Suscríbase al feed


Peer-pods solution is supported with Red Hat OpenShift sandboxed containers 1.5 alongside Red Hat OpenShift 4.14. With this new release, peer-pods deployment on public cloud AWS and Azure are fully supported by Red Hat. The peer-pods solution is also the foundation for confidential containers on Red Hat OpenShift.

Currently, Container Storage Interface (CSI) persistent volumes for peer-pods solution is not supported. However, there are alternatives available depending on your environment and use cases.  For example, if you deploy peer-pods on AWS and have a workload that needs to process data stored in Amazon S3 (Simple Storage Service), then this blog is for you. 

This blog demonstrates how to access object data stored in Amazon S3 in your workloads deployed using OpenShift sandboxed containers.

Topology overview

Amazon S3 is an object storage service that uses a bucket to store the objects. The application Mountpoint for Amazon S3 is used to mount an Amazon S3 bucket as a local directory inside a Linux operating system. 

Amazon S3 topology

In Amazon S3, a bucket is used to store objects. A bucket is a storage container. The bucket and object topology looks like this:

Topology overview

To use Amazon S3, you need to create a bucket.

Peer-pods with Amazon S3 bucket topology

The chart below illustrates the topology of OpenShift sandboxed container peer-pods with an Amazon S3 bucket mounted using Mountpoint for Amazon S3. 

Peer-pods with Amazon S3 bucket topology

The pod is deployed on the AWS cloud instance (a virtual machine). The OpenShift worker nodes and pod virtual machine (VM) are running at the same virtualization level. The Amazon S3 bucket is mounted to the container running inside the Pod VM.

Configuring an s3 bucket for use with peer-pods

If you want to follow along with this example, you must have the OpenShift sandboxed containers operator installed with peer-pods on AWS. Refer to Red Hat documentation for setup instructions. Configuration for Amazon S3 is described below.

Create an S3 bucket

First, you need to log into AWS and create a bucket.

  1. Select S3 under Storage
  2. Click + Create bucket button
  3. Create a bucket by setting up the Bucket name (for example, peerpodsstorage), Region, and other options
  4. Click the Create button
Create an S3 bucket

Create a secret with auth details

You need valid AWS credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access your bucket. In this blog, we use a Kubernetes secret object to store the AWS credentials, and have made the details available as environment variables to the pod.

# export S3_BUCKET=peerpodsstorage 
# export AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id) 
# export AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key)

You must explicitly specify the S3 bucket name to use. In this blog, we use a peerpodsstorage storage account (S3_BUCKET), created in the previous step. 

# cat > storage-secret.yaml  <<EOF 
apiVersion: v1 
kind: Secret 
  name: storage-secret 
type: Opaque 
  S3_BUCKET: "${S3_BUCKET}" 

Apply the configuration with the oc command:

# oc apply -f storage-secret.yaml

Start the pod

There are two common approaches to using an Amazon S3 bucket mounted volume in peer-pods containers. One is to use the Amazon S3 bucket before the application workload, demonstrated in example 1 below. The other is to use the Amazon S3 bucket with a container lifecycle hook, demonstrated in example 2 below.

Example 1:  Use Amazon S3 bucket before the application workload

In this example, the Amazon S3 bucket mounting is executed before the application workload and we use secrets to get the AWS auth details. You do this with a YAML configuration file:

apiVersion: v1 
kind: Pod 
  name: test-s3 
    app: test-s3 
  runtimeClassName: kata-remote 
    - name: test-s3 
      command: ["sh", "-c"] 
        - mknod /dev/fuse -m 0666 c 10 229 && mkdir /mycontainer && mount-s3 "$S3_BUCKET" /mycontainer && sleep infinity 
        privileged: true 
        - name: S3_BUCKET 
              name: s3-secret 
              key: S3_BUCKET 
        - name: AWS_ACCESS_KEY_ID 
              name: s3-secret 
              key: AWS_ACCESS_KEY_ID 
        - name: AWS_SECRET_ACCESS_KEY 
              name: s3-secret 
              key: AWS_SECRET_ACCESS_KEY

Apply the configuration with the oc command:

# oc apply -f test-s3.yaml

Log in to the container to verify that the S3 bucket has been mounted successfully:

# oc rsh test-s3 
# mount 
mountpoint-s3 on /mycontainer type fuse (rw,nosuid,nodev,noatime,user_id=0,group_id=0,default_permissions)

On the Buckets > peerpodsstorage page, create a file named test in the /mycontainer directory.

peerpodsstorage page

Verify that the new directory is visible:

# ls


Example 2: Use an S3 bucket with a container lifecycle hook

In this example, the Amazon S3 bucket mounting is executed at the container postStart lifecycle, and we use secrets to get the AWS auth details. Create the YAML configuration:

apiVersion: v1 
kind: Pod 
  name: test-s3-2 
    app: test-s3-2 
  runtimeClassName: kata-remote 
    - name: test-s3-2 
            command: ["/bin/sh", "-c", "mkdir /mycontainer && mknod /dev/fuse -m 0666 c 10 229 && mount-s3 "$S3_BUCKET" /mycontainer"] 
        privileged: true 
        - name: S3_BUCKET 
              name: s3-secret 
              key: S3_BUCKET 
        - name: AWS_ACCESS_KEY_ID 
              name: s3-secret 
              key: AWS_ACCESS_KEY_ID 
        - name: AWS_SECRET_ACCESS_KEY 
              name: s3-secret 
              key: AWS_SECRET_ACCESS_KEY

Apply the configuration with the oc command:

# oc apply -f test-s3-2.yaml

Log in to the container to verify that the S3 bucket has mounted successfully:

# oc rsh test-s3-2 
# df -a 
Filesystem     1K-blocks     Used Available Use% Mounted on 
overlay         81106868 10939832  70150652  14% / 
mountpoint-s3          0        0         0    - /mycontainer 

Note that there are no stats. This is expected behavior, because Mountpoint doesn't yet report file system stats.


In this blog post, we demonstrated how to incorporate Amazon S3 data into your Red Hat OpenShift workload using an S3 bucket. We hope you find this information helpful.

Sobre los autores

Pei Zhang is a quality engineer in Red Hat since 2015. She has made testing contributions to NFV Virt, Virtual Network, SR-IOV, KVM-RT features. She is working on the Red Hat OpenShift sandboxed containers project.

Read full bio

Pradipta is working in the area of confidential containers to enhance the privacy and security of container workloads running in the public cloud. He is one of the project maintainers of the CNCF confidential containers project.  

Read full bio

Navegar por canal

automation icon


Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos

AI icon

Inteligencia artificial

Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar

open hybrid cloud icon

Nube híbrida abierta

Vea como construimos un futuro flexible con la nube híbrida

security icon


Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías

edge icon

Edge computing

Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge

Infrastructure icon


Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo

application development icon


Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones

Original series icon

Programas originales

Vea historias divertidas de creadores y líderes en tecnología empresarial