92   6 hours ago    49.2MB
registry.internal-domain.com/sig-storage/csi-resizer                v1.1.0    a8fe79377034   6 hours ago    49.2MB
registry.internal-domain.com/sig-storage/csi-snapshotter            v3.0.3    000846ee5335   6 hours ago    47.8MB
registry.internal-domain.com/sig-storage/csi-node-driver-registrar  v2.1.0    ef2b13b2a066   6 hours ago    19.7MB
registry.internal-domain.com/netapp/trident                         21.07.0   0de972eb1c6f   6 hours ago    93.1MB
registry.internal-domain.com/netapp/trident-autosupport             21.01     8122afeecc7a   5 months ago   40.2MB

# Examine the contents of TridentOrchestrator
$ cat tridentorchestrator_cr.yaml
apiVersion: trident.netapp.io/v1
kind: TridentOrchestrator
metadata:
  name: trident
spec:
  imageRegistry: registry.internal-domain.com
  tridentImage: registry.internal-domain.com/netapp/trident:21.07.0
  autosupportImage: registry.internal-domain.com/netapp/trident-autosupport:21.01
  namespace: trident

$ kubectl create -f tridentorchestrator_cr.yaml -n trident
tridentorchestrator.trident.netapp.io/trident created
To customize your installation further, you can use tridentctl to generate the manifests for Trident's resources. This includes the deployment, daemonset, service account and the cluster role that Trident creates as part of its installation. The Customized Installation section talks about the options available for performing a custom Trident install.
Remote install mode
Trident can be installed on a Kubernetes cluster from a remote machine. To do a remote install, install the appropriate version of tridentctl on the remote machine from where you would be installing Trident. Copy the configuration files from the Kubernetes cluster and set the KUBECONFIG environment variable on the remote machine. Initiate a kubectl get nodes command to verify you can connect to the required Kubernetes cluster. Complete the Trident deployment from the remote machine using the normal install mode.
7.3. CRDs for maintaining Trident's state
The 19.07 release of Trident introduces a set of Custom Resource Definitions (CRDs) for maintaining Trident's stateful information. CRDs are a Kubernetes construct used to group a set of similar objects together and classify them as user-defined resources. This means Trident no longer needs a dedicated etcd, nor a PV on the backend storage to hold it. All stateful objects used by Trident are CRD objects that live in the Kubernetes cluster's own etcd.
7.3.1. Things to keep in mind about Trident's CRDs
- When Trident is installed, a set of CRDs are created and can be used like any other resource type.
- When upgrading from a previous version of Trident (one that used etcd to maintain state), the Trident installer will migrate data from the etcd key-value data store and create corresponding CRD objects.
- Downgrading to a previous Trident version is not recommended.
- When uninstalling Trident using the tridentctl uninstall command, Trident pods are deleted but the created CRDs will not be cleaned up. Refer to the Uninstalling Guide to understand how Trident can be completely removed and reconfigured from scratch.
- Since the CRD objects that are used by Trident are stored in the Kubernetes cluster’s etcd, Trident disaster recovery workflows will be different when compared to previous versions of Trident.
7.4. Trident Upgrade/Downgrade Process
7.4.1. Upgrading Trident
If you are looking to upgrade to the latest version of Trident, the Upgrade section provides a complete overview of the upgrade process.
7.5. Recommendations for all deployments
7.5.1. Deploy Trident to a dedicated namespace
Namespaces provide administrative separation between different applications and are a barrier for resource sharing, for example, a PVC from one namespace cannot be consumed from another. Trident provides PV resources to all namespaces in the Kubernetes cluster and consequently leverages a service account which has elevated privileges.
Additionally, access to the Trident pod may enable a user to access storage system credentials and other sensitive information. It is important to ensure that application users and management applications do not have the ability to access the Trident object definitions or the pods themselves.
7.5.2. Use quotas and range limits to control storage consumption
Kubernetes has two features which, when combined, provide a powerful mechanism for limiting the resource consumption by applications. The storage quota mechanism allows the administrator to implement global, and storage class specific, capacity and object count consumption limits on a per-namespace basis. Further, using a range limit will ensure that the PVC requests must be within both a minimum and maximum value before the request is forwarded to the provisioner.
These values are defined on a per-namespace basis, which means that each namespace will need to have values defined which fall in line with their resource requirements. An example of how to leverage quotas can be found on netapp.io.
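The two mechanisms combined, as an added example that is not part of the Trident documentation: a constructed LimitRange and ResourceQuota (using the field names Kubernetes uses, including a storage-class-specific quota key) are applied to a sequence of PVC requests to show which are rejected per request by the range limit and which are rejected cumulatively by the quota. The object shapes and storage class names are assumptions chosen for illustration.

```python
"""ResourceQuota + LimitRange on PVC requests (added example, not Trident code).
Objects below are constructed with the field names Kubernetes uses; admit()
mimics the admission order: LimitRange per request first, then quota."""
import re

UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}

def parse_qty(q):
    """Parse a binary quantity such as '10Gi' (or a bare count) into an int."""
    m = re.fullmatch(r"(\d+)([KMGT]i)?", q)
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

# Constructed LimitRange (type: PersistentVolumeClaim): bounds per request.
LIMIT_RANGE = {"min": {"storage": "1Gi"}, "max": {"storage": "50Gi"}}
# Constructed ResourceQuota spec.hard: object count, a global byte cap and
# a tighter cap that applies only to the "gold" storage class.
QUOTA_HARD = {"persistentvolumeclaims": "5", "requests.storage": "100Gi",
              "gold.storageclass.storage.k8s.io/requests.storage": "40Gi"}

def check(pvc, used, limit_range, hard):
    """Verdict for one PVC; `used` is charged only when it is admitted."""
    size = parse_qty(pvc["storage"])
    if size < parse_qty(limit_range["min"]["storage"]):
        return "rejected: below LimitRange min"
    if size > parse_qty(limit_range["max"]["storage"]):
        return "rejected: above LimitRange max"
    # Count and global bytes always apply; the class key only if the quota has one.
    charges = {"persistentvolumeclaims": 1, "requests.storage": size}
    sc_key = f"{pvc.get('storageClassName')}.storageclass.storage.k8s.io/requests.storage"
    if sc_key in hard:
        charges[sc_key] = size
    for key, add in charges.items():
        if used.get(key, 0) + add > parse_qty(hard[key]):
            return f"rejected: quota {key}"
    for key, add in charges.items():
        used[key] = used.get(key, 0) + add
    return "admitted"

def admit(pvcs, limit_range=LIMIT_RANGE, hard=QUOTA_HARD):
    """Evaluate PVC requests in arrival order against one namespace's objects."""
    used = {}
    return [(p["name"], check(p, used, limit_range, hard)) for p in pvcs]

SAMPLE_PVCS = [  # constructed requests: name, size, storage class
    {"name": "db", "storage": "30Gi", "storageClassName": "gold"},
    {"name": "tiny", "storage": "512Mi", "storageClassName": "gold"},
    {"name": "huge", "storage": "200Gi"},
    {"name": "logs", "storage": "20Gi", "storageClassName": "gold"},
    {"name": "scratch", "storage": "50Gi", "storageClassName": "silver"},
]
```

Note that "logs" fits the global cap but is refused because the gold-class cap is already 30Gi consumed, while "scratch" in a class with no specific key is governed by the global cap alone.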