Chainguard Container for azuredisk-csi-fips

The Azure Disk CSI driver enables the provisioning and management of Azure Disks through Kubernetes.This driver provides an interface for attaching, detaching, and managing persistent disks on Azure, helping applications achieve durable and high-performing storage.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/azuredisk-csi-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Example Usage with Chainguard Image

This guide outlines steps to test volume provisioning with the Azure Disk CSI driver. The Azure Disk CSI driver enables the provisioning and management of Azure Disks through Kubernetes.

Prerequisites

To test the Azure Disk CSI driver, you need:

• Azure CLI
• Access to an Azure account
• An AKS cluster
• Proper IAM roles and policies configured for Azure Disk CSI driver, with permissions to create and attach disks to the AKS nodes.

Install the Azure Disk CSI Driver

The Azure Disk CSI driver can be installed via Helm. Ensure you have the Helm repo added:

helm repo add azuredisk-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/charts
helm repo update

Then, install the driver with the following command, ensuring appropriate values are set in the configuration file:

helm install azuredisk-csi-driver azuredisk-csi-driver/azuredisk-csi-driver \
--namespace kube-system \
--set image.azuredisk.repository=cgr.dev/chainguard/azuredisk-csi-fips \
--set image.azuredisk.tag=latest \
--set image.azuredisk.pullPolicy=IfNotPresent \
--set serviceAccount.node=new-csi-azuredisk-node-sa \
--set serviceAccount.create=true \
--set rbac.name=new-csi-azuredisk \
--set controller.hostNetwork=false \
--set controller.replicas=1 \
--set linux.hostNetwork=false \
--set linux.dsName=new-csi-azuredisk-node \
--set windows.dsName=new-csi-azuredisk-node-win

If you face any issues with the above helm install, you might have to annotate the below

Annotate and label the CSI driver for Helm management:

kubectl annotate csidriver disk.csi.azure.com \
  meta.helm.sh/release-name=azuredisk-csi-driver \
  meta.helm.sh/release-namespace=kube-system

kubectl label csidriver disk.csi.azure.com \
  app.kubernetes.io/managed-by=Helm

Check that the CSI driver controller and node pods are running:

kubectl get pods -n kube-system -l "app.kubernetes.io/name=azuredisk-csi-driver"

Step 1: Create a StorageClass for Azure Disk

Create a StorageClass to provision disks using the Azure Disk CSI driver. This StorageClass should specify disk.csi.azure.com as the provisioner.

kubectl apply -f -<<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azure-disk
provisioner: disk.csi.azure.com
volumeBindingMode: WaitForFirstConsumer
EOF

Step 2: Create a PersistentVolumeClaim (PVC)

Request a PersistentVolumeClaim using the Azure Disk StorageClass created in Step 1.

kubectl apply -f -<<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azure-disk-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: azure-disk
  resources:
    requests:
      storage: 5Gi
EOF

Verify the PVC has been created and is bound to a PersistentVolume (PV):

kubectl get pvc azure-disk-pvc

Example output:

NAME             STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
azure-disk-pvc   Bound    pvc-1234abcd-56ef-78gh-ijkl-mnopqrstuvwx   5Gi        RWO            azure-disk     10s

Step 3: Create a Pod to Use the PVC

Create a Pod that uses the PVC to test the volume's functionality. This Pod will write a test file to the mounted volume.

kubectl apply -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
  name: azure-disk-test-pod
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh", "-c", "echo 'Hello from Azure Disk!' > /mnt/azure/hello.txt && sleep 3600"]
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: azure
  volumes:
  - name: azure
    persistentVolumeClaim:
      claimName: azure-disk-pvc
EOF

Verify that the Pod is created and enters the Running state:

kubectl get pod azure-disk-test-pod

Step 4: Verify Data Written to the Disk

Check that the data written by the Pod to the Azure Disk is successfully stored.

kubectl exec azure-disk-test-pod -- cat /mnt/azure/hello.txt

Expected output:

Hello from Azure Disk!

Step 5: Check Logs of the Azure Disk CSI Driver

Check the logs of the Azure Disk CSI driver's controller and node pods to ensure that there are no errors during the volume provision and attachment process.

Controller Logs

kubectl logs -n kube-system -l "app.kubernetes.io/name=azuredisk-csi-driver" -c csi-provisioner

Node Logs

kubectl logs -n kube-system -l "app.kubernetes.io/name=azuredisk-csi-driver" -c azuredisk

Step 6: Clean Up

Once testing is complete, clean up the resources created:

kubectl delete pod azure-disk-test-pod
kubectl delete pvc azure-disk-pvc
kubectl delete storageclass azure-disk

If you installed the Azure Disk CSI driver with Helm and want to remove it:

helm uninstall azuredisk-csi-driver -n kube-system

---

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.