Dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS)

A persistent volume represents a piece of storage that has been provisioned for use with Kubernetes pods. A persistent volume can be used by one or many pods, and can be dynamically or statically provisioned. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect using the Server Message Block (SMB) protocol. This article shows you how to dynamically create an Azure Files share for use by multiple pods in an Azure Kubernetes Service (AKS) cluster.

For more information on Kubernetes volumes, see Storage options for applications in AKS.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a storage class

A storage class is used to define how an Azure file share is created. A storage account is automatically created in the _MC resource group for use with the storage class to hold the Azure file shares. Choose one of the following Azure storage redundancy options for skuName:

  • Standard_LRS - standard locally redundant storage (LRS)
  • Standard_GRS - standard geo-redundant storage (GRS)
  • Standard_RAGRS - standard read-access geo-redundant storage (RA-GRS)

Note

Azure Files currently only works with Standard storage. If you use Premium storage, the volume fails to provision.

For more information on Kubernetes storage classes for Azure Files, see Kubernetes Storage Classes.

Create a file named azure-file-sc.yaml and copy in the following example manifest. For more information on mountOptions, see the Mount options section.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azurefile
provisioner: kubernetes.io/azure-file
mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000
parameters:
  skuName: Standard_LRS

Create the storage class with the kubectl apply command:

kubectl apply -f azure-file-sc.yaml

Create a cluster role and binding

AKS clusters use Kubernetes role-based access control (RBAC) to limit actions that can be performed. Roles define the permissions to grant, and bindings apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see Using RBAC authorization.

To allow the Azure platform to create the required storage resources, create a ClusterRole and ClusterRoleBinding. Create a file named azure-pvc-roles.yaml and copy in the following YAML:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:azure-cloud-provider
rules:
- apiGroups: ['']
  resources: ['secrets']
  verbs:     ['get','create']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:azure-cloud-provider
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: system:azure-cloud-provider
subjects:
- kind: ServiceAccount
  name: persistent-volume-binder
  namespace: kube-system

Assign the permissions with the kubectl apply command:

kubectl apply -f azure-pvc-roles.yaml

Create a persistent volume claim

A persistent volume claim (PVC) uses the storage class object to dynamically provision an Azure file share. The following YAML can be used to create a persistent volume claim 5GB in size with ReadWriteMany access. For more information on access modes, see the Kubernetes persistent volume documentation.

Now create a file named azure-file-pvc.yaml and copy in the following YAML. Make sure that the storageClassName matches the storage class created in the last step:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azurefile
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile
  resources:
    requests:
      storage: 5Gi

Create the persistent volume claim with the kubectl apply command:

kubectl apply -f azure-file-pvc.yaml

Once completed, the file share will be created. A Kubernetes secret is also created that includes connection information and credentials. You can use the kubectl get command to view the status of the PVC:

$ kubectl get pvc azurefile

NAME        STATUS    VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
azurefile   Bound     pvc-8436e62e-a0d9-11e5-8521-5a8664dc0477   5Gi        RWX            azurefile      5m

Use the persistent volume

The following YAML creates a pod that uses the persistent volume claim azurefile to mount the Azure file share at the /mnt/azure path.

Create a file named azure-pvc-files.yaml, and copy in the following YAML. Make sure that the claimName matches the PVC created in the last step.

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: nginx:1.15.5
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 250m
        memory: 256Mi
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: volume
  volumes:
    - name: volume
      persistentVolumeClaim:
        claimName: azurefile

Create the pod with the kubectl apply command.

kubectl apply -f azure-pvc-files.yaml

You now have a running pod with your Azure Files share mounted in the /mnt/azure directory. This configuration can be seen when inspecting your pod via kubectl describe pod mypod. The following condensed example output shows the volume mounted in the container:

Containers:
  mypod:
    Container ID:   docker://053bc9c0df72232d755aa040bfba8b533fa696b123876108dec400e364d2523e
    Image:          nginx:1.15.5
    Image ID:       docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
    State:          Running
      Started:      Fri, 01 Mar 2019 23:56:16 +0000
    Ready:          True
    Mounts:
      /mnt/azure from volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-8rv4z (ro)
[...]
Volumes:
  volume:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  azurefile
    ReadOnly:   false
[...]

Mount options

Default fileMode and dirMode values differ between Kubernetes versions as described in the following table.

version              value
v1.6.x, v1.7.x       0777
v1.8.0-v1.8.5        0700
v1.8.6 or above      0755
v1.9.0               0700
v1.9.1 or above      0755

If using a cluster of version 1.8.5 or greater and dynamically creating the persistent volume with a storage class, mount options can be specified on the storage class object. The following example sets 0777:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azurefile
provisioner: kubernetes.io/azure-file
mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000
parameters:
  skuName: Standard_LRS

If using a cluster of version 1.8.0 - 1.8.4, a security context can be specified with the runAsUser value set to 0. For more information on Pod security context, see Configure a Security Context.

Next steps

For associated best practices, see Best practices for storage and backups in AKS.

Learn more about Kubernetes persistent volumes using Azure Files.
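The steps above (storage class, cluster role and binding, PVC, pod) and the Mount options section all depend on a handful of values lining up across separate manifests: the PVC's storageClassName must name the StorageClass, the pod's claimName must name the PVC, skuName must be a Standard tier, the ClusterRole should grant no more than get/create on secrets to the binder service account, and dir_mode/file_mode decide who inside the pod can write to the SMB share. The script below is an added example, not code from the article or from AKS. It embeds constructed copies of the article's manifests as Python dicts in the shape yaml.safe_load() would return (so it runs offline without PyYAML or a cluster) and reports each mismatch before anything is applied. The check on the world-writable bit is the editor's own caveat: the article's 0777 mount options are reported on purpose, so you can see the finding and decide whether a narrower mode with the uid/gid options fits your workload.

```python
"""Pre-apply checks for the Azure Files dynamic-provisioning manifests.

Added example (not Microsoft's or AKS's code). The five manifests from the
article are embedded as constructed dicts in the shape yaml.safe_load() would
return, so the script needs neither PyYAML nor a cluster.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (short code, human-readable message)

# Standard tiers the article lists for skuName; Premium fails to provision.
STANDARD_SKUS = {"Standard_LRS", "Standard_GRS", "Standard_RAGRS"}
# The only secrets verbs the article's ClusterRole needs.
REQUIRED_SECRET_VERBS = {"get", "create"}
# The binder service account the article binds the role to.
EXPECTED_SUBJECT = ("ServiceAccount", "persistent-volume-binder", "kube-system")


def article_manifests(sku="Standard_LRS", dir_mode="0777", file_mode="0777",
                      pvc_class="azurefile", claim_name="azurefile",
                      secret_verbs=("get", "create")) -> List[dict]:
    """Constructed copies of the article's manifests; the keyword arguments
    let a caller introduce a deliberate mistake and see it reported."""
    return [
        {"kind": "StorageClass", "metadata": {"name": "azurefile"},
         "provisioner": "kubernetes.io/azure-file",
         "mountOptions": [f"dir_mode={dir_mode}", f"file_mode={file_mode}",
                          "uid=1000", "gid=1000"],
         "parameters": {"skuName": sku}},
        {"kind": "ClusterRole", "metadata": {"name": "system:azure-cloud-provider"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": list(secret_verbs)}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:azure-cloud-provider"},
         "roleRef": {"kind": "ClusterRole", "name": "system:azure-cloud-provider"},
         "subjects": [{"kind": "ServiceAccount", "name": "persistent-volume-binder",
                       "namespace": "kube-system"}]},
        {"kind": "PersistentVolumeClaim", "metadata": {"name": "azurefile"},
         "spec": {"accessModes": ["ReadWriteMany"], "storageClassName": pvc_class,
                  "resources": {"requests": {"storage": "5Gi"}}}},
        {"kind": "Pod", "metadata": {"name": "mypod"},
         "spec": {"volumes": [{"name": "volume",
                               "persistentVolumeClaim": {"claimName": claim_name}}]}},
    ]


def parse_mount_options(options: List[str]) -> Dict[str, str]:
    """Turn ['dir_mode=0777', 'uid=1000'] into {'dir_mode': '0777', 'uid': '1000'}."""
    parsed: Dict[str, str] = {}
    for item in options:
        key, _, value = item.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def check_manifests(docs: List[dict]) -> List[Finding]:
    """Cross-check the manifests and return one finding per problem."""
    findings: List[Finding] = []
    by_kind = {d["kind"]: d for d in docs}
    sc, pvc, pod = by_kind["StorageClass"], by_kind["PersistentVolumeClaim"], by_kind["Pod"]
    role, binding = by_kind["ClusterRole"], by_kind["ClusterRoleBinding"]

    # 1. Azure Files only provisions on Standard storage.
    sku = sc.get("parameters", {}).get("skuName")
    if sku not in STANDARD_SKUS:
        findings.append(("sku", f"skuName {sku!r} is not a Standard tier; the volume will fail to provision"))

    # 2. dir_mode/file_mode apply to every file on the SMB mount; the
    #    other-write bit lets any uid in the pod modify the shared data.
    opts = parse_mount_options(sc.get("mountOptions", []))
    for key in ("dir_mode", "file_mode"):
        if key in opts and int(opts[key], 8) & 0o002:
            findings.append(("world-writable", f"{key}={opts[key]} makes the share world-writable inside the pod"))

    # 3. The PVC must name the StorageClass and the pod must name the PVC,
    #    otherwise the share is never provisioned or never mounted.
    if pvc["spec"].get("storageClassName") != sc["metadata"]["name"]:
        findings.append(("pvc-class", "PVC storageClassName does not match the StorageClass name"))
    if "ReadWriteMany" not in pvc["spec"].get("accessModes", []):
        findings.append(("access-mode", "PVC lacks ReadWriteMany; multiple pods cannot share the volume"))
    claims = {v["persistentVolumeClaim"]["claimName"]
              for v in pod["spec"].get("volumes", []) if "persistentVolumeClaim" in v}
    if pvc["metadata"]["name"] not in claims:
        findings.append(("claim-name", "Pod claimName does not reference the PVC"))

    # 4. The cluster-wide grant on secrets should stay at get/create and be
    #    bound only to the binder service account.
    verbs = set()
    for rule in role.get("rules", []):
        if "secrets" in rule.get("resources", []):
            verbs |= set(rule.get("verbs", []))
    if verbs - REQUIRED_SECRET_VERBS:
        findings.append(("over-privileged", f"ClusterRole grants extra secrets verbs: {sorted(verbs - REQUIRED_SECRET_VERBS)}"))
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        findings.append(("binding-ref", "ClusterRoleBinding roleRef does not match the ClusterRole"))
    subjects = {(s["kind"], s["name"], s.get("namespace")) for s in binding.get("subjects", [])}
    if subjects != {EXPECTED_SUBJECT}:
        findings.append(("binding-subject", f"unexpected binding subjects: {sorted(subjects)}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_manifests(article_manifests()):
        print(f"[{code}] {msg}")
```

Run as-is it reports the two world-writable mount options from the article's storage class and nothing else; call article_manifests() with a different sku, pvc_class, claim_name or secret_verbs to see the corresponding mismatch reported. In a real pipeline you would feed check_manifests() the output of yaml.safe_load_all() over the four YAML files instead of the embedded dicts.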