一. k8s接入ceph的RBD-基于secret认证
1.将K8S所有节点上对应的ceph认证文件全部删除(确保后续挂载依赖的是secret,而不是节点本地的keyring文件)
[root@master231 ~]# rm -f /etc/ceph/ceph.client.*
[root@worker232 ~]# rm -f /etc/ceph/ceph.client.*
[root@worker233 ~]# rm -f /etc/ceph/ceph.client.*
2.获取ceph集群的admin账号的key信息并经过base64编码
[root@ceph141 ~]# grep key /etc/ceph/ceph.client.admin.keyring | awk '{printf "%s", $NF}' | base64
QVFEakZycGx5dkZDRGhBQXBKZzExMVlNSUdRNi9GL3gvWStxcFE9PQ==
[root@ceph141 ~]#
温馨提示:
每个ceph集群都有各自对应的key,请根据你的实际情况来。
base64只是编码而不是加密,上面的输出可以直接还原出admin的key,请勿把它贴到公开场合或提交到代码仓库。
3.将该编码封装为secrets资源
[root@master231 rbd]# cat 03-deploy-svc-ing-secrets-volume-rbd-admin-secretRef.yaml
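# Secret holding the Ceph key that the rbd volume of the Deployment in this
# file references through secretRef.
# Nesting restored: metadata.name and data.key must be indented under their
# parents, otherwise they are parsed as top-level keys.
apiVersion: v1
kind: Secret
metadata:
  name: ceph-admin-secret
type: "kubernetes.io/rbd"
data:
  # Base64-encoded key of the Ceph admin user; this value must be replaced
  # with the one from your own cluster.
  # Base64 is an encoding, not encryption: anyone who can read this manifest
  # or this Secret can recover the key, so keep the file out of version
  # control and restrict read access to Secrets in the namespace.
  key: QVFEakZycGx5dkZDRGhBQXBKZzExMVlNSUdRNi9GL3gvWStxcFE9PQ==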
---
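# Deployment with one replica whose pod mounts a Ceph RBD image and
# authenticates with a key taken from a Secret instead of a keyring file
# on the node.
# Nesting restored: as a flat listing this document repeats the keys
# "metadata", "spec" and "name" at the top level and does not parse as a
# Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-volume-rbd-secrets-keyring
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: ceph-rbd
  template:
    metadata:
      labels:
        apps: ceph-rbd
    spec:
      volumes:
      - name: data
        # NOTE(review): the in-tree rbd volume type has been deprecated
        # upstream in favour of the Ceph CSI driver; confirm it is still
        # available in your Kubernetes version.
        rbd:
          # Ceph monitor endpoints
          monitors:
          - 10.0.0.141:6789
          - 10.0.0.142:6789
          - 10.0.0.143:6789
          pool: yinzhengjie-k8s
          image: nginx-web
          fsType: xfs
          readOnly: false
          # Ceph user used to connect to the cluster.
          # "admin" carries cluster-wide capabilities; outside of a test
          # setup, use a dedicated user whose caps are limited to this pool.
          user: admin
          # keyring: "/etc/ceph/ceph.client.k8s.keyring"
          # Secret that stores the key of the rbd user; when set, it
          # overrides the "keyring" field.
          secretRef:
            # Name of the Secret that stores the Ceph admin key
            name: ceph-admin-secret
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v3
        volumeMounts:
        - name: data
          mountPath: /yinzhengjie-data
        ports:
        - containerPort: 80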
---
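# Service exposing port 80 of the pods labelled "apps: ceph-rbd".
# Nesting restored: selector and ports belong under spec.
apiVersion: v1
kind: Service
metadata:
  name: svc-rbd-secrets
spec:
  selector:
    apps: ceph-rbd
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80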
---
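# Ingress routing the host v3.yinzhengjie.com to svc-rbd-secrets on port 80.
# Nesting restored: annotations belong under metadata, and rules, paths and
# backend belong under spec.
# No "tls" section is defined, so this rule serves the host over plain HTTP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apps-ingress-secrets
  annotations:
    # Selects the type of Ingress controller
    kubernetes.io/ingress.class: traefik
spec:
  # Name of the Ingress controller class
  # ingressClassName: mytraefik
  rules:
  - host: v3.yinzhengjie.com
    http:
      paths:
      - backend:
          service:
            name: svc-rbd-secrets
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific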
[root@master231 rbd]#
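4.创建资源(先应用上面的资源清单,例如 kubectl apply -f 03-deploy-svc-ing-secrets-volume-rbd-admin-secretRef.yaml,再查看各资源的状态)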
[root@master231 rbd]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deploy-volume-rbd-secrets-keyring-6dbc6688f5-kqjxp 1/1 Running 0 6s 10.100.1.175 worker232 <none> <none>
[root@master231 rbd]#
[root@master231 rbd]# kubectl -n yinzhengjie-traefik get svc,po
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/mytraefik LoadBalancer 10.200.205.77 10.0.0.189 80:18238/TCP,443:13380/TCP 12d
NAME READY STATUS RESTARTS AGE
pod/mytraefik-5f6bd48975-6w8gm 1/1 Running 0 3d
[root@master231 rbd]#
[root@master231 rbd]#
[root@master231 rbd]# kubectl describe ingress apps-ingress-secrets
Name: apps-ingress-secrets
Labels: <none>
Namespace: default
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
v3.yinzhengjie.com
/ svc-rbd-secrets:80 (10.100.1.175:80)
Annotations: kubernetes.io/ingress.class: traefik
Events: <none>
[root@master231 rbd]#
5.在windows的hosts文件中添加解析记录
10.0.0.189 v3.yinzhengjie.com
6.访问测试
http://v3.yinzhengjie.com/
二.其他补充
本博客采用admin用户账号信息进行测试,如果想要使用普通用户测试,套路一样哟。
admin的key拥有整个ceph集群的管理权限,生产环境建议为K8S单独创建只对目标存储池有权限的普通用户,并把该用户的key放入secret。
如果对用户管理的命令不熟悉,小伙伴们可以参考我之前的笔记。
推荐阅读:
https://github.com/kubernetes/examples/blob/master/volumes/rbd/README.md
https://www.cnblogs.com/yinzhengjie/p/14275022.html