跳至主要內容

动态存储与存储卷的管理:实现存储资源的自动化配置

老马啸西风2025/8/31大约 5 分钟Kubernetescontainer-k8s

在现代云原生环境中,存储资源的管理需要具备高度的自动化和灵活性。Kubernetes通过动态存储卷配置(Dynamic Volume Provisioning)和存储卷生命周期管理,为应用提供了按需分配、自动扩展和高效管理的存储解决方案。本章将深入探讨动态存储配置的原理、实现方式以及存储卷的全生命周期管理,帮助读者构建高效、可靠的存储管理体系。

使用动态存储卷(Dynamic Volume Provisioning)

动态存储卷配置原理

动态存储卷配置允许在用户请求存储时自动创建PersistentVolume(PV),而无需管理员预先创建PV。这一机制通过StorageClass和卷插件实现。

工作流程

  1. 用户创建PersistentVolumeClaim(PVC),指定StorageClass
  2. Kubernetes查找匹配的StorageClass
  3. 卷插件根据StorageClass配置创建PV
  4. PV与PVC绑定
  5. Pod使用PVC获取存储

StorageClass 配置详解

StorageClass定义了存储的"类",包括卷插件、参数和策略。

基本配置

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4
  iopsPerGB: "10"
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
mountOptions:
  - debug

关键参数说明

  • provisioner:卷插件的名称
  • parameters:传递给卷插件的参数
  • reclaimPolicy:PV回收策略(Retain、Recycle、Delete)
  • allowVolumeExpansion:是否允许卷扩展
  • volumeBindingMode:卷绑定模式(Immediate、WaitForFirstConsumer)

不同云平台的动态存储配置

AWS EBS

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: aws-ebs
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4
  encrypted: "true"

GCP Persistent Disk

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gcp-pd
provisioner: kubernetes.io/gce-pd
parameters:
  type: pd-standard
  fstype: ext4
  replication-type: none

Azure Disk

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azure-disk
provisioner: kubernetes.io/azure-disk
parameters:
  storageaccounttype: Standard_LRS
  kind: Managed

本地存储的动态配置

使用local-path-provisioner实现本地存储的动态配置:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-path
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Delete

管理持久化存储的生命周期

存储卷的创建与绑定

PVC创建流程

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: fast-ssd

当PVC创建时,Kubernetes会:

  1. 查找匹配的StorageClass
  2. 调用相应的卷插件创建PV
  3. 将PV与PVC绑定

卷绑定模式

  • Immediate:PVC创建后立即绑定PV
  • WaitForFirstConsumer:等待Pod使用PVC时才绑定PV

存储卷的使用与挂载

在Pod中使用PVC

apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: data
      mountPath: /usr/share/nginx/html
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: my-pvc

多容器共享存储

apiVersion: v1
kind: Pod
metadata:
  name: multi-container-pod
spec:
  containers:
  - name: writer
    image: nginx
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/nginx/html
  - name: reader
    image: busybox
    command: ['sh', '-c']
    args:
    - while true; do
        cat /data/index.html;
        sleep 30;
      done;
    volumeMounts:
    - name: shared-data
      mountPath: /data
  volumes:
  - name: shared-data
    persistentVolumeClaim:
      claimName: my-pvc

存储卷的回收与清理

回收策略

PV的回收策略决定了当PVC被删除时PV的处理方式:

  1. Retain:手动回收,PV保持不变
  2. Delete:自动删除PV和底层存储资产
  3. Recycle:已弃用,使用动态配置替代

手动回收流程

当使用Retain策略时,需要手动回收PV:

# 删除PVC
kubectl delete pvc my-pvc

# 编辑PV,移除claimRef
kubectl patch pv my-pv -p '{"spec":{"claimRef": null}}'

# 重新创建PVC以绑定PV
kubectl apply -f new-pvc.yaml

存储卷备份与恢复

使用 Velero 进行备份

Velero是CNCF项目,用于Kubernetes集群的备份和恢复。

安装 Velero

# 安装Velero CLI
curl -u <token>: https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz | tar xz
mv linux-amd64/helm /usr/local/bin/helm

# 添加Velero Helm仓库
helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts

# 安装Velero
helm install velero vmware-tanzu/velero \
  --namespace velero \
  --create-namespace \
  --set-file credentials.secretContents.cloud=credentials-velero \
  --set configuration.provider=aws \
  --set configuration.backupStorageLocation.name=aws \
  --set configuration.backupStorageLocation.bucket=velero-backup-bucket \
  --set configuration.backupStorageLocation.config.region=us-west-2 \
  --set configuration.volumeSnapshotLocation.name=aws \
  --set configuration.volumeSnapshotLocation.config.region=us-west-2

创建备份

# 备份指定命名空间
velero backup create nginx-backup --include-namespaces nginx

# 备份所有资源
velero backup create full-cluster-backup

# 定期备份
velero schedule create daily-backup --schedule="0 1 * * *"

恢复备份

# 恢复指定备份
velero restore create --from-backup nginx-backup

# 恢复到指定命名空间
velero restore create --from-backup nginx-backup --namespace-mappings nginx:nginx-restored

使用 CSI 快照进行备份

CSI(Container Storage Interface)快照提供了标准化的存储快照功能。

创建 VolumeSnapshotClass

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: csi-snapshot-class
driver: hostpath.csi.k8s.io
deletionPolicy: Delete

创建 VolumeSnapshot

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: my-snapshot
spec:
  volumeSnapshotClassName: csi-snapshot-class
  source:
    persistentVolumeClaimName: my-pvc

从快照恢复

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: restored-pvc
spec:
  storageClassName: fast-ssd
  dataSource:
    name: my-snapshot
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

存储卷加密与安全管理

静态加密

Kubernetes支持对存储在etcd中的Secret进行静态加密。

配置加密

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: <base64-encoded-32-byte-key>
    - identity: {}

启用加密

在API服务器配置中引用加密配置:

--encryption-provider-config=/etc/kubernetes/encryption-config.yaml

动态加密

使用Kubernetes Secrets Store CSI Driver实现动态加密:

apiVersion: v1
kind: SecretProviderClass
metadata:
  name: azure-kv-provider
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "my-keyvault"
    objects: |
      array:
        - |
          objectName: my-secret
          objectType: secret
    tenantId: "tenant-id"

访问控制与审计

RBAC配置

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pvc-reader
rules:
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pvc
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pvc-reader
  apiGroup: rbac.authorization.k8s.io

审计日志配置

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
  resources:
  - group: ""
    resources: ["persistentvolumes", "persistentvolumeclaims"]
  verbs: ["create", "update", "delete", "patch"]

通过本章的学习,读者应该能够深入理解动态存储卷配置的原理和实现方式,掌握存储卷的全生命周期管理,了解存储卷备份与恢复的最佳实践,并掌握存储卷加密与安全管理的技术。这些知识对于构建安全、可靠、高效的存储管理体系至关重要。

我是老马,期待与你的下次重逢
Copyright © 2025 老马啸西风