Storage options for applications in Azure Kubernetes Service (AKS)

Applications that run in Azure Kubernetes Service (AKS) may need to store and retrieve data. For some application workloads, this data storage can use local, fast storage on the node that is no longer needed when the pods are deleted. Other application workloads may require storage that persists on more regular data volumes within the Azure platform. Multiple pods may need to share the same data volumes, or reattach data volumes if the pod is rescheduled on a different node. Finally, you may need to inject sensitive data or application configuration information into pods.

Figure: Storage options for applications in an Azure Kubernetes Service (AKS) cluster

This article introduces the core concepts that provide storage to your applications in AKS:

Volumes

Applications often need to be able to store and retrieve data. As Kubernetes typically treats individual pods as ephemeral, disposable resources, different approaches are available for applications to use and persist data as necessary. A volume represents a way to store, retrieve, and persist data across pods and through the application lifecycle.

Traditional volumes to store and retrieve data are created as Kubernetes resources backed by Azure Storage. You can manually create these data volumes to be assigned to pods directly, or have Kubernetes automatically create them. These data volumes can use Azure Disks or Azure Files:

  • Azure Disks can be used to create a Kubernetes DataDisk resource. Disks can use Azure Premium storage, backed by high-performance SSDs, or Azure Standard storage, backed by regular HDDs. For most production and development workloads, use Premium storage. Azure Disks are mounted as ReadWriteOnce, so they are only available to a single pod. For storage volumes that can be accessed by multiple pods simultaneously, use Azure Files.
  • Azure Files can be used to mount an SMB 3.0 share backed by an Azure Storage account to pods. Files let you share data across multiple nodes and pods. Files can use Azure Standard storage, backed by regular HDDs, or Azure Premium storage, backed by high-performance SSDs.

In Kubernetes, volumes can represent more than just a traditional disk where information can be stored and retrieved. Kubernetes volumes can also be used as a way to inject data into a pod for use by the containers. Common additional volume types in Kubernetes include:

  • emptyDir - This volume is commonly used as temporary space for a pod. All containers within a pod can access the data on the volume. Data written to this volume type persists only for the lifespan of the pod: when the pod is deleted, the volume is deleted. This volume typically uses the underlying local node disk storage, though it can also exist only in the node's memory.
  • secret - This volume is used to inject sensitive data into pods, such as passwords. You first create a Secret using the Kubernetes API. When you define your pod or deployment, a specific Secret can be requested. Secrets are only provided to nodes that have a scheduled pod that requires them, and the Secret is stored in tmpfs, not written to disk. When the last pod on a node that requires a Secret is deleted, the Secret is deleted from the node's tmpfs. Secrets are stored within a given namespace and can only be accessed by pods within the same namespace.
  • configMap - This volume type is used to inject key-value pair properties into pods, such as application configuration information. Rather than defining application configuration information within a container image, you can define it as a Kubernetes resource that can be easily updated and applied to new instances of pods as they are deployed. Like using a Secret, you first create a ConfigMap using the Kubernetes API. This ConfigMap can then be requested when you define a pod or deployment. ConfigMaps are stored within a given namespace and can only be accessed by pods within the same namespace.

Persistent volumes

Volumes that are defined and created as part of the pod lifecycle only exist until the pod is deleted. Pods often expect their storage to remain if a pod is rescheduled on a different host during a maintenance event, especially in StatefulSets. A persistent volume (PV) is a storage resource created and managed by the Kubernetes API that can exist beyond the lifetime of an individual pod.

Azure Disks or Files are used to provide the PersistentVolume. As noted in the previous section on Volumes, the choice of Disks or Files is often determined by the need for concurrent access to the data or by the performance tier.

Figure: Storage options for applications in an Azure Kubernetes Service (AKS) cluster

A PersistentVolume can be statically created by a cluster administrator, or dynamically created by the Kubernetes API server. If a pod is scheduled and requests storage that is not currently available, Kubernetes can create the underlying Azure Disk or Files storage and attach it to the pod. Dynamic provisioning uses a StorageClass to identify what type of Azure storage needs to be created.

Storage classes

To define different tiers of storage, such as Premium and Standard, you can create a StorageClass. The StorageClass also defines the reclaimPolicy. This reclaimPolicy controls the behavior of the underlying Azure storage resource when the pod is deleted and the persistent volume may no longer be required. The underlying storage resource can be deleted, or retained for use with a future pod.

In AKS, four initial StorageClasses are created for a cluster using the in-tree storage plugins:

  • default - Uses Azure StandardSSD storage to create a Managed Disk. The reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
  • managed-premium - Uses Azure Premium storage to create a Managed Disk. The reclaim policy again ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
  • azurefile - Uses Azure Standard storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.
  • azurefile-premium - Uses Azure Premium storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.

For clusters using the new Container Storage Interface (CSI) external plugins (preview), the following additional StorageClasses are created:

  • managed-csi - Uses Azure StandardSSD locally redundant storage (LRS) to create a Managed Disk. The reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. The storage class also configures the persistent volumes to be expandable; you just need to edit the persistent volume claim with the new size.
  • managed-csi-premium - Uses Azure Premium locally redundant storage (LRS) to create a Managed Disk. The reclaim policy again ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. Similarly, this storage class allows for persistent volumes to be expanded.
  • azurefile-csi - Uses Azure Standard storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.
  • azurefile-csi-premium - Uses Azure Premium storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.

If no StorageClass is specified for a persistent volume, the default StorageClass is used. Take care when requesting persistent volumes so that they use the appropriate storage you need. You can create a StorageClass for additional needs using kubectl. The following example uses Premium Managed Disks and specifies that the underlying Azure Disk should be retained when the pod is deleted:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-premium-retain
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
parameters:
  storageaccounttype: Premium_LRS
  kind: Managed

Note

AKS reconciles the default storage classes and will overwrite any changes you make to those storage classes.

Persistent volume claims

A PersistentVolumeClaim requests either Disk or File storage of a particular StorageClass, access mode, and size. The Kubernetes API server can dynamically provision the underlying storage resource in Azure if there is no existing resource to fulfill the claim based on the defined StorageClass. The pod definition includes the volume mount once the volume has been connected to the pod.

Figure: Storage options for applications in an Azure Kubernetes Service (AKS) cluster

A PersistentVolume is bound to a PersistentVolumeClaim once an available storage resource has been assigned to the pod requesting it. There is a 1:1 mapping of persistent volumes to claims.

The following example YAML manifest shows a persistent volume claim that uses the managed-premium StorageClass and requests a Disk 5Gi in size:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azure-managed-disk
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: managed-premium
  resources:
    requests:
      storage: 5Gi

When you create a pod definition, the persistent volume claim is specified to request the desired storage. You also then specify the volumeMount for your applications to read and write data. The following example YAML manifest shows how the previous persistent volume claim can be used to mount a volume at /mnt/azure:

kind: Pod
apiVersion: v1
metadata:
  name: nginx
spec:
  containers:
    - name: myfrontend
      image: nginx
      volumeMounts:
      - mountPath: "/mnt/azure"
        name: volume
  volumes:
    - name: volume
      persistentVolumeClaim:
        claimName: azure-managed-disk
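
The Storage classes and Persistent volume claims sections above describe three easy mistakes: a StorageClass whose reclaimPolicy deletes the backing Azure Disk or File Share together with the PV, a claim with no storageClassName that silently lands on the cluster default, and a ReadWriteMany claim against a disk-backed class that can only mount ReadWriteOnce. The following Python check is an added example (not code from the page or from Microsoft) that applies those rules to the page's three manifests plus two constructed weak claims; the manifests are embedded as dicts mirroring the YAML so it runs with no cluster and no PyYAML.

```python
# Added example (not the page's or Microsoft's code): policy checks for the storage
# pitfalls this page describes, run over constructed dict manifests mirroring its YAML.
DISK_CLASSES = {"default", "managed-premium", "managed-csi", "managed-csi-premium"}  # ReadWriteOnce only

def disk_backed(sc_name, classes):
    """True when a class provisions an Azure Disk (custom classes judged by provisioner)."""
    if sc_name in classes:
        return classes[sc_name].get("provisioner") == "kubernetes.io/azure-disk"
    return sc_name in DISK_CLASSES

def check_manifests(manifests):
    """Return (kind, name, finding) tuples; an empty list means no pitfalls found."""
    classes = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "StorageClass"}
    claims = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "PersistentVolumeClaim"}
    findings = []
    for name, sc in classes.items():
        if sc.get("reclaimPolicy", "Delete") != "Retain":  # a missing reclaimPolicy means Delete
            findings.append(("StorageClass", name, "reclaimPolicy Delete destroys the backing Azure resource"))
    for name, pvc_obj in claims.items():
        spec = pvc_obj.get("spec", {})
        sc_name = spec.get("storageClassName")
        if sc_name is None:  # silently falls back to the cluster default (StandardSSD, Delete)
            findings.append(("PersistentVolumeClaim", name, "no storageClassName: default class is used"))
            sc_name = "default"
        if "ReadWriteMany" in spec.get("accessModes", []) and disk_backed(sc_name, classes):
            findings.append(("PersistentVolumeClaim", name, "ReadWriteMany on an Azure Disk class: use Azure Files"))
    for pod in (m for m in manifests if m["kind"] == "Pod"):
        for vol in pod.get("spec", {}).get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim and claim not in claims:
                findings.append(("Pod", pod["metadata"]["name"], f"volume {vol['name']} references undefined claim {claim}"))
    return findings

def pvc(name, mode, sc=None, size="5Gi"):
    # Build a PersistentVolumeClaim dict shaped like the page's YAML (storageClassName optional).
    spec = {"accessModes": [mode], "resources": {"requests": {"storage": size}}}
    if sc:
        spec["storageClassName"] = sc
    return {"kind": "PersistentVolumeClaim", "metadata": {"name": name}, "spec": spec}

# Constructed samples: the page's StorageClass, PVC and pod, plus two deliberately weak claims.
SAMPLE = [
    {"kind": "StorageClass", "metadata": {"name": "managed-premium-retain"},
     "provisioner": "kubernetes.io/azure-disk", "reclaimPolicy": "Retain"},
    pvc("azure-managed-disk", "ReadWriteOnce", "managed-premium"),
    pvc("no-class", "ReadWriteOnce"),
    pvc("shared-on-disk", "ReadWriteMany", "managed-csi"),
    {"kind": "Pod", "metadata": {"name": "nginx"}, "spec": {"volumes": [
        {"name": "volume", "persistentVolumeClaim": {"claimName": "azure-managed-disk"}},
        {"name": "orphan", "persistentVolumeClaim": {"claimName": "missing-claim"}}]}},
]
```

Running check_manifests(SAMPLE) reports the no-class claim, the ReadWriteMany claim on managed-csi, and the nginx pod's orphan volume, while the page's own three manifests pass clean.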

Next steps

For associated best practices, see Best practices for storage and backups in AKS.

To see how to create dynamic and static volumes that use Azure Disks or Azure Files, see the following how-to articles:

For additional information on core Kubernetes and AKS concepts, see the following articles: