Commit e2e8861 (1 parent: 92bccb3)
Showing 29 changed files with 379 additions and 6 deletions.
Binary file added (+47.8 KB): source/_static/kubernetes/storage/k8s_csi/alicloud-csi/ack_deploy_csi.png
Binary file added (+40.3 KB): source/_static/kubernetes/storage/k8s_csi/alicloud-csi/ack_mandate_csi.png
11 changes: 11 additions & 0 deletions
.../kubernetes/deploy/deploy_pod/k8s_privileged_pod/capsh_drop_all_non-privileged-pod_output
@@ -0,0 +1,11 @@ | ||
Current: = | ||
Bounding set = | ||
Ambient set = | ||
Securebits: 00/0x0/1'b0 | ||
secure-noroot: no (unlocked) | ||
secure-no-suid-fixup: no (unlocked) | ||
secure-keep-caps: no (unlocked) | ||
secure-no-ambient-raise: no (unlocked) | ||
uid=0(root) | ||
gid=0(root) | ||
groups=0(root) |
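Review bot: the Current, Bounding set and Ambient set lines are all empty, yet the last three lines still show uid=0(root)/gid=0(root), so the doc that embeds this output should state plainly that drop: ALL removes capabilities, not the root identity; files the container's root user owns remain writable to it under ordinary ownership checks. The manifests that actually change the identity (privileged-pod-4.yaml and privileged-pod-5.yaml with runAsUser: 1000) have no capsh output committed beside them, so the comparison this file starts is incomplete; consider adding those outputs as well.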
11 changes: 11 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/capsh_non-privileged-pod_output
@@ -0,0 +1,11 @@ | ||
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep | ||
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap | ||
Ambient set = | ||
Securebits: 00/0x0/1'b0 | ||
secure-noroot: no (unlocked) | ||
secure-no-suid-fixup: no (unlocked) | ||
secure-keep-caps: no (unlocked) | ||
secure-no-ambient-raise: no (unlocked) | ||
uid=0(root) | ||
gid=0(root) | ||
groups=0(root) |
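Review bot: the Current and Bounding set lines list the container runtime's default 14 capabilities (cap_chown, cap_dac_override, cap_setuid, cap_setgid, cap_net_raw, cap_sys_chroot, cap_mknod and so on), all flagged +ep, i.e. effective and permitted; this is the point the doc should make next to this output: privileged: false only clears the privileged flag and leaves the default set untouched, and allowPrivilegeEscalation: false in privileged-pod-2.yaml does not trim it either. Worth adding that the Pod Security Standards restricted profile requires dropping ALL and allows only NET_BIND_SERVICE to be added back, which is the motivation for the drop: ALL variant that follows.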
1 change: 1 addition & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/capsh_privileged-pod
@@ -0,0 +1 @@ | ||
capsh --print |
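Review bot: this is the only command file in the commit although three capsh outputs are committed (privileged, non-privileged and drop-all), and the only exec file targets test-pod-1, so the doc cannot show how the other two outputs were produced; add exec_/capsh_ files for test-pod-2 and test-pod-3, or name this file so it is clearly shared by all three. It is also worth a line that capsh --print reports the credentials of the shell it runs in, so it has to be executed inside the pod via kubectl exec, not on the node.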
11 changes: 11 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/capsh_privileged-pod_output
@@ -0,0 +1,11 @@ | ||
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,38,39,40+ep | ||
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,38,39,40 | ||
Ambient set = | ||
Securebits: 00/0x0/1'b0 | ||
secure-noroot: no (unlocked) | ||
secure-no-suid-fixup: no (unlocked) | ||
secure-keep-caps: no (unlocked) | ||
secure-no-ambient-raise: no (unlocked) | ||
uid=0(root) | ||
gid=0(root) | ||
groups=0(root) |
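Review bot: the three trailing numeric entries 38,39,40 in the Current and Bounding set lines are capabilities the image's libcap cannot name because it predates them (on current kernels numbers 38, 39 and 40 are cap_perfmon, cap_bpf and cap_checkpoint_restore); add a sentence to the doc so readers do not take the output as corrupt. The more important thing to call out beside this output is that the set includes cap_sys_admin, cap_sys_module, cap_sys_rawio, cap_sys_ptrace and cap_net_admin, and that privileged: true also exposes the host's devices to the container, which together make it effectively root on the node. The four Securebits/secure-* lines are identical across all three committed outputs and carry no information for the comparison; consider trimming them with a note.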
1 change: 1 addition & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/create_drop_all_non-privileged-pod
@@ -0,0 +1 @@ | ||
kubectl create -f privileged-pod-3.yaml |
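Review bot: kubectl create fails with AlreadyExists when a reader re-runs the steps after a modification; kubectl apply -f is the idempotent form and is the one the other create_* files in this commit should use as well. Since all manifests pin namespace: default, a cleanup line (kubectl delete -f privileged-pod-3.yaml) beside each create would also keep test-pod-1..5 from piling up in a shared cluster.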
1 change: 1 addition & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/create_non-privileged-pod
@@ -0,0 +1 @@ | ||
kubectl create -f privileged-pod-2.yaml |
1 change: 1 addition & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/create_privileged-pod
@@ -0,0 +1 @@ | ||
kubectl create -f privileged-pod-1.yaml |
1 change: 1 addition & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/exec_privileged-pod
@@ -0,0 +1 @@ | ||
kubectl exec -it test-pod-1 -- bash |
12 changes: 12 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/privileged-pod-1.yaml
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test-pod-1 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: centos | ||
image: centos | ||
command: ['sh', '-c', 'sleep 999'] | ||
securityContext: | ||
privileged: true |
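Review bot: image: centos carries no tag or digest, so every manifest in this commit pulls whatever :latest resolves to, and the committed capsh outputs (whose capability names depend on the image's libcap version, see the unnamed 38,39,40 entries) are not reproducible; pin an explicit tag or an @sha256: digest in all five manifests. The command sleep 999 also means each pod exits after roughly 16 minutes, which is fine for a demo but worth a note beside kubectl exec so readers are not surprised by a vanished pod.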
13 changes: 13 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/privileged-pod-2.yaml
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test-pod-2 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: centos | ||
image: centos | ||
command: ['sh', '-c', 'sleep 999'] | ||
securityContext: | ||
privileged: false | ||
allowPrivilegeEscalation: false |
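Review bot: allowPrivilegeEscalation: false sets no_new_privs on the container process, which blocks gaining privileges across execve (setuid binaries, file capabilities), but it does not reduce the capability sets the process starts with; the committed capsh_non-privileged-pod_output shows the runtime's full default set, and the doc should say so explicitly, otherwise readers will expect this flag alone to shrink the output. capsh --print does not display the no_new_privs bit, so if the doc wants evidence that the flag took effect, suggest reading the NoNewPrivs line from /proc/self/status inside the pod.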
17 changes: 17 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/privileged-pod-3.yaml
@@ -0,0 +1,17 @@ | ||
|
||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test-pod-3 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: centos | ||
image: centos | ||
command: ['sh', '-c', 'sleep 999'] | ||
securityContext: | ||
privileged: false | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- ALL |
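Review bot: the first added line of this file is blank (the hunk opens with an empty line before apiVersion: v1), which none of the sibling manifests have; drop it for consistency. Content-wise, drop: ALL without runAsUser still runs the process as uid 0, as the matching capsh_drop_all_non-privileged-pod_output confirms with uid=0(root), so this manifest is the "no capabilities, still root" step and the doc should label it that way to set up privileged-pod-4.yaml.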
17 changes: 17 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/privileged-pod-4.yaml
@@ -0,0 +1,17 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test-pod-4 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: centos | ||
image: centos | ||
command: ['sh', '-c', 'sleep 999'] | ||
securityContext: | ||
privileged: false | ||
allowPrivilegeEscalation: false | ||
runAsUser: 1000 | ||
capabilities: | ||
drop: | ||
- ALL |
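Review bot: runAsUser: 1000 together with drop: ALL and allowPrivilegeEscalation: false is almost the Pod Security Standards restricted profile, but the manifest lacks the runAsNonRoot: true and seccompProfile: type: RuntimeDefault settings that profile requires; add both, since runAsNonRoot: true also makes the kubelet refuse to start the container if runAsUser is later removed and the image defaults to root. No capsh output for this pod is committed; it would be the most instructive one of the series, because it is the first pod whose identity is not root.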
19 changes: 19 additions & 0 deletions
source/kubernetes/deploy/deploy_pod/k8s_privileged_pod/privileged-pod-5.yaml
@@ -0,0 +1,19 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test-pod-5 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: centos | ||
image: centos | ||
command: ['sh', '-c', 'sleep 999'] | ||
securityContext: | ||
privileged: false | ||
allowPrivilegeEscalation: false | ||
runAsUser: 1000 | ||
capabilities: | ||
drop: | ||
- ALL | ||
add: | ||
- SYS_NICE |
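Review bot: adding SYS_NICE back after drop: ALL in a container that runs as runAsUser: 1000 does not by itself give the process an effective capability: on execve a non-root process keeps only ambient capabilities or those granted by file capabilities on the binary, and the Pod API has no field for ambient capabilities, so whether SYS_NICE ends up in the effective set depends entirely on the container runtime. Run capsh --print in test-pod-5 and commit the output; on a runtime that does not populate the ambient set the expected shape is cap_sys_nice in the Bounding set line with an empty Current line, and the doc should state what was actually observed rather than implying that the add works for a non-root user.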
53 changes: 53 additions & 0 deletions
source/kubernetes/storage/k8s_csi/alicloud-csi/alicloud_csi_arch.rst
@@ -0,0 +1,53 @@ | ||
.. _alicloud_csi_arch: | ||
|
||
====================== | ||
阿里云CSI架构 | ||
====================== | ||
|
||
阿里云ACK(定制Kubernetes)容器存储,是通过CSI(容器存储接口)访问: | ||
|
||
- 块存储: Local Disk(数据库,Hadoop) / Cloud Disk(有状态应用,数据库) | ||
- 文件存储: NAS(日志,共享数据) / CPFS(HPC, :ref:`deep_learning` ) | ||
- 对象存储: OSS(多媒体,基因数据) | ||
- 本地存储: LVM(数据库,文件存储) / QuotaPath (数据库) / AEP(数据库) | ||
|
||
.. figure:: ../../../../_static/kubernetes/storage/k8s_csi/alicloud-csi/ack_csi.png | ||
|
||
阿里云ACK容器存储概览 | ||
|
||
阿里云的ACK集群分为托管集群(管控节点由阿里云维护) 和 自建集群(独立部署管控节点),在部署CSI存储方式有所区别: | ||
|
||
- 托管集群 CSI插件 ``CSI-Provisioner`` 和 ``CSI-Plugin`` 都运行在用户的Worker节点 | ||
|
||
.. figure:: ../../../../_static/kubernetes/storage/k8s_csi/alicloud-csi/ack_mandate_csi.png | ||
|
||
阿里云托管ACK集群 CSI插件 | ||
|
||
- 自建集群 ``CSI-Provisioner`` 运行在Master节点,而 ``CSI-Plugin`` 则作为 :ref:`daemonset` 同时运行在 Master 和 Worker 节点 | ||
|
||
.. figure:: ../../../../_static/kubernetes/storage/k8s_csi/alicloud-csi/ack_deploy_csi.png | ||
|
||
阿里云自建ACK集群 CSI插件 | ||
|
||
CSI使用授权 | ||
================ | ||
|
||
CSI插件在数据卷挂载、卸载、创建和删除等操作上需要使用AccessKey授权,也支持RAM角色授权(默认) | ||
|
||
部署安装CSI-Plugin和CSI-Provisioner | ||
====================================== | ||
|
||
阿里云在ACK的托管或自建集群,控制台默认安装 ``CSI-Plugin`` 和 ``CSI-Provisioner`` 组件: | ||
|
||
.. literalinclude:: alicloud_csi_arch/ack_csi | ||
:caption: 检查ACK集群是否安装好 ``csi-plugin`` 和 ``csi-provisioner`` | ||
|
||
CSI插件安装 | ||
============== | ||
|
||
``kubelet`` 运行参数 ``--enable-controller-attach-detach=true`` 表示集群使用了CSI存储插件,如果这个参数值是 ``false`` 则表明存储插件是 ``Flexvolume`` | ||
|
||
参考 | ||
===== | ||
|
||
- `阿里云容器服务Kubernetes版ACK > 存储CSI概述 <https://help.aliyun.com/zh/ack/ack-managed-and-ack-dedicated/user-guide/csi-overview-1>`_ |
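Review bot: the CSI使用授权 section leads with AccessKey authorization and mentions the RAM role only as "(默认)"; since a RAM role is the default and an AccessKey is a long-lived credential that has to be stored in the cluster where anyone able to read Secrets in the plugin's namespace can lift it, reverse the emphasis and recommend staying on the role-based path, with AccessKey as the fallback. In the CSI插件安装 section, --enable-controller-attach-detach is a general kubelet option that delegates attach/detach to the controller-manager; the mapping true = CSI, false = Flexvolume is an ACK deployment convention, so the sentence should say "在ACK中" and point readers to the component check under 部署安装CSI-Plugin和CSI-Provisioner as the authoritative test.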
2 changes: 2 additions & 0 deletions
source/kubernetes/storage/k8s_csi/alicloud-csi/alicloud_csi_arch/ack_csi
@@ -0,0 +1,2 @@ | ||
kubectl get pod -n kube-system | grep csi-plugin | ||
kubectl get pod -n kube-system | grep csi-provisioner |
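Review bot: grep csi-plugin only proves that pods with that name exist, while the caption promises a check that the components are installed properly; have the reader look at the READY and STATUS columns of kubectl get pod output, or add -o wide so it is visible which nodes the csi-plugin pods landed on, which is exactly the managed vs. self-built distinction the doc draws. The two lines differ only in the grep pattern; a single grep -E 'csi-(plugin|provisioner)' is easier to copy.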
@@ -0,0 +1,17 @@ | ||
.. _alicloud-csi: | ||
|
||
============================================================ | ||
阿里云 CSI | ||
============================================================ | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
|
||
alicloud_csi_arch.rst | ||
|
||
.. only:: subproject and html | ||
|
||
Indices | ||
======= | ||
|
||
* :ref:`genindex` |
28 changes: 28 additions & 0 deletions
source/kubernetes/storage/k8s_csi/ceph-csi/ceph_csi_arch.rst
@@ -0,0 +1,28 @@ | ||
.. _ceph_csi_arch: | ||
|
||
===================== | ||
Ceph CSI架构 | ||
===================== | ||
|
||
`CSI driver for Ceph <https://github.com/ceph/ceph-csi>`_ 提供了 :ref:`ceph_rbd` , :ref:`cephfs` 的驱动,以及Kubernetes :ref:`sidecar` 部署YAML来支持CSI功能: | ||
|
||
- provisioner | ||
- attacher | ||
- resizer | ||
- driver-register | ||
- snapshotter | ||
|
||
概览 | ||
======= | ||
|
||
Ceph CSI plugins 实现了一个 CSI-enabled 容器编排(Container Orchestrator, CO) 和 Ceph 集群之间的接口,可以动态提供Ceph 卷并将卷添加到 :ref:`k8s_workloads` : | ||
|
||
- 支持 :ref:`ceph_rbd` 和 :ref:`cephfs` 后端卷: | ||
|
||
- :ref:`ceph_csi_rbd` | ||
- :ref:`ceph_csi_cephfs` | ||
|
||
参考 | ||
========== | ||
|
||
- `CSI driver for Ceph <https://github.com/ceph/ceph-csi>`_ |
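Review bot: the sidecar list says driver-register, but the ceph-csi deployment uses the upstream csi-node-driver-registrar sidecar (it registers the driver's socket with the kubelet plugin registry); rename the item so readers can find the container in the node plugin DaemonSet. The list also mixes two kinds of sidecar: provisioner, attacher, resizer and snapshotter run beside the controller plugin, while the registrar runs beside the node plugin; splitting the list that way would match how the deployment YAML is organised.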
12 changes: 12 additions & 0 deletions
source/kubernetes/storage/k8s_csi/ceph-csi/ceph_csi_cephfs.rst
@@ -0,0 +1,12 @@ | ||
.. _ceph_csi_cephfs: | ||
|
||
======================== | ||
Ceph CSI CephFS plugin | ||
======================== | ||
|
||
Ceph CSI CephFS plugin 可以提供新的 CephFS 卷,将CephFS卷附加和挂载到 :ref:`k8s_workloads` | ||
|
||
参考 | ||
====== | ||
|
||
- `ceph-csi/docs/deploy-cephfs.md <https://github.com/ceph/ceph-csi/blob/devel/docs/deploy-cephfs.md>`_ |
26 changes: 26 additions & 0 deletions
source/kubernetes/storage/k8s_csi/ceph-csi/ceph_csi_rbd.rst
@@ -0,0 +1,26 @@ | ||
.. _ceph_csi_rbd: | ||
|
||
==================== | ||
Ceph CSI RBD Plugin | ||
==================== | ||
|
||
Ceph CSI RBD plugin 可以提供一个 :ref:`ceph_rbd` 镜像,并将其附加和挂载到 :ref:`k8s_workloads` : | ||
|
||
在Kubernetes中部署CSI RBD | ||
============================ | ||
|
||
`CSI driver for Ceph <https://github.com/ceph/ceph-csi>`_ (GitHub仓库)提供部署的模版文件(源代码 ``deploy/rbd/kubernetes`` 目录下),可以帮助我们在Kubernetes中部署: | ||
|
||
- csi-config-map.yaml | ||
- csidriver.yaml | ||
- csi-nodeplugin-rbac.yaml | ||
- csi-provisioner-rbac.yaml | ||
- csi-rbdplugin-provisioner.yaml | ||
- csi-rbdplugin.yaml | ||
|
||
Kubernetes集群需要允许运行 :ref:`k8s_privileged_pod` | ||
|
||
参考 | ||
====== | ||
|
||
- `ceph-csi/docs/deploy-rbd.md <https://github.com/ceph/ceph-csi/blob/devel/docs/deploy-rbd.md>`_ |
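Review bot: "Kubernetes集群需要允许运行 privileged pod" should say which of the listed manifests carries the privileged container and why (the csi-rbdplugin container, which maps RBD images as host block devices and mounts them) so that operators using Pod Security Admission label only the namespace the driver runs in as privileged instead of relaxing the whole cluster; as written, the sentence reads as a cluster-wide requirement, which is the opposite of what the linked k8s_privileged_pod page is teaching.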