Rook v1.8 Storage Enhancements

Sébastien Han
Published in Rook Blog, Dec 9, 2021

The Rook v1.8 release is out! v1.8 is another feature-filled release to improve storage for Kubernetes. As always, thanks to the community for all the great support in this journey to support storage workloads in production.

The statistics continue to show Rook community growth since the v1.7 release in August:

We have a lot of new features for the Ceph storage provider that we hope you’ll be excited about with the v1.8 release! In addition, there are continued improvements under the covers in the CI, which helps us keep up the reliability of our releases.

Updated Minimum Versions

As expected with the evolution of any software and announced in our 1.7 release blog post, we have now updated the following minimum supported versions in 1.8:

  • Supported Ceph versions are Octopus (v15) and Pacific (v16); support for Ceph Nautilus (v14) has been removed. In v1.9 we look forward to adding support for Ceph Quincy (v17).
  • The minimum supported Kubernetes version is now 1.16.

Flex driver removal

The CSI driver is now required for creating volumes in Rook. Before upgrading to v1.8, users must migrate their Flex-based PVCs to Ceph-CSI.

To help simplify this transition, we have created a migration tool. The tool will migrate your Ceph RBD PVCs from Flex to Ceph-CSI. Since the migration is required before updating to v1.8, see the documented migration procedure included with the Rook v1.7.9 release.

Disaster Recovery

Handling disasters at the application level requires support for failover at every layer of the application stack, and storage is central to the failover strategy. We have been working on failover and disaster recovery capability in Rook and in the CSI driver, supported at the data layer by Ceph. This work is now coming together to provide significant improvements for disaster recovery scenarios: applications can fail over across independent Kubernetes clusters, with their data mirrored between the clusters. Tools and documentation are now available to set up the application mirroring and to perform failover and failback for your applications.

Bucket notifications

Ceph added support for the bucket notifications feature some time ago in Nautilus, and Rook now lets you configure them. Notifications send messages to various endpoints when a new event occurs on a bucket.

Setting up those notifications is normally done by sending HTTP requests to the Ceph RGW service, either to create topics pointing at specific endpoints or to create bucket notifications based on those topics.

Rook supports bucket notifications declaratively through bucket notification and bucket topic CRDs.

This feature is marked as experimental. Your feedback is welcome so we can declare it stable in v1.9!

Security improvements

One of the themes of this release is security and hardening.

  • We reduced the RBAC scope granted for the lib-bucket-provisioner to the minimum Rook needs in order to operate with it, leaving fewer open permissions.
  • The operator runs as the new “rook” user with UID 2016 (the year Rook was first released) instead of “root”.
  • Security scans with Snyk help reduce the attack surface and restrict permissions.

Efforts to restrict privileges continue into the next release, where we are investigating how to run the Ceph daemon containers with the fewest privileges possible.

Cluster protection

Rook maintains a few critical resources, in particular a secret and a config map that Ceph cannot operate without. We don’t want these resources to be deleted accidentally. To prevent this, we have added a finalizer to them, so any accidental deletion is blocked, giving the administrator time to back up and restore these resources.
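The two hardening properties above (operator running as the non-root UID 2016, critical resources carrying a finalizer) are easy to audit from `kubectl get -o json` output. The following is an added example and not Rook's own code; the manifests are constructed samples with illustrative resource and finalizer names, not Rook's actual ones.

```python
"""Audit constructed Rook-style manifests for two v1.8 hardening properties:
the operator runs as the non-root "rook" user (UID 2016) and critical
resources carry a finalizer so a delete is held until it is cleared."""

ROOK_UID = 2016  # the non-root "rook" user the operator now runs as

# Constructed samples (JSON shape of `kubectl get <kind> -o json`); names are
# illustrative placeholders, not Rook's real resource or finalizer names.
OPERATOR = {
    "kind": "Deployment",
    "metadata": {"name": "rook-ceph-operator", "namespace": "rook-ceph"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 2016, "runAsNonRoot": True},
        "containers": [{"name": "rook-ceph-operator"}],
    }}},
}
LEGACY_OPERATOR = {  # pre-1.8 style: no pod-level UID, container pinned to root
    "kind": "Deployment",
    "metadata": {"name": "rook-ceph-operator", "namespace": "rook-ceph"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "rook-ceph-operator",
                        "securityContext": {"runAsUser": 0}}],
    }}},
}
MON_SECRET = {"kind": "Secret", "metadata": {
    "name": "example-mon-secret", "namespace": "rook-ceph",
    "finalizers": ["rook.example/protect-critical-resource"]}}
MON_CONFIGMAP = {"kind": "ConfigMap", "metadata": {
    "name": "example-mon-endpoints", "namespace": "rook-ceph"}}
TERMINATING_SECRET = {"kind": "Secret", "metadata": {
    "name": "example-mon-secret", "namespace": "rook-ceph",
    "deletionTimestamp": "2021-12-09T10:00:00Z",  # a delete was issued...
    "finalizers": ["rook.example/protect-critical-resource"]}}  # ...but is held


def effective_uids(deployment):
    """Map container name -> UID it runs as (container-level overrides pod-level)."""
    pod = deployment["spec"]["template"]["spec"]
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    return {c["name"]: c.get("securityContext", {}).get("runAsUser", pod_uid)
            for c in pod["containers"]}


def operator_runs_as_rook(deployment):
    """True only if every container has an explicit UID equal to ROOK_UID."""
    return all(uid == ROOK_UID for uid in effective_uids(deployment).values())


def unprotected(resources):
    """Names of critical resources with no finalizer: a delete would succeed outright."""
    return [r["metadata"]["name"] for r in resources if not r["metadata"].get("finalizers")]


def deletion_held(resource):
    """True when a delete was issued but finalizers keep the object alive (Terminating)."""
    md = resource["metadata"]
    return bool(md.get("deletionTimestamp")) and bool(md.get("finalizers"))
```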

Cluster-wide encryption

Cluster-wide encryption was introduced in 1.6 and has continued to evolve. As a reminder, cluster-wide encryption lets you encrypt all your OSD disks transparently, with the encryption keys managed by Rook. The keys can optionally be stored safely in a Key Management System (KMS). Prior to 1.8, only Vault token-based authentication was supported. Rook now also supports Kubernetes-native authentication to Vault using a Service Account, allowing a smoother and more integrated experience.

Krew plugin

Krew is the package manager for kubectl plugins. It extends the CLI capabilities of kubectl by allowing extra commands and arguments to be passed. During the 1.8 cycle, we added our own Rook plugin to run Ceph commands without needing a toolbox pod. All you need is a running Rook-Ceph operator, and the plugin handles the rest. Interacting with the Ceph cluster has never been easier. Today the plugin is limited to forwarding Ceph commands, but we plan to add more capabilities.

We would love feedback on this new plugin. What functionality would you like to see added? Let us know!

Improving Onboarding

Contributions are important to us regardless of their level (documentation, code, bug reports, feature requests). Everything counts! Thus we want to make Rook’s onboarding experience as smooth as possible. Recently we have started recommending GitHub Discussions for asking questions or providing feedback. We really encourage you to use that space in addition to Slack or GitHub issues.

From a developer standpoint, we have documented how to set up your development environment, with the intention of making contributions easier.

What’s Next?

As we continue the journey to develop reliable storage operators for Kubernetes, we look forward to your ongoing feedback. Only with the community is it possible to continue this fantastic momentum.

There are many different ways to get involved in the Rook project, whether as user or developer. Please join us in helping the project continue to grow on its way beyond the v1.8 milestone!

Co-author: Travis Nielsen