1. 在Ceph上为Kubernetes创建一个存储池
# ceph osd pool create k8s 128
2. 创建k8s用户
# ceph auth get-or-create client.k8s mon 'allow r' osd 'allow rwx pool=k8s' -o ceph.client.k8s.keyring
3. 将k8s用户的key进行base64编码
这是Kubernetes访问Ceph的密钥,会保存在Kubernetes的Secret中
# grep key ceph.client.k8s.keyring | awk '{printf "%s", $NF}' | base64 VBGFaeN3OWJYdUZPSHhBQTNrU2E2QlUyaEF5UUV0SnNPRHdXeRT8PQ==
4. 在Kubernetes创建访问Ceph的Secret
# echo ' apiVersion: v1 kind: Secret metadata: name: ceph-k8s-secret type: "kubernetes.io/rbd" data: key: VBGFaeN3OWJYdUZPSHhBQTNrU2E2QlUyaEF5UUV0SnNPRHdXeRT8PQ== --- apiVersion: v1 kind: Secret metadata: name: ceph-admin-secret namespace: kube-system type: "kubernetes.io/rbd" data: key: VBGFaeN3OWJYdUZPSHhBQTNrU2E2QlUyaEF5UUV0SnNPRHdXeRT8PQ== ‘ | kubectl create -f -
5. 将访问Ceph的keyring复制到Kubernetes work节点上
在创建Pod的时候,kubelet会调用rbd命令去检测和挂载PVC对应的rbd镜像,因此在kubelet节点上要保证存在rbd命令和访问ceph的keyring。否则创建Pod,kubelet有可能报各种各样ceph相关的错误。
如果kubelet在worker节点上是正常运行在default namespace下的,那么安装ceph-common包,然后将keyring拷贝到/etc/ceph/目录下即可;如果kubelet是运行在容器中,那这两个操作就需要在容器中执行。
我们的环境中,kubelet是运行在rkt容器中的,官方镜像中已经包含了ceph客户端,所以只需要将keyring拷贝到容器中。
我们环境中使用systemctl管理kubelet,以服务的方式启动一个rkt容器来运行kubelet,修改/etc/systemd/system/kubelet.service,增加一个对应keyring的volume:
[Unit] Description=Kubernetes Kubelet Documentation=https://github.com/kubernetes/kubernetes After=load-images.service Requires=docker.service [Service] EnvironmentFile=/etc/cluster-envs Environment=KUBELET_IMAGE_TAG=v1.7.10 Environment="RKT_RUN_ARGS= --volume ceph-keyring,kind=host,source=/etc/ceph/ceph.client.k8s.keyring --mount volume=ceph-keyring,target=/etc/ceph/ceph.client.k8s.keyring --volume modprobe,kind=host,source=/usr/sbin/modprobe --mount volume=modprobe,target=/usr/sbin/modprobe --volume lib-modules,kind=host,source=/lib/modules --mount volume=lib-modules,target=/lib/modules ExecStartPre=/usr/bin/mkdir -p /etc/ceph ExecStart=/opt/bin/kubelet-wrapper --address=0.0.0.0 --allow-privileged=true --cluster-dns=192.168.192.10 --cluster-domain=cluster.local --cloud-provider='' --port=10250 --lock-file=/var/run/lock/kubelet.lock --exit-on-lock-contention --node-labels=worker=true --pod-manifest-path=/etc/kubernetes/manifests --kubeconfig=/etc/kubernetes/kubeconfig.yaml --require-kubeconfig=true --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --logtostderr=true Restart=always RestartSec=10 [Install] WantedBy=multi-user.target
6. 在Kubernetes创建ceph-rbd StorageClass
# echo ‘apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: ceph-rbd provisioner: kubernetes.io/rbd parameters: monitors: 10.32.24.11:6789,10.32.24.12:6789,10.32.24.13:6789 adminId: k8s adminSecretName: ceph-k8s-secret adminSecretNamespace: kube-system pool: k8s userId: k8s userSecretName: ceph-k8s-secret’ | kubectl create -f -
7. 将ceph-rbd设置为默认的StorageClass
# kubectl patch storageclass ceph-rbd -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
注意集群中只能存在一个默认StorageClass,如果同时将多个StorageClass设置为默认,相当于没有设置默认StorageClass。查看StorageClass列表,默认StorageClass带有(default)标记:
# kubectl get storageclass NAME TYPE ceph-rbd (default) kubernetes.io/rbd ceph-sas kubernetes.io/rbd ceph-ssd kubernetes.io/rbd
8. 创建一个PersistentVolumeClaim
# echo ‘apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nginx-test-vol1-claim spec: accessModes: - ReadWriteOnce storageClassName: ceph-rbd resources: requests: storage: 10Gi’ | kubectl create -f -
因为指定了默认StorageClass,所以这里的storageClassName其实可以省略。
9. 创建使用PVC的Pod
# echo ‘apiVersion: v1 kind: Pod metadata: name: nginx-test spec: containers: - name: nginx image: nginx:latest volumeMounts: - name: nginx-test-vol1 mountPath: /data/ readOnly: false volumes: - name: nginx-test-vol1 persistentVolumeClaim: claimName: nginx-test-vol1-claim’ | kubectl create -f -
10. 查看容器状态
进入容器看到rbd挂载到了/data目录
# kubectl exec nginx-test -it -- /bin/bash [root@nginx-test ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/rbd0 50G 52M 47G 1% /data