一、使用持久化存储StorageClass(ceph挂载)
一、准备好ceph服务器,和创建k8s secret(第三步用到)
# 在k8s集群中所有节点安装 ceph-common # 需要使用kubelet使用rdb命令map附加rbd创建的image
yum install -y ceph-common
# 创建 osd pool 在ceph的mon或者admin节点
[root@bd-server-2 ~]# ceph osd pool create kube 128
pool 'ceph_rbd' created
[root@bd-server-2 ~]# rbd pool init kube
[root@bd-server-2 ~]# ceph osd pool application enable kube rbd #启动kube作为rdb存储池
# 创建k8s访问ceph的用户 在ceph的mon或者admin节点
ceph auth get-or-create client.kube mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=kube' -o ceph.client.kube.keyring
# 查看key 在ceph的mon或者admin节点
ceph auth get-key client.admin
ceph auth get-key client.kube
# 创建 admin secret # CEPH_ADMIN_SECRET 替换为 client.admin 获取到的key export CEPH_ADMIN_SECRET='AQBBAnRbSiSOFxAAEZXNMzYV6hsceccYLhzdWw=='
kubectl create secret generic ceph-secret --type="kubernetes.io/rbd" \
--from-literal=key=$CEPH_ADMIN_SECRET \
--namespace=kube-system
# 在 dev 命名空间创建pvc用于访问ceph的 secret # CEPH_KUBE_SECRET 替换为 client.kube 获取到的key export CEPH_KUBE_SECRET='AQBZK3VbTN/QOBAAIYi6CRLQcVevW5HM8lunOg=='
kubectl create secret generic ceph-user-secret --type="kubernetes.io/rbd" \
--from-literal=key=$CEPH_KUBE_SECRET \
--namespace=dev #和pvc同一个命名空间
# 查看 secret
kubectl get secret ceph-user-secret -o yaml -n dev
kubectl get secret ceph-secret -o yaml -n kube-system
二、开启rbac权限
RBAC基于角色的访问控制–全拼Role-Based Access Control
根据rbac.yaml 文件创建Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbd-provisioner
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-provisioner
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "update", "patch"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["services"]
resourceNames: ["kube-dns"]
verbs: ["list", "get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-provisioner
subjects:
- kind: ServiceAccount
name: rbd-provisioner
namespace: kube-system
roleRef:
kind: ClusterRole
name: rbd-provisioner
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: rbd-provisioner
namespace: kube-system
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rbd-provisioner
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rbd-provisioner
subjects:
- kind: ServiceAccount
name: rbd-provisioner
namespace: kube-system
这个文件是创建授权账户。为什么要授权?在K8S中,我们知道有 ApiServer 组件,它可以管理我们创建的 deployment, pod,service等资源,但是有些资源它是管不到的,比如说 K8S本身运行需要的组件等等,同样StorageClass这种资源它也管不到,所以,需要授权账户。
我们在master节点执行
[root@k8s-master1 static]
serviceaccount/rbd-provisioner created
clusterrole.rbac.authorization.k8s.io/rbd-provisioner created
clusterrolebinding.rbac.authorization.k8s.io/rbd-provisioner created
role.rbac.authorization.k8s.io/rbd-provisioner created
rolebinding.rbac.authorization.k8s.io/rbd-provisioner created
三、 创建StorageClass,指定provisioner
ceph-provisioner镜像包下载链接:
https://pan.baidu.com/s/1iSdea0TpdlyPUAYoaqjgsQ?pwd=u50u
提取码:u50u
创建ceph-sc-provisioner.yaml 文件
[root@k8s-master1 static]
apiVersion: apps/v1
kind: Deployment
metadata:
name: rbd-provisioner
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: rbd-provisioner
strategy:
type: Recreate
template:
metadata:
labels:
app: rbd-provisioner
spec:
containers:
- name: rbd-provisioner
image: "quay.io/external_storage/rbd-provisioner:latest"
env:
- name: PROVISIONER_NAME
value: ceph.com/rbd
serviceAccount: rbd-provisioner
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ceph-rbd
provisioner: ceph.com/rbd
parameters:
monitors: 10.0.19.127:6789,10.0.19.129:6789,10.0.19.130:6789
adminId: admin
adminSecretName: ceph-secret
adminSecretNamespace: kube-system
pool: kube
userId: kube
userSecretName: ceph-user-secret
fsType: ext4
imageFormat: "2"
imageFeatures: "layering"
reclaimPolicy: Retain
PS:nfs-client-provisioner这个镜像的作用,它通过k8s集群内置的ceph驱动,挂载远端的ceph服务器到本地目录,然后将自身作为storageprovisioner,然后关联到storageclass资源。
在master上创建
[root@k8s-master1 static]
deployment.apps/rbd-provisioner created
storageclass.storage.k8s.io/ceph-rbd created
四、基于StorageClass创建一个pvc,看看动态生成的pv是什么效果:
[root@k8s-master1 ~]
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: ceph-sc-claim
namespace: dev
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
- ReadOnlyMany
resources:
requests:
storage: 500Mi
[root@k8s-master1 ~]
persistentvolumeclaim/nginx created
[root@k8s-master1 static]
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
ceph-sc-claim Bound pvc-751e4b5d-7a29-4da8-ba40-b7dfb6e86320 500Mi RWO,ROX ceph-rbd 9m40s
[root@k8s-master1 static]
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-751e4b5d-7a29-4da8-ba40-b7dfb6e86320 500Mi RWO,ROX Delete Bound dev/ceph-sc-claim ceph-rbd 5m58s
五、创建pod测试
创建pod,申明PVC进行测试
[root@k8s-master1 ~]
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx
namespace: dev
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- name: html-files
mountPath: "/usr/share/nginx/html"
volumes:
- name: html-files
persistentVolumeClaim:
claimName: ceph-sc-claim
清空前面实验的pvc,由于pvc绑定了pv,直接删除pv删除不掉:kubectl delete pvc --all 先删pvc再删pv
如果有pod绑定,则需要先删除pod然后删除pvc,再删除pv,如果还需要清理后端存储,则最后根据情况删除后端存储数据
测试
在master上创建
[root@k8s-master1 ~]
deployment.apps/nginx unchanged
[root@k8s-master1 static]
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-5767cf6c4d-9vqt8 1/1 Running 0 112s 10.244.0.239 k8s-node1 <none> <none>
[root@k8s-node1 ~]
rbd0 252:0 0 500M 0 disk /var/lib/kubelet/pods/45ac8ba0-5cc3-4c34-99c6
[root@k8s-node1 ~]
[root@k8s-node1 ~]
hellow
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
