generated from container/tmpl
winloong
3 years ago
15 changed files with 468 additions and 2 deletions
@ -1,2 +1,47 @@ |
|||
# |
|||
# NFS |
|||
|
|||
|
|||
利用 k8s 部署 NFS 存储服务 |
|||
|
|||
## 没有 `NFS` 服务 |
|||
|
|||
使用 `server-and-client` 目录中的文件部署nfs 服务 |
|||
|
|||
需要注意根据实际数据持久化的节点,修改 `statefulset.yaml` 下面位置 |
|||
|
|||
```yaml |
|||
nodeSelector: |
|||
kubernetes.io/hostname: test-n3 |
|||
volumes: |
|||
- name: export-volume |
|||
hostPath: |
|||
path: /srv |
|||
``` |
|||
|
|||
`read-pod.yaml` 和 `write-pod.yaml` 是用来测试服务是否搭建成功的。 |
|||
|
|||
## 已经存在 `NFS` 服务 |
|||
|
|||
已经存在外部 `NFS` 如果 `k8s` 需要 持久化使用已存在的 `NFS`,使用 `client-only` 中的文件部署,`nfs provisioner` |
|||
|
|||
需要注意根据实际 NFS 的服务和 export 的目录,修改 `deployment.yaml` 下面位置 |
|||
|
|||
```yaml |
|||
volumeMounts: |
|||
- name: nfs-client-root |
|||
mountPath: /persistentvolumes |
|||
env: |
|||
- name: PROVISIONER_NAME |
|||
value: k8s-sigs.io/nfs-provisioner |
|||
- name: NFS_SERVER |
|||
value: 10.8.30.152 # nfs 服务 |
|||
- name: NFS_PATH |
|||
value: /data # export 的目录 |
|||
volumes: |
|||
- name: nfs-client-root |
|||
nfs: |
|||
server: 10.8.30.152 # nfs 服务 |
|||
path: /data # export 的目录 |
|||
``` |
|||
|
|||
|
|||
|
@ -0,0 +1,7 @@ |
|||
apiVersion: storage.k8s.io/v1 |
|||
kind: StorageClass |
|||
metadata: |
|||
name: k8s-sigs-nfs-client |
|||
provisioner: k8s-sigs.io/nfs-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME' |
|||
parameters: |
|||
archiveOnDelete: "false" |
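Review bot: `archiveOnDelete: "false"` carries no comment, and with this provisioner it means the backing directory on the NFS export is removed when the claim is deleted rather than kept under an archived name. Add a comment above the parameter such as `# "false": delete the directory together with the PVC; "true": keep it, renamed` so the data-loss behaviour is a visible choice. The comment on the `provisioner:` line also ends with a stray `'`.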
@ -0,0 +1,39 @@ |
|||
apiVersion: apps/v1 |
|||
kind: Deployment |
|||
metadata: |
|||
name: nfs-client-provisioner |
|||
labels: |
|||
app: nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
spec: |
|||
replicas: 1 |
|||
strategy: |
|||
type: Recreate |
|||
selector: |
|||
matchLabels: |
|||
app: nfs-client-provisioner |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: nfs-client-provisioner |
|||
spec: |
|||
serviceAccountName: nfs-client-provisioner |
|||
containers: |
|||
- name: nfs-client-provisioner |
|||
image: registry.cn-hangzhou.aliyuncs.com/gcr_k8s_containers/nfs-subdir-external-provisioner:v4.0.2 |
|||
volumeMounts: |
|||
- name: nfs-client-root |
|||
mountPath: /persistentvolumes |
|||
env: |
|||
- name: PROVISIONER_NAME |
|||
value: k8s-sigs.io/nfs-provisioner |
|||
- name: NFS_SERVER |
|||
value: 10.8.30.152 |
|||
- name: NFS_PATH |
|||
value: /data |
|||
volumes: |
|||
- name: nfs-client-root |
|||
nfs: |
|||
server: 10.8.30.152 |
|||
path: /data |
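Review bot: The `image:` line pulls from a third-party mirror (`registry.cn-hangzhou.aliyuncs.com/gcr_k8s_containers/...`) by the mutable tag `v4.0.2`, so whatever the mirror serves under that tag runs with this ServiceAccount's cluster-wide PersistentVolume create/delete rights. Pin the image by digest, for example `image: <registry>/nfs-subdir-external-provisioner@sha256:<digest-checked-against-upstream>` (placeholder values), or pull from the upstream registry. The `nfs-provisioner:v3.0.0` image in the StatefulSet section has the same problem. The container also sets no `securityContext` or `resources`, and the NFS address `10.8.30.152` appears twice (env and `volumes`), so the two copies must be edited together.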
@ -0,0 +1,4 @@ |
|||
resources: |
|||
- class.yaml |
|||
- rbac.yaml |
|||
- deployment.yaml |
@ -0,0 +1,68 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
--- |
|||
kind: ClusterRole |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: nfs-client-provisioner-runner |
|||
rules: |
|||
- apiGroups: [""] |
|||
resources: ["nodes"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["persistentvolumes"] |
|||
verbs: ["get", "list", "watch", "create", "delete"] |
|||
- apiGroups: [""] |
|||
resources: ["persistentvolumeclaims"] |
|||
verbs: ["get", "list", "watch", "update"] |
|||
- apiGroups: ["storage.k8s.io"] |
|||
resources: ["storageclasses"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "update", "patch"] |
|||
--- |
|||
kind: ClusterRoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: run-nfs-client-provisioner |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
roleRef: |
|||
kind: ClusterRole |
|||
name: nfs-client-provisioner-runner |
|||
apiGroup: rbac.authorization.k8s.io |
|||
--- |
|||
kind: Role |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: leader-locking-nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
rules: |
|||
- apiGroups: [""] |
|||
resources: ["endpoints"] |
|||
verbs: ["get", "list", "watch", "create", "update", "patch"] |
|||
--- |
|||
kind: RoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: leader-locking-nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: nfs-client-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
roleRef: |
|||
kind: Role |
|||
name: leader-locking-nfs-client-provisioner |
|||
apiGroup: rbac.authorization.k8s.io |
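Review bot: Every namespaced object here lands in `default`, so the `leader-locking-nfs-client-provisioner` Role gives the provisioner's ServiceAccount create/update/patch on all Endpoints in `default`, a namespace that usually also holds the `kubernetes` Service endpoints and unrelated workloads. Deploying into a dedicated namespace narrows that grant. The five `namespace: default` lines in this file (ServiceAccount, Role, RoleBinding and both binding subjects) and the one in the Deployment have to change together. Setting `namespace: <provisioner-namespace>` (placeholder) once in kustomization.yaml would probably replace the hand edits, but confirm that it also rewrites the binding subjects.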
@ -0,0 +1,11 @@ |
|||
kind: PersistentVolumeClaim |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: test-claim |
|||
spec: |
|||
storageClassName: k8s-sigs-nfs-client |
|||
accessModes: |
|||
- ReadWriteMany |
|||
resources: |
|||
requests: |
|||
storage: 1Mi |
@ -0,0 +1,21 @@ |
|||
kind: Pod |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: test-pod |
|||
spec: |
|||
containers: |
|||
- name: test-pod |
|||
image: busybox:stable |
|||
command: |
|||
- "/bin/sh" |
|||
args: |
|||
- "-c" |
|||
- "touch /mnt/SUCCESS && exit 0 || exit 1" |
|||
volumeMounts: |
|||
- name: nfs-pvc |
|||
mountPath: "/mnt" |
|||
restartPolicy: "Never" |
|||
volumes: |
|||
- name: nfs-pvc |
|||
persistentVolumeClaim: |
|||
claimName: test-claim |
@ -0,0 +1,11 @@ |
|||
kind: PersistentVolumeClaim |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: nfs |
|||
spec: |
|||
storageClassName: gcr-nfs |
|||
accessModes: |
|||
- ReadWriteMany |
|||
resources: |
|||
requests: |
|||
storage: 1Mi |
@ -0,0 +1,7 @@ |
|||
kind: StorageClass |
|||
apiVersion: storage.k8s.io/v1 |
|||
metadata: |
|||
name: gcr-nfs |
|||
provisioner: gcr.io/nfs |
|||
mountOptions: |
|||
- vers=4.1 |
@ -0,0 +1,23 @@ |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: nfs-provisioner |
|||
spec: |
|||
fsGroup: |
|||
rule: RunAsAny |
|||
allowedCapabilities: |
|||
- DAC_READ_SEARCH |
|||
- SYS_RESOURCE |
|||
runAsUser: |
|||
rule: RunAsAny |
|||
seLinux: |
|||
rule: RunAsAny |
|||
supplementalGroups: |
|||
rule: RunAsAny |
|||
volumes: |
|||
- configMap |
|||
- downwardAPI |
|||
- emptyDir |
|||
- persistentVolumeClaim |
|||
- secret |
|||
- hostPath |
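Review bot: The policy lists `hostPath` under `volumes` without `allowedHostPaths`, so any pod admitted under it may mount any path of the node. Together with `runAsUser: RunAsAny`, that is far more than the single `/srv` mount the StatefulSet needs. Add `allowedHostPaths:` with `- pathPrefix: /srv` to limit it. Separately, `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so this manifest will not apply on current clusters, where the restriction has to be expressed through Pod Security Admission or another admission policy.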
@ -0,0 +1,61 @@ |
|||
kind: ClusterRole |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: nfs-provisioner-runner |
|||
rules: |
|||
- apiGroups: [""] |
|||
resources: ["persistentvolumes"] |
|||
verbs: ["get", "list", "watch", "create", "delete"] |
|||
- apiGroups: [""] |
|||
resources: ["persistentvolumeclaims"] |
|||
verbs: ["get", "list", "watch", "update"] |
|||
- apiGroups: ["storage.k8s.io"] |
|||
resources: ["storageclasses"] |
|||
verbs: ["get", "list", "watch"] |
|||
- apiGroups: [""] |
|||
resources: ["events"] |
|||
verbs: ["create", "update", "patch"] |
|||
- apiGroups: [""] |
|||
resources: ["services", "endpoints"] |
|||
verbs: ["get"] |
|||
- apiGroups: ["extensions"] |
|||
resources: ["podsecuritypolicies"] |
|||
resourceNames: ["nfs-provisioner"] |
|||
verbs: ["use"] |
|||
--- |
|||
kind: ClusterRoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: run-nfs-provisioner |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: nfs-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
roleRef: |
|||
kind: ClusterRole |
|||
name: nfs-provisioner-runner |
|||
apiGroup: rbac.authorization.k8s.io |
|||
--- |
|||
kind: Role |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: leader-locking-nfs-provisioner |
|||
rules: |
|||
- apiGroups: [""] |
|||
resources: ["endpoints"] |
|||
verbs: ["get", "list", "watch", "create", "update", "patch"] |
|||
--- |
|||
kind: RoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: leader-locking-nfs-provisioner |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: nfs-provisioner |
|||
# replace with namespace where provisioner is deployed |
|||
namespace: default |
|||
roleRef: |
|||
kind: Role |
|||
name: leader-locking-nfs-provisioner |
|||
apiGroup: rbac.authorization.k8s.io |
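Review bot: The `use` rule for `podsecuritypolicies` names API group `extensions`, while the policy in this commit is created as `policy/v1beta1`. The rule should read `apiGroups: ["policy"]` so the grant matches the group the object is served from; older API servers may still honour the legacy group, which is worth confirming for the target version. Also, the Role and RoleBinding `leader-locking-nfs-provisioner` carry no `metadata.namespace`, yet both binding subjects hard-code `namespace: default`. Applying this file to any other namespace therefore leaves the bindings pointing at a ServiceAccount that is not there.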
@ -0,0 +1,22 @@ |
|||
kind: Pod |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: read-pod |
|||
spec: |
|||
containers: |
|||
- name: read-pod |
|||
image: busybox:1.24 |
|||
command: |
|||
- "/bin/sh" |
|||
args: |
|||
- "-c" |
|||
- "test -f /mnt/SUCCESS && exit 0 || exit 1" |
|||
volumeMounts: |
|||
- name: nfs-pvc |
|||
mountPath: "/mnt" |
|||
restartPolicy: "Never" |
|||
volumes: |
|||
- name: nfs-pvc |
|||
persistentVolumeClaim: |
|||
claimName: nfs |
|||
|
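Review bot: `busybox:1.24` is a years-old tag, whereas the client-only test pod in this commit uses `busybox:stable`; write-pod.yaml (the last section) carries the same line. Use one current image for all three test pods, e.g. `image: busybox:stable`, or pin a digest, so the smoke test does not pull an unmaintained image onto the nodes.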
@ -0,0 +1,125 @@ |
|||
apiVersion: v1 |
|||
kind: ServiceAccount |
|||
metadata: |
|||
name: nfs-provisioner |
|||
--- |
|||
kind: Service |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: nfs-provisioner |
|||
labels: |
|||
app: nfs-provisioner |
|||
spec: |
|||
ports: |
|||
- name: nfs |
|||
port: 2049 |
|||
- name: nfs-udp |
|||
port: 2049 |
|||
protocol: UDP |
|||
- name: nlockmgr |
|||
port: 32803 |
|||
- name: nlockmgr-udp |
|||
port: 32803 |
|||
protocol: UDP |
|||
- name: mountd |
|||
port: 20048 |
|||
- name: mountd-udp |
|||
port: 20048 |
|||
protocol: UDP |
|||
- name: rquotad |
|||
port: 875 |
|||
- name: rquotad-udp |
|||
port: 875 |
|||
protocol: UDP |
|||
- name: rpcbind |
|||
port: 111 |
|||
- name: rpcbind-udp |
|||
port: 111 |
|||
protocol: UDP |
|||
- name: statd |
|||
port: 662 |
|||
- name: statd-udp |
|||
port: 662 |
|||
protocol: UDP |
|||
selector: |
|||
app: nfs-provisioner |
|||
--- |
|||
kind: StatefulSet |
|||
apiVersion: apps/v1 |
|||
metadata: |
|||
name: nfs-provisioner |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
app: nfs-provisioner |
|||
serviceName: "nfs-provisioner" |
|||
replicas: 1 |
|||
template: |
|||
metadata: |
|||
labels: |
|||
app: nfs-provisioner |
|||
spec: |
|||
serviceAccount: nfs-provisioner |
|||
terminationGracePeriodSeconds: 10 |
|||
containers: |
|||
- name: nfs-provisioner |
|||
image: registry.cn-hangzhou.aliyuncs.com/gcr_k8s_containers/nfs-provisioner:v3.0.0 |
|||
ports: |
|||
- name: nfs |
|||
containerPort: 2049 |
|||
- name: nfs-udp |
|||
containerPort: 2049 |
|||
protocol: UDP |
|||
- name: nlockmgr |
|||
containerPort: 32803 |
|||
- name: nlockmgr-udp |
|||
containerPort: 32803 |
|||
protocol: UDP |
|||
- name: mountd |
|||
containerPort: 20048 |
|||
- name: mountd-udp |
|||
containerPort: 20048 |
|||
protocol: UDP |
|||
- name: rquotad |
|||
containerPort: 875 |
|||
- name: rquotad-udp |
|||
containerPort: 875 |
|||
protocol: UDP |
|||
- name: rpcbind |
|||
containerPort: 111 |
|||
- name: rpcbind-udp |
|||
containerPort: 111 |
|||
protocol: UDP |
|||
- name: statd |
|||
containerPort: 662 |
|||
- name: statd-udp |
|||
containerPort: 662 |
|||
protocol: UDP |
|||
securityContext: |
|||
capabilities: |
|||
add: |
|||
- DAC_READ_SEARCH |
|||
- SYS_RESOURCE |
|||
args: |
|||
- "-provisioner=gcr.io/nfs" |
|||
env: |
|||
- name: POD_IP |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: status.podIP |
|||
- name: SERVICE_NAME |
|||
value: nfs-provisioner |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
imagePullPolicy: "IfNotPresent" |
|||
volumeMounts: |
|||
- name: export-volume |
|||
mountPath: /export |
|||
nodeSelector: |
|||
kubernetes.io/hostname: test-n3 |
|||
volumes: |
|||
- name: export-volume |
|||
hostPath: |
|||
path: /srv |
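Review bot: The `export-volume` hostPath at the end of the pod spec mounts the node's whole `/srv` into a container that adds `DAC_READ_SEARCH` and `SYS_RESOURCE`. It sets no `type`, so nothing checks that the path exists as the intended directory before it is exported over NFS. Point it at a directory dedicated to the export and add `type: Directory` under `hostPath:` so a wrong node or a missing path fails at pod start. The Service in the same file publishes rpcbind, mountd and statd inside the cluster and this commit adds no NetworkPolicy; whether that exposure is intended is not visible here. `serviceAccount:` is the deprecated spelling; the Deployment section already uses `serviceAccountName:`.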
@ -0,0 +1,22 @@ |
|||
kind: Pod |
|||
apiVersion: v1 |
|||
metadata: |
|||
name: write-pod |
|||
spec: |
|||
containers: |
|||
- name: write-pod |
|||
image: busybox:1.24 |
|||
command: |
|||
- "/bin/sh" |
|||
args: |
|||
- "-c" |
|||
- "touch /mnt/SUCCESS && exit 0 || exit 1" |
|||
volumeMounts: |
|||
- name: nfs-pvc |
|||
mountPath: "/mnt" |
|||
restartPolicy: "Never" |
|||
volumes: |
|||
- name: nfs-pvc |
|||
persistentVolumeClaim: |
|||
claimName: nfs |
|||
|