The Astra Trident team is pleased to announce our latest build, v22.07. It is now available for download from Trident’s GitHub webpage and includes the following features and enhancements:
  • Per-Node Initiator groups for ontap-san volumes: v22.07 will provision an initiator group (igroup) per Kubernetes node. Earlier versions of Trident operated with one igroup per backend. Now, every node that needs to attach a newly provisioned ontap-san volume has its LUNs mapped to an igroup dedicated to that node. A LUN is mapped to an igroup only if it is published to the node to which the igroup belongs, which gives you increased security and more granular volume access control. Dynamically mapping a LUN to the nodes that use it helps prevent unauthorized access by clients present in the Kubernetes cluster. In multi-tenant environments, volumes are accessed only if they are mapped to the igroup created for the node containing the workload. As your workloads move across nodes, Trident will update igroup mappings and move volumes too.

  • Trident now includes a resource quota. This ensures that Trident’s daemonset pods get scheduled, irrespective of how the Kubernetes admission controller is configured. In certain Kubernetes distributions, the admission controller is set up to restrict the consumption of PriorityClasses. Trident's daemonset uses the system-node-critical PriorityClass, which allows daemonset pods to be prioritized over lower priority workloads. A PriorityClass enables you to define relative priority for when applications are scheduled or evicted due to resource constraints. Providing a resource quota makes it possible for Trident's daemonset to be deployed even if your admission controller restricts the consumption of PriorityClasses.

  • Trident’s PodSecurityPolicy (PSP) and SecurityContextConstraint (SCC) are tightened to restrict the volume plugin types that they can use. This is applicable to Trident’s operator as well. As part of a growing emphasis on security, this move helps restrict Trident's scope of operation and the resource types it can use. Access to Linux capabilities is removed. Allowed volume types are narrowed down to a smaller list.

  • Network Features for Azure NetApp Files: Azure NetApp Files (ANF) recently introduced a feature that allows you to incorporate VNet features. Trident can now create ANF volumes that allow network features to be configured. This is done using the networkFeatures backend configuration option. The feature is currently in public preview, and you must register it in your Azure subscription before it can be used with Trident.

  • The minimum version of Kubernetes is set to 1.19.
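
The per-node igroup change described in the first item above, as an added example that is not Trident's code: a small Python model of LUN masking that lists every (LUN, node) pair where a node can reach a LUN that is not published to it, before and after a workload moves. Node names, LUN names and the igroup name "backend" are constructed, and the model assumes the per-backend scheme places every node's initiator in that single igroup.

```python
from collections import defaultdict

class IgroupModel:
    """Toy model of LUN masking; per_node=False mimics one igroup per backend."""
    def __init__(self, nodes, per_node):
        self.per_node = per_node
        self.published = defaultdict(set)  # lun -> nodes running a workload that uses it
        self.igroups = defaultdict(set)    # igroup name -> initiator nodes it contains
        self.lun_maps = defaultdict(set)   # lun -> igroup names the LUN is mapped to
        if not per_node:
            # Assumption: the shared igroup holds every node's initiator.
            self.igroups["backend"] = set(nodes)

    def publish(self, lun, node):
        self.published[lun].add(node)
        name = node if self.per_node else "backend"
        self.igroups[name].add(node)
        self.lun_maps[lun].add(name)

    def unpublish(self, lun, node):
        self.published[lun].discard(node)
        if self.per_node:
            self.lun_maps[lun].discard(node)       # drop only this node's mapping
        elif not self.published[lun]:
            self.lun_maps[lun].discard("backend")  # last user gone, unmap the LUN

    def reachable(self, lun):
        """Nodes whose initiator sits in any igroup the LUN is mapped to."""
        return set().union(*(self.igroups[g] for g in self.lun_maps[lun]))

    def overexposed(self):
        """(lun, node) pairs where a node can reach a LUN not published to it."""
        return sorted((lun, n) for lun in self.lun_maps
                      for n in self.reachable(lun) - self.published[lun])

def scenario(per_node):
    m = IgroupModel(["node-a", "node-b", "node-c"], per_node)
    m.publish("lun-tenant1", "node-a")
    m.publish("lun-tenant2", "node-b")
    before = m.overexposed()
    # tenant1's pod is rescheduled from node-a to node-c
    m.unpublish("lun-tenant1", "node-a")
    m.publish("lun-tenant1", "node-c")
    return before, m.overexposed(), m.reachable("lun-tenant1")

if __name__ == "__main__":
    for per_node in (False, True):
        print("per-node igroups:", per_node, scenario(per_node))
```

An empty list from `overexposed()` is the property to check for in a multi-tenant cluster: no node can reach a LUN unless a workload on that node uses it.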

Join us on Discord!

Our community has a new home! NetApp's Discord server is a great place to reach out to experts and stay informed! You will find dedicated channels for most topics where you can engage with like-minded professionals and subject matter experts. Are you an Astra Trident newbie coming up to speed? Do you want to learn about nodeSelectors and Pod Security Policies? Then the #trident channel is the place to be!

Sign up today!

About Bala RameshBabu

Bala is a Technical Marketing Engineer who focuses on Trident, NetApp's dynamic storage provisioner for Kubernetes and Docker. With a background in OpenStack, he focuses on open-source solutions and DevOps workflows. When not at work, you can find him on a soccer field or reading biographies.
