An external provisioner is an application that enables dynamic provisioning for a particular storage provider. External provisioners can run alongside the provisioner plug-ins provided by OpenShift Origin and are configured in a similar way as the StorageClass objects are configured, as described in the Dynamic Provisioning and Creating Storage Classes section. Since these provisioners are external, you can deploy and update them independently of OpenShift Origin.

Before You Begin

An Ansible Playbook is also available to deploy and upgrade external provisioners.

Before proceeding, familiarize yourself with the Configuring Cluster Metrics and the Configuring Cluster Logging sections.

External Provisioners Ansible Role

The OpenShift Ansible openshift_provisioners role configures and deploys external provisioners using the variables from the Ansible inventory file. You must specify which provisioners to install by overriding their respective install variables to true.

External Provisioners Ansible Variables

Following is a list of role variables that apply to all provisioners for which the install variable is true.

Table 1. Ansible Variables
Variable Description


If true, deploy all provisioners that have their respective install variables set as true, otherwise, remove them.


The prefix for the component images. For example, with openshift/origin-efs-provisioner:v1.0.0, set prefix openshift/origin-.


The version for the component images. For example, with openshift/origin-efs-provisioner:v1.0.0, set version as v1.0.0.


The project to deploy provisioners in. Defaults to openshift-infra.

AWS EFS Provisioner Ansible Variables

The AWS EFS provisioner dynamically provisions NFS PVs backed by dynamically created directories in a given EFS file system’s directory. You must satisfy the following requirements before the AWS EFS Provisioner Ansible variables can be configured:

  • An IAM user assigned with the AmazonElasticFileSystemReadOnlyAccess policy (or better).

  • An EFS file system in your cluster’s region.

  • Mount targets and security groups such that any node (in any zone in the cluster’s region) can mount the EFS file system by its File system DNS name.

Table 2. Required EFS Ansible Variables
Variable Description


The File system ID of the EFS file system, for example: fs-47a2c22e


The Amazon EC2 region for the EFS file system.


The AWS access key of the IAM user (to check that the specified EFS file system exists).


The AWS secret access key of the IAM user (to check that the specified EFS file system exists).

Table 3. Optional EFS Ansible Variables
Variable Description


If true, the AWS EFS provisioner is installed or uninstalled according to whether openshift_provisioners_install_provisioners is true or false, respectively. Defaults to false.


The path of the directory in the EFS file system, in which the EFS provisioner will create a directory to back each PV it creates. It must exist and be mountable by the EFS provisioner. Defaults to /persistentvolumes.


The provisioner name that StorageClasses specify. Defaults to openshift.org/aws-efs.


A map of labels to select the nodes where the pod will land. For example: {"node":"infra","region":"west"}.


The supplemental group to give the pod, in case it is needed for permission to write to the EFS file system. Defaults to 65534.

Deploying the Provisioners

You can deploy all provisioners at once or one provisioner at a time according to the configuration specified in the OpenShift Ansible variables. The following example shows you how to deploy a given provisioner and then create and configure a corresponding StorageClass.

Deploying the AWS EFS Provisioner

The following command sets the directory in the EFS volume to /data/persistentvolumes. This directory must exist in the file system and must be mountable and writeable by the provisioner pod.

$ ansible-playbook <OPENSHIFT_ANSIBLE_DIR>/common/openshift-cluster/openshift_provisioners.yml \
   -e openshift_provisioners_install_provisioners=True \
   -e openshift_provisioners_efs=True \
   -e openshift_provisioners_efs_fsid=fs-47a2c22e \
   -e openshift_provisioners_efs_region=us-west-2 \
   -e openshift_provisioners_efs_aws_access_key_id=AKIAIOSFODNN7EXAMPLE \
   -e openshift_provisioners_efs_aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
   -e openshift_provisioners_efs_path=/data/persistentvolumes


For information on allowing the provisioner pod to write to EFS directory (which is a remote NFS directory), see the SELinux section of NFS Volume Security topic. The same information applies for allowing other pods to consume the NFS volumes provisioned by the provisioner pod.

AWS EFS Object Definition

kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
  name: slow
provisioner: openshift.org/aws-efs (1)
  gidMin: "40000" (2)
  gidMax: "50000" (3)
1 Set this value same as the value of openshift_provisioners_efs_name variable, which defaults to openshift.org/aws-efs.
2 The minimum value of GID range for the StorageClass. (Optional)
3 The maximum value of GID range for the StorageClass. (Optional)

Each dynamically provisioned volume’s corresponding NFS directory is assigned a unique GID owner from the range gidMin-gidMax. If it is not specified, gidMin defaults to 2000 and gidMax defaults to 2147483647. Any pod that consumes a provisioned volume via a claim automatically runs with the needed GID as a supplemental group and is able to read & write to the volume. Other mounters that do not have the supplemental group (and are not running as root) will not be able to read or write to the volume. For more information on using the supplemental groups to manage NFS access, see the Group IDs section of NFS Volume Security topic.


You can remove everything deployed by the OpenShift Ansible openshift_provisioners role by running the following command:

$ ansible-playbook <OPENSHIFT_ANSIBLE_DIR>/common/openshift-cluster/openshift_provisioners.yml \
   -e openshift_provisioners_install_provisioners=False