Storage design for VPC virtual servers

OpenShift Data Foundation (ODF)

OpenShift Data Foundation (ODF) is Red Hat’s integrated storage solution for OpenShift that provides persistent, software-defined storage for containerized applications. It delivers highly available and scalable storage by combining object, block, and file storage under a unified platform. ODF offers features like snapshots, replication, and scalable storage management, all integrated seamlessly with the OpenShift console and APIs, making it easier to manage storage across diverse workloads.

The primary storage option for OpenShift Virtualization is OpenShift Data Foundation. It is a highly available storage solution that consists of several open source operators and technologies like Ceph, NooBaa, and Rook. These operators allow you to provision and manage File, Block, and Object storage for your clusters using storage classes.

ODF abstracts your underlying storage, and you can use ODF to create File, Block, or Object storage claims from the same underlying raw block storage. In virtualization, ODF uses local NVMe disks on VPC BMSs to create a performant virtualized storage layer, where your app data is replicated in multiples of 3 for high availability by default. Using ODF with OpenShift Virtualization is especially critical if you want to use disaster recovery (DR) capabilities for your VM workloads.

For more details of ODF, refer to Understanding OpenShift Data Foundation.

IBM Cloud Object Storage

IBM Cloud Object Storage can be used with backup solutions, or other Object Storage related use cases. COS allows backup data to be stored outside of the ODF cluster in case a disaster occurs.

IBM Cloud Object Storage is a fully managed IBM Cloud service, while object storage built in the ODF clusters is self-managed on ROKS managed worker nodes. Depending on the use case, there might be a use case for either, or even both of these.

File Storage for VPC

Customers can use File Storage for VPC, which is a network-attached storage with NFS support.

IBM Cloud File Storage for VPC is persistent, fast, and flexible network-attached, NFS-based File Storage for VPC that you can add to your apps by using persistent volumes claims (PVCs). You can choose between predefined storage classes that meet the GB sizes and IOPS that meet the requirements of your workloads.

• All file shares are provisioned with zonal availability, except regional classes which have regional availability.
• All classes are elastic network interface (ENI) enabled.
• All classes support cross-zone mounting.

Regional file share classes can be a better choice for workloads that prioritize durability, availability, or symmetric access across zones over low latency.

• Volume size can range between 1 GiB to 32,000 GiB.
• Volume performance is fixed at 35,000 IOPS.
• The tunable throughput range is 1-8192 Mbps.

See About File Storage for VPC for the details.

For NFS based file share needs for your workloads, you can also use the NFS storage built in the ODF clusters. The key differences here are that File Storage for VPC is a fully managed IBM Cloud service, while NFS storage built in the ODF clusters is self-managed on ROKS managed worker nodes. Also the IOPS and size settings are independent of your clusters. Depending on the use case, there might be a use case for either, or even both of these.

For OpenShift Virtualization workloads, keep the following considerations in mind:

• Snapshots are not supported.
• Each Persistent Volume Claim (PVC) created with this provisioner will provision an NFS share and a mount target in your IBM Cloud VPC.
• A PVC can be mounted as a volume in multiple pods or VMs; however, it cannot be shared across multiple VM deployments.
• For VMs deployment, one VM disk equals one PVC, which means one NFS share per VM disk.

Deploy the File storage shares for VPC add-on on your ROKS cluster by following the instructions in the IBM Cloud documentation Enabling the IBM Cloud File Storage for VPC cluster add-on.

The add-on automatically installs the PersistentVolume provisioner vpc.file.csi.ibm.io and creates a set of StorageClasses named ibmc-vpc-file-*, each offering different IOPS tiers as well as varying reclaim and binding policies. For the full list of available StorageClasses and detailed explanations of their parameters, refer to Storage class reference.

Block Storage for VPC

This add-on provisions hypervisor-mounted, high-performance, block-level data storage for your worker nodes by using Kubernetes persistent volume claims (PVCs). It enables you to store virtual machine disks on IBM Cloud Block Storage volumes.

See About Block Storage for VPC for details.

IBM Cloud Key Protect (encryption)

IBM Cloud Key Protect is a cloud-based key management service (KMS) that enables organizations to create, manage, and control encryption keys used to secure data across IBM Cloud services and applications. It provides centralized key lifecycle management with strong security and compliance features, helping businesses meet regulatory requirements and maintain data confidentiality.

Data on a file share is encrypted at rest with IBM-managed encryption by default. You can optionally use your own root keys to protect your file shares with customer-managed keys. About File Storage for VPC > Securing your data

The ODF add-on supports multiple layers of encryption, including:

• Cluster encryption: Encrypts data at rest across the entire storage cluster.
• In-transit encryption: Secures data as it moves between nodes, pods, and clients.
• Storage volume encryption: Provides encryption at the level of individual PersistentVolumes or storage volumes.

For instructions on setting up storage volume encryption in ROKS, refer to Setting up encryption by using Hyper Protect Crypto Services.