Manually create and use a volume with Azure Files share in Azure Kubernetes Service (AKS)

Container-based applications often need to access and persist data in an external data volume. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect using the Server Message Block (SMB) protocol. This article shows you how to manually create an Azure Files share and attach it to a pod in AKS.

For more information on Kubernetes volumes, see Storage options for applications in AKS.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create an Azure file share

Before you can use Azure Files as a Kubernetes volume, you must create an Azure Storage account and the file share. The following commands create a resource group named myAKSShare, a storage account, and a Files share named aksshare:

# Change these four parameters as needed for your own environment
AKS_PERS_STORAGE_ACCOUNT_NAME=mystorageaccount$RANDOM
AKS_PERS_RESOURCE_GROUP=myAKSShare
AKS_PERS_LOCATION=chinaeast2
AKS_PERS_SHARE_NAME=aksshare

# Create a resource group
az group create --name $AKS_PERS_RESOURCE_GROUP --location $AKS_PERS_LOCATION

# Create a storage account
az storage account create -n $AKS_PERS_STORAGE_ACCOUNT_NAME -g $AKS_PERS_RESOURCE_GROUP -l $AKS_PERS_LOCATION --sku Standard_LRS

# Export the connection string as an environment variable, this is used when creating the Azure file share
export AZURE_STORAGE_CONNECTION_STRING=$(az storage account show-connection-string -n $AKS_PERS_STORAGE_ACCOUNT_NAME -g $AKS_PERS_RESOURCE_GROUP -o tsv)

# Create the file share
az storage share create -n $AKS_PERS_SHARE_NAME --connection-string $AZURE_STORAGE_CONNECTION_STRING

# Get storage account key
STORAGE_KEY=$(az storage account keys list --resource-group $AKS_PERS_RESOURCE_GROUP --account-name $AKS_PERS_STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv)

# Echo storage account name and key
echo Storage account name: $AKS_PERS_STORAGE_ACCOUNT_NAME
echo Storage account key: $STORAGE_KEY

Make a note of the storage account name and key shown at the end of the script output. These values are needed when you create the Kubernetes volume in one of the following steps.

Create a Kubernetes secret

Kubernetes needs credentials to access the file share created in the previous step. These credentials are stored in a Kubernetes secret, which is referenced when you create a Kubernetes pod.

Use the kubectl create secret command to create the secret. The following example creates a secret named azure-secret and populates the azurestorageaccountname and azurestorageaccountkey from the previous step. To use an existing Azure storage account, provide the account name and key.

kubectl create secret generic azure-secret --from-literal=azurestorageaccountname=$AKS_PERS_STORAGE_ACCOUNT_NAME --from-literal=azurestorageaccountkey=$STORAGE_KEY
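
An alternative way to create the same secret, added here as an example and not part of the original article: the manifest is built on stdout and piped to kubectl, so the storage key never appears in a process argument list as it does with --from-literal. The function names azure_secret_manifest and b64 are hypothetical.

```shell
#!/usr/bin/env bash
# Build the azure-secret manifest on stdout. The key is read from stdin and
# only handled by shell builtins, so it is not exposed in any process's argv
# (which other local users can read through ps or /proc).

# Base64-encode stdin on a single line (GNU base64 wraps long output).
b64() { base64 | tr -d '\n'; }

# usage: azure_secret_manifest <secret-name> <account-name>   (key on stdin)
azure_secret_manifest() {
  local name="$1" account="$2" key
  IFS= read -r key || true          # tolerate input without trailing newline
  [ -n "$key" ] || { echo "no storage key on stdin" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  azurestorageaccountname: $(printf '%s' "$account" | b64)
  azurestorageaccountkey: $(printf '%s' "$key" | b64)
EOF
}

# Usage with the variables from the script above:
#   printf '%s\n' "$STORAGE_KEY" \
#     | azure_secret_manifest azure-secret "$AKS_PERS_STORAGE_ACCOUNT_NAME" \
#     | kubectl apply -f -
```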

Mount the file share as a volume

To mount the Azure Files share into your pod, configure the volume in the container spec. Create a new file named azure-files-pod.yaml with the following contents. If you changed the name of the Files share or secret name, update the shareName and secretName. If desired, update the mountPath, which is the path where the Files share is mounted in the pod. For Windows Server containers, specify a mountPath using the Windows path convention, such as 'D:'.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - image: dockerhub.azk8s.cn/library/nginx:1.15.5
    name: mypod
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 250m
        memory: 256Mi
    volumeMounts:
      - name: azure
        mountPath: /mnt/azure
  volumes:
  - name: azure
    azureFile:
      secretName: azure-secret
      shareName: aksshare
      readOnly: false

Use the kubectl command to create the pod.

kubectl apply -f azure-files-pod.yaml

You now have a running pod with an Azure Files share mounted at /mnt/azure. You can use kubectl describe pod mypod to verify the share is mounted successfully. The following condensed example output shows the volume mounted in the container:

Containers:
  mypod:
    Container ID:   docker://86d244cfc7c4822401e88f55fd75217d213aa9c3c6a3df169e76e8e25ed28166
    Image:          dockerhub.azk8s.cn/library/nginx:1.15.5
    Image ID:       docker-pullable://nginx@sha256:9ad0746d8f2ea6df3a17ba89eca40b48c47066dfab55a75e08e2b70fc80d929e
    State:          Running
      Started:      Sat, 02 Mar 2019 00:05:47 +0000
    Ready:          True
    Mounts:
      /mnt/azure from azure (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-z5sd7 (ro)
[...]
Volumes:
  azure:
    Type:        AzureFile (an Azure File Service mount on the host and bind mount to the pod)
    SecretName:  azure-secret
    ShareName:   aksshare
    ReadOnly:    false
  default-token-z5sd7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-z5sd7
[...]

Mount options

The default value for fileMode and dirMode is 0755 for Kubernetes version 1.9.1 and above. If using a cluster with Kubernetes version 1.8.5 or greater and statically creating the persistent volume object, mount options need to be specified on the PersistentVolume object. The following example sets 0777:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile
  azureFile:
    secretName: azure-secret
    shareName: aksshare
    readOnly: false
  mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000
  - mfsymlinks
  - nobrl

If using a cluster of version 1.8.0 - 1.8.4, a security context can be specified with the runAsUser value set to 0. For more information on Pod security context, see Configure a Security Context.
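
A pre-apply check for the mount options above, added here as an example and not part of the original article: it flags dir_mode and file_mode values that grant write access to "other". The function name audit_mount_modes is hypothetical, and the tighter modes 0750 and 0640 are values chosen for this example.

```shell
#!/usr/bin/env bash
# Flag dir_mode/file_mode mount options that give "other" write access.
# On an SMB mount these modes are applied to every file and directory on the
# share, so 0777 lets any UID in any container that mounts it modify the data.

# Reads a manifest on stdin, prints one line per finding, returns 1 if any.
audit_mount_modes() {
  awk '
    /^[ \t]*#/ { next }                       # ignore commented-out options
    match($0, /(dir_mode|file_mode)=[0-7]+/) {
      opt = substr($0, RSTART, RLENGTH)
      other = substr(opt, length(opt), 1)     # last octal digit = "other" bits
      if (other ~ /[2367]/) { print "world-writable: " opt; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: the mountOptions from the manifest above.
PAGE_OPTIONS='  mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000'

# Constructed sample: tighter modes (values chosen for this example) that
# limit access to uid/gid 1000.
TIGHT_OPTIONS='  mountOptions:
  - dir_mode=0750
  - file_mode=0640
  - uid=1000
  - gid=1000'

printf '%s\n' "$PAGE_OPTIONS"  | audit_mount_modes || echo "-> tighten before applying"
printf '%s\n' "$TIGHT_OPTIONS" | audit_mount_modes && echo "-> no world-writable modes"
```

To check a real manifest, run audit_mount_modes < azurefile-mount-options-pv.yaml before kubectl apply.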

To update your mount options, create an azurefile-mount-options-pv.yaml file with a PersistentVolume. For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile
  azureFile:
    secretName: azure-secret
    shareName: aksshare
    readOnly: false
  mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000
  - mfsymlinks
  - nobrl

Create an azurefile-mount-options-pvc.yaml file with a PersistentVolumeClaim that uses the PersistentVolume. For example:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azurefile
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile
  resources:
    requests:
      storage: 5Gi

Use the kubectl commands to create the PersistentVolume and PersistentVolumeClaim.

kubectl apply -f azurefile-mount-options-pv.yaml
kubectl apply -f azurefile-mount-options-pvc.yaml

Verify your PersistentVolumeClaim is created and bound to the PersistentVolume.

$ kubectl get pvc azurefile

NAME        STATUS   VOLUME      CAPACITY   ACCESS MODES   STORAGECLASS   AGE
azurefile   Bound    azurefile   5Gi        RWX            azurefile      5s

Update your container spec to reference your PersistentVolumeClaim and update your pod. For example:

...
  volumes:
  - name: azure
    persistentVolumeClaim:
      claimName: azurefile

Next steps

For associated best practices, see Best practices for storage and backups in AKS.

For more information about how AKS clusters interact with Azure Files, see the Kubernetes plugin for Azure Files.

For storage class parameters, see Static Provision (bring your own file share).