Mounting a persistent volume (PV) from an NFS file share fails with the following error on Tanzu Kubernetes Grid Integrated Edition (TKGI) using NSX-T with Network Address Translation (NAT):
mount.nfs: access denied by server while mounting
Tanzu Kubernetes Grid Integrated Edition (TKGI)
When a Pod attempts to mount a volume from an NFS share, it uses a source port lower than 1024. In environments configured with NSX-T and NAT, however, the source port is translated. As a result, the NFS server receives the connection from a source port greater than 1024, treats it as insecure, and refuses the mount.
To resolve this, update the NFS server configuration to permit connections from "insecure" ports. For enhanced security, you should restrict this permission to only the specific external NAT IP addresses or subnets used by the TKGI environment.
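One way to check that the change stays scoped as described above, as an added example that is not part of the original article or any vendor tooling. It assumes a Linux kernel NFS server configured through /etc/exports, where the `insecure` export option lifts the privileged-port requirement; the sample file, the placeholder NAT address 203.0.113.10 and the function name `audit_exports` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in Linux /etc/exports syntax (assumption: Linux kernel NFS
# server). 203.0.113.10 is a placeholder for the TKGI external NAT IP.
SAMPLE_EXPORTS = """\
/srv/nfs/pv-good  203.0.113.10(rw,sync,insecure,root_squash)
/srv/nfs/pv-wide  *(rw,sync,insecure)
/srv/nfs/pv-net   10.0.0.0/8(rw,insecure) 203.0.113.10(rw,insecure)
/srv/nfs/pv-anon  (ro,insecure,all_squash)
/srv/nfs/legacy   192.0.2.0/24(rw,sync)   # no 'insecure': privileged ports only
"""

# One "client(opt,opt,...)" entry; an empty client means "any host".
CLIENT_RE = re.compile(r"(?P<client>[^\s()]*)\((?P<opts>[^)]*)\)")


def audit_exports(text, allowed_nat):
    """Return (path, client, reason) for every 'insecure' grant that is not
    confined to the allowed NAT addresses or subnets."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_nat]
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank line, comment, or path with no client list
        path, clients = parts
        for m in CLIENT_RE.finditer(clients):
            opts = {o.strip() for o in m.group("opts").split(",")}
            if "insecure" not in opts:
                continue  # privileged source port still required here
            client = m.group("client") or "*"
            try:
                net = ipaddress.ip_network(client, strict=False)
            except ValueError:
                findings.append((path, client, "wildcard or hostname, not a pinned IP/subnet"))
                continue
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((path, client, "outside the allowed NAT ranges"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS, ["203.0.113.10/32"]):
        print(f"{path}: insecure granted to {client} ({reason})")
```

Only the `client(options)` form is parsed; default-option lines that start with `-` are outside what this check covers.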