The NFS server
A dedicated VM (K8s-NFS, 10.100.100.12) does one job: export a directory.
K8s-NFS (10.100.100.12)
nfs-kernel-server
export: /srv/nfs/k8s -> 10.100.100.0/24 (rw, no_root_squash)
firewall: allow tcp/2049 from 10.100.100.0/24 (NFSv4)
The export is scoped to the private subnet, so only lab machines can mount it. no_root_squash is enabled because the CSI driver (next page) needs to manage ownership on the subdirectories it creates. That is a reasonable concession on a trusted network, but be clear about what it buys: root on any host in 10.100.100.0/24, a compromised node included, can write root-owned files (setuid binaries among them) onto the export, and the server will not remap them to nobody. It's exactly the kind of thing you'd tighten in production.
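As an added example (not part of the original post or the lab's own tooling), here is a small audit of an /etc/exports file that flags the concessions discussed above: exports with no client restriction, no_root_squash, and insecure. It applies the exports(5) defaults, so a client with no option list is read as ro,root_squash,secure, and it honours the exports(5) rule that a space before the parenthesis exports to everyone. The export line and the second, deliberately sloppy file are constructed for the demo.

```python
"""Audit an /etc/exports file for options that widen who can write as whom.

Added example for this page; not the lab's own tooling. The sample export
files at the bottom are constructed for the demo.
"""
import ipaddress
import re

# Options exportfs applies when a client has no option list (exports(5)).
DEFAULT_OPTIONS = {"ro", "sync", "root_squash", "secure", "subtree_check", "wdelay"}

# Each option cancels its counterpart; used to resolve the final option set.
_OPPOSITE = {
    "rw": "ro", "no_root_squash": "root_squash", "insecure": "secure",
    "no_subtree_check": "subtree_check", "async": "sync", "no_wdelay": "wdelay",
}
_OPPOSITE.update({v: k for k, v in list(_OPPOSITE.items())})

# One client token: 'host', 'host(opts)' or a bare '(opts)' meaning everyone.
_TOKEN = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, client, options)] with defaults and negations resolved.

    Understands '#' comments, backslash continuations and the exports(5)
    rule that '(opts)' with no client in front means the whole world.
    Quoted paths containing spaces are not handled.
    """
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: join with the next line
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]
        for token in clients:
            m = _TOKEN.match(token)
            if not m:
                raise ValueError(f"cannot parse export token {token!r} for {path}")
            opts = set(DEFAULT_OPTIONS)
            for opt in (m.group("opts") or "").split(","):
                opt = opt.strip()
                if opt:
                    opts.discard(_OPPOSITE.get(opt, ""))   # e.g. rw cancels ro
                    opts.add(opt)
            entries.append((path, m.group("client") or "*", opts))
    return entries


def client_scope(client):
    """Classify a client field as 'world', 'network' or 'host'."""
    if any(c in client for c in "*?["):
        return "world"                   # '*' or a wildcard hostname
    if client.startswith("@"):
        return "network"                 # NIS netgroup: several hosts
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "host"                    # a plain hostname
    return "host" if net.num_addresses == 1 else "network"


def audit_exports(text):
    """Return (path, client, finding, why) for each risky export option."""
    findings = []
    for path, client, opts in parse_exports(text):
        scope = client_scope(client)
        if scope == "world":
            findings.append((path, client, "world",
                             "no client restriction: anything that reaches tcp/2049 can mount it"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash",
                             f"root on any client in {client} ({scope}) can write root-owned "
                             "files, setuid binaries included"))
        if "insecure" in opts:
            findings.append((path, client, "insecure",
                             "requests from unprivileged source ports accepted: any local "
                             "user on a client, not just root, can talk to the server"))
    return findings


# Constructed: the export this page describes, with the usual extra options.
LAB_EXPORTS = "/srv/nfs/k8s 10.100.100.0/24(rw,sync,no_subtree_check,no_root_squash)\n"

# Constructed: a sloppy file. The stray space on the last line exports
# /srv/data read-write to everyone, while 10.100.100.12 only gets the defaults.
RISKY_EXPORTS = """\
# world-readable export, plus a classic typo
/srv/public *(ro)
/srv/data 10.100.100.12 (rw,insecure)
"""

if __name__ == "__main__":
    for name, text in (("lab", LAB_EXPORTS), ("risky", RISKY_EXPORTS)):
        for path, client, finding, why in audit_exports(text):
            print(f"{name}: {path} {client}: {finding}: {why}")
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; on the lab export it reports exactly one finding, the no_root_squash concession, and a clean run means the file matches what the paragraph above says it should be.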
Two deliberate decisions:
- NFSv4 only, one port. v4 needs just TCP 2049, which keeps the firewall rule to a single line. (v3 drags in a portmapper and a fistful of random ports: more surface, more to open.)
- A whole dedicated VM for it. It would be tempting to fold NFS onto an existing box, but giving storage its own VM means its disk, its load, and its failure domain are cleanly separated.
The Kubernetes nodes just need the nfs-common client package installed so the kubelet can mount NFS volumes. That's part of their baseline.