#Access to NFS volume outside k8s cluster


midnight leaf
#

Our client wants to have standard ReadOnlyMany access from his namespace and wants RW access outside the cluster. Is it possible to add an ACL that would allow a particular volume to be mounted by a host that is not managed by trident? As far as I remember, if I edit the trident export policy, the changes would be overwritten.

manic flower
midnight leaf
#

interesting, but that would apply to all svm volumes. Don't think it's acceptable in my case.

#

What about creating a pv at k8s level and creating a snapmirror relation with that volume as destination?

#

client will get dedicated access to snapmirror primary and destination would be mounted by trident

midnight leaf
#

but I lose the super important fact that the export policy is managed by trident, so adding or removing a new k8s worker is transparent

#

I'd need to manage it by myself, which is not possible.

wicked scaffold
#

yeah, these are your options, not much else that can be done. I mean you could add a CIFS share and access the data via that, or you could create a flexclone (maybe even in a different SVM) and access the data that way, but if you want to access the same data read/write via NFS, those are your options

midnight leaf
#

what about snapmirror? keep source on another svm and import destination to trident?

wicked scaffold
#

how would you do updates in the source then?

midnight leaf
#

source mounted via manual export policy to dedicated host, snapmirror to trident-managed volume on another SVM

#

question is if I'm able to import that destination volume

#

it would be DP, read-only type

#

according to the doc

#

Trident can import RW (read-write) type ONTAP volumes only. DP (data protection) type volumes are SnapMirror destination volumes. You should break the mirror relationship before importing the volume into Trident.

#

can I break, import and re-establish mirror? 🙂

wicked scaffold
#

no

#

I mean yes you can, but the volume will be DP again. I think your application will probably not like that

timid raft
#

@midnight leaf, What is the problem you are trying to solve? What's the use case?

midnight leaf
#

I need read-only for k8s access, so probably may be a tricky solution 🙂

#

@timid raft there is an application at k8s that needs read-only access to small 10g volumes of shared data from multiple pods. Those data need to be managed from a host outside the cluster via NFS.

#

I know that s3 may be a better solution for that use case, but there is a dependency loop in our services and we want to avoid it

timid raft
#

Trident doesn't really have a read-only method for dealing with NFS. Is there enough of an OS inside the containers in the pod to mount the NFS inside the container?

wicked scaffold
#

you would still need to manually create a matching export-policy with the correct rules for both clusters and attach that to the volume I guess

midnight leaf
#

Just tested below.

  1. Create standard snapmirror relation (destination on trident svm)
  2. Break snapmirror
  3. Import destination volume using tridentctl
  4. Resync snapmirror
  5. Mount source volume on any host
  6. Destination volume managed by trident/k8s

Destination has trident storage policy assigned. So win-win. But I hope we won't use that on production 🙂

wicked scaffold
#

but you will only have access to old data though (until you update the mirror)

midnight leaf
#

yes, snapmirror runs with scheduled updates after re-sync. As expected.