Creating a ClusterRole to Access a PV in Kubernetes

Hands-On Lab

 

Chad Crowell

DevOps Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate

ClusterRoles in Kubernetes define which actions (verbs) can be performed on which resources. ClusterRoleBindings determine who can perform those actions. By default, pods cannot query PVs (Persistent Volumes) directly, because the service account a pod runs as has no permission on that resource. Therefore, we must create a custom role in Kubernetes to allow this direct access from a pod.

Creating a ClusterRole to Access a PV in Kubernetes

We have been given access to a three-node cluster. Within that cluster, a PV has already been provisioned. We need to make sure we can access the PV directly from a pod in our cluster. By default, pods cannot access PVs directly, so we will create a ClusterRole and test the access once it exists. A ClusterRole grants nothing on its own: it requires a ClusterRoleBinding to bind the role to a user, service account, or group. After we have created the ClusterRole and ClusterRoleBinding, we will try to access the PV directly from a pod.

Log in to the Kube Master server using the credentials on the lab page (either in your local terminal, using the Instant Terminal feature, or using the public IP), and work through the objectives listed.

View the Persistent Volume.

  1. Use the following command to view the Persistent Volume within the cluster:

    kubectl get pv

Create a ClusterRole.

  1. Use the following command to create the ClusterRole:

    kubectl create clusterrole pv-reader --verb=get,list --resource=persistentvolumes

Create a ClusterRoleBinding.

  1. Use the following command to create the ClusterRoleBinding:

    kubectl create clusterrolebinding pv-test --clusterrole=pv-reader --serviceaccount=web:default

Create a pod to access the PV.

  1. Save the following YAML as curlpod.yaml. It defines a pod that will proxy the connection to the Kubernetes API and allow you to curl the address:

    apiVersion: v1
    kind: Pod
    metadata:
      name: curlpod
      namespace: web
    spec:
      containers:
      - image: tutum/curl
        command: ["sleep", "9999999"]
        name: main
      - image: linuxacademycontent/kubectl-proxy
        name: proxy
      restartPolicy: Always

  2. Use the following command to create the pod:

    kubectl apply -f curlpod.yaml

Request access to the PV from the pod.

  1. Use the following command to open a shell in the pod:

    kubectl exec -it curlpod -n web -- sh

  2. Use the following command (from within the pod) to curl the PV resource:

    curl localhost:8001/api/v1/persistentvolumes
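
The ClusterRole, ClusterRoleBinding, and pod steps above, written as declarative manifests. This is an added example, not part of the original lab. It keeps the lab's `pv-reader` role but binds it to a dedicated service account instead of `web:default`, so that other pods running as the default service account in the `web` namespace do not also receive cluster-wide read access to PVs. The names `pv-reader-sa` and `pv-reader-sa-binding` are assumptions.

```yaml
# Equivalent of:
#   kubectl create clusterrole pv-reader --verb=get,list --resource=persistentvolumes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-reader
rules:
- apiGroups: [""]                    # core API group, where persistentvolumes live
  resources: ["persistentvolumes"]
  verbs: ["get", "list"]             # read-only: no create, update, patch or delete
---
# Dedicated identity for the one pod that needs PV read access (assumed name).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pv-reader-sa
  namespace: web
---
# Same roleRef as the lab's pv-test binding; only the subject differs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pv-reader-sa-binding         # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pv-reader
subjects:
- kind: ServiceAccount
  name: pv-reader-sa                 # the lab's pv-test binding uses "default" here
  namespace: web
---
# The lab's curlpod, changed only to run as the dedicated service account.
apiVersion: v1
kind: Pod
metadata:
  name: curlpod
  namespace: web
spec:
  serviceAccountName: pv-reader-sa
  containers:
  - image: tutum/curl
    command: ["sleep", "9999999"]
    name: main
  - image: linuxacademycontent/kubectl-proxy
    name: proxy
  restartPolicy: Always
```

To check the result without starting a pod, run `kubectl auth can-i list persistentvolumes --as=system:serviceaccount:web:pv-reader-sa`, which should answer `yes`. With the lab's `pv-test` binding absent, the same check for `system:serviceaccount:web:default` should answer `no`.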

Conclusion

Congratulations on completing this lab!