https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner

配置 NFS 服务

  1. yum install -y nfs-utils
  2. # debian
  3. apt-get install nfs-kernel-server -y
  5. systemctl enable nfs --now
  7. # 写入路径
  8. vi /etc/exports
  9. /path *(rw,no_root_squash,insecure,async,no_subtree_check,anonuid=1001,anongid=1001)
  10. /path 192.168.1.0/24(rw,no_root_squash,insecure,async,no_subtree_check,anonuid=1001,anongid=1001)
  12. exportfs -ra
  15. # 关于showmount -e 信息泄露(CEE-1999-0554)的漏洞
  16. # 在 /etc/hosts.allow 文件中配置
  17. mountd:192.168.1.*
  18. rpcbind:192.168.1.*
  19. # 在 /etc/hosts.deny 文件中配置
  20. mountd:ALL
  21. rpcbind:ALL:deny

创建 NFS 角色

  1. apiVersion: v1
  2. kind: ServiceAccount
  3. metadata:
  4.   name: nfs-client-provisioner
  5.   # replace with namespace where provisioner is deployed
  6.   namespace: default
  7. ---
  8. kind: ClusterRole
  9. apiVersion: rbac.authorization.k8s.io/v1
  10. metadata:
  11.   name: nfs-client-provisioner-runner
  12. rules:
  13.   - apiGroups: [""]
  14.     resources: ["nodes"]
  15.     verbs: ["get", "list", "watch"]
  16.   - apiGroups: [""]
  17.     resources: ["persistentvolumes"]
  18.     verbs: ["get", "list", "watch", "create", "delete"]
  19.   - apiGroups: [""]
  20.     resources: ["persistentvolumeclaims"]
  21.     verbs: ["get", "list", "watch", "update"]
  22.   - apiGroups: ["storage.k8s.io"]
  23.     resources: ["storageclasses"]
  24.     verbs: ["get", "list", "watch"]
  25.   - apiGroups: [""]
  26.     resources: ["events"]
  27.     verbs: ["create", "update", "patch"]
  28. ---
  29. kind: ClusterRoleBinding
  30. apiVersion: rbac.authorization.k8s.io/v1
  31. metadata:
  32.   name: run-nfs-client-provisioner
  33. subjects:
  34.   - kind: ServiceAccount
  35.     name: nfs-client-provisioner
  36.     # replace with namespace where provisioner is deployed
  37.     namespace: default
  38. roleRef:
  39.   kind: ClusterRole
  40.   name: nfs-client-provisioner-runner
  41.   apiGroup: rbac.authorization.k8s.io
  42. ---
  43. kind: Role
  44. apiVersion: rbac.authorization.k8s.io/v1
  45. metadata:
  46.   name: leader-locking-nfs-client-provisioner
  47.   # replace with namespace where provisioner is deployed
  48.   namespace: default
  49. rules:
  50.   - apiGroups: [""]
  51.     resources: ["endpoints"]
  52.     verbs: ["get", "list", "watch", "create", "update", "patch"]
  53. ---
  54. kind: RoleBinding
  55. apiVersion: rbac.authorization.k8s.io/v1
  56. metadata:
  57.   name: leader-locking-nfs-client-provisioner
  58.   # replace with namespace where provisioner is deployed
  59.   namespace: default
  60. subjects:
  61.   - kind: ServiceAccount
  62.     name: nfs-client-provisioner
  63.     # replace with namespace where provisioner is deployed
  64.     namespace: default
  65. roleRef:
  66.   kind: Role
  67.   name: leader-locking-nfs-client-provisioner
  68.   apiGroup: rbac.authorization.k8s.io

部署 provisioner

https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/deploy/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-client-provisioner
  labels:
    app: nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: default
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-provisioner
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: k8s-sigs.io/nfs-subdir-external-provisioner
            - name: NFS_SERVER
              value: 10.3.243.101
            - name: NFS_PATH
              value: /ifs/kubernetes
      volumes:
        - name: nfs-client-root
          nfs:
            server: 10.3.243.101
            path: /ifs/kubernetes

创建 NFS 存储类

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
#  默认存储类
#  annotations:
#    "storageclass.kubernetes.io/is-default-class": "true"
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
# allowVolumeExpansion: true # 允许动态扩缩容,NFS 不支持
parameters:
  archiveOnDelete: "false"

配置默认存储类

# 查看当前 sc 
kubectl get sc

# 设置 managed-nfs-storage 为默认后端存储
kubectl patch storageclass managed-nfs-storage -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

# 取消默认存储后端
kubectl patch storageclass managed-nfs-storage -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'

image.png

创建 PVC 示例

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: test-claim
  annotations:
    nfs.io/storage-path: "test-path" # not required, depending on whether this annotation was shown in the storage class description
spec:
  storageClassName: managed-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Mi

创建 Pod 测试

kind: Pod
apiVersion: v1
metadata:
  name: test-pod
spec:
  containers:
  - name: test-pod
    image: busybox:stable
    command:
      - "/bin/sh"
    args:
      - "-c"
      - "touch /mnt/SUCCESS && exit 0 || exit 1"
    volumeMounts:
      - name: nfs-pvc
        mountPath: "/mnt"
  restartPolicy: "Never"
  volumes:
    - name: nfs-pvc
      persistentVolumeClaim:
        claimName: test-claim

image.png