Storage options for applications in Azure Kubernetes Service (AKS)

Applications running in Azure Kubernetes Service (AKS) may need to store and retrieve data. Some workloads can use fast, local storage on a node whose contents can be discarded; others need data that persists on regular data volumes within the Azure platform.

Multiple pods may need to:

  • Share the same data volumes.
  • Reattach data volumes if the pod is rescheduled on a different node.

Finally, you may need to inject sensitive data or application configuration information into pods.

This article introduces the core concepts that provide storage to your applications in AKS:

[Diagram: Storage options for applications in an Azure Kubernetes Service (AKS) cluster]

Volumes

Kubernetes typically treats individual pods as ephemeral, disposable resources. Applications have different approaches available for using and persisting data. A volume represents a way to store, retrieve, and persist data across pods and through the application lifecycle.

Traditional volumes are created as Kubernetes resources backed by Azure Storage. You can manually create data volumes to assign to pods directly, or have Kubernetes create them automatically. Data volumes can use Azure Disks or Azure Files.

Azure Disks

Use Azure Disks to create a Kubernetes DataDisk resource. Disks can use:

  • Azure Premium storage, backed by high-performance SSDs, or
  • Azure Standard storage, backed by regular HDDs.

Tip

For most production and development workloads, use Premium storage.

Azure Disks are mounted as ReadWriteOnce, which means the volume can be attached to a single node at a time; treat it as storage for a single pod. For storage volumes that multiple pods must access simultaneously, use Azure Files.

Azure Files

Use Azure Files to mount an SMB 3.0 share backed by an Azure Storage account into pods. Files let you share data across multiple nodes and pods and can use:

  • Azure Premium storage, backed by high-performance SSDs, or
  • Azure Standard storage, backed by regular HDDs.

Volume types

Kubernetes volumes represent more than a traditional disk for storing and retrieving information. They can also be used to inject data into a pod for use by its containers.

Common volume types in Kubernetes include:

emptyDir

Commonly used as temporary space for a pod. All containers within the pod can access the data on the volume. Data written to this volume type persists only for the lifespan of the pod: when the pod is deleted, the volume is deleted with it. This volume typically uses the underlying local node disk, though it can also exist only in the node's memory.

secret

You can use secret volumes to inject sensitive data, such as passwords, into pods.

  1. Create a Secret using the Kubernetes API.
  2. Define your pod or deployment and request a specific Secret.
    • Secrets are only delivered to nodes that have a scheduled pod requiring them.
    • On the node, the Secret is stored in tmpfs, not written to disk.
  3. When you delete the last pod on a node that requires a Secret, the Secret is removed from the node's tmpfs.
    • Secrets are stored within a given namespace and can only be accessed by pods within the same namespace.
    • The tmpfs behaviour protects the node, not the cluster store: in the API server's backing store a Secret is base64-encoded, not encrypted, unless encryption at rest is enabled, and any principal with RBAC permission to get or list secrets in the namespace can read it.

configMap

You can use a configMap to inject key-value properties, such as application configuration, into pods. Define the configuration as a Kubernetes resource that can be updated easily and applied to new pod instances as they're deployed.

As with a Secret:

  1. Create a ConfigMap using the Kubernetes API.
  2. Request the ConfigMap when you define a pod or deployment.
    • ConfigMaps are stored within a given namespace and can only be accessed by pods within the same namespace.
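The secret and configMap steps above, and the emptyDir type before them, in one manifest. This is an added example, not code from the original page: the namespace, resource names, the busybox image and the credential values are constructed for illustration. It shows the points a practitioner cares about in a volume-based injection: the Secret is mounted read-only with no world-readable bit, the ConfigMap is projected as a file for one key and as an environment variable for another, and scratch space is a memory-backed emptyDir so it never reaches the node's disk.

```yaml
# Added example, not from the original page. Names, namespace and values are
# constructed; "replace-me-example" is a placeholder, not a real credential.
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials
  namespace: demo
type: Opaque
stringData:                        # plain text here; the API server stores it base64-encoded
  username: appuser
  password: "replace-me-example"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: demo
data:
  LOG_LEVEL: info
  app.properties: |
    db.host=db.demo.svc.cluster.local
    db.port=5432
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                  # Secret files are owned root:1000, so uid 1000 reads via the group bit
  containers:
  - name: app
    image: busybox:1.36            # assumed public image; any image that can sleep works
    command: ["sh", "-c", "sleep 3600"]
    env:
    - name: LOG_LEVEL              # a single ConfigMap key exposed as an environment variable
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: LOG_LEVEL
    volumeMounts:
    - name: db-creds
      mountPath: /etc/app/secrets
      readOnly: true
    - name: config
      mountPath: /etc/app/config
      readOnly: true
    - name: scratch
      mountPath: /tmp
  volumes:
  - name: db-creds
    secret:
      secretName: app-db-credentials
      defaultMode: 0440            # owner and group read only; no world-readable bit on the tmpfs files
  - name: config
    configMap:
      name: app-config
      items:
      - key: app.properties        # project only this key as a file; LOG_LEVEL is not written to disk
        path: app.properties
  - name: scratch
    emptyDir:
      medium: Memory               # RAM-backed emptyDir: contents never touch the node's disk
      sizeLimit: 64Mi
```

Apply it with kubectl apply -f and inspect the result with kubectl exec demo-app -n demo -- ls -l /etc/app/secrets: the files appear under a symlinked ..data directory with mode 0440, and neither the password nor the projected config is visible in kubectl describe pod, whereas a value set via env would be.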

Persistent volumes

Volumes defined and created as part of the pod lifecycle exist only until the pod is deleted. Pods, especially in StatefulSets, often expect their storage to remain when they're rescheduled on a different host during a maintenance event. A persistent volume (PV) is a storage resource created and managed by the Kubernetes API that can exist beyond the lifetime of an individual pod.

You can use Azure Disks or Azure Files to provide the PersistentVolume. As noted in the Volumes section, the choice between Disks and Files is usually determined by whether the data needs concurrent access and by the required performance tier.

[Diagram: Persistent volumes in an Azure Kubernetes Service (AKS) cluster]

A PersistentVolume can be created statically by a cluster administrator or dynamically by the Kubernetes API server. If a pod is scheduled and requests storage that isn't currently available, Kubernetes can create the underlying Azure Disk or Azure Files storage and attach it to the pod. Dynamic provisioning uses a StorageClass to identify what type of Azure storage needs to be created.

Storage classes

To define different tiers of storage, such as Premium and Standard, you can create a StorageClass.

The StorageClass also defines the reclaimPolicy. When the PersistentVolumeClaim is deleted and the persistent volume is released, the reclaimPolicy controls what happens to the underlying Azure storage resource: it can be deleted (Delete) or kept for use with a future pod (Retain). Deleting a pod by itself does not trigger the reclaim policy; the claim, and with it the data, outlives the pod.

In AKS, four initial StorageClasses are created for the cluster using the in-tree storage plugins:

  • default: Uses Azure StandardSSD storage to create a Managed Disk. The reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
  • managed-premium: Uses Azure Premium storage to create a Managed Disk. Again, the reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted.
  • azurefile: Uses Azure Standard storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.
  • azurefile-premium: Uses Azure Premium storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.

For clusters using the Container Storage Interface (CSI) external plugins (preview), the following additional StorageClasses are created:

  • managed-csi: Uses Azure StandardSSD locally redundant storage (LRS) to create a Managed Disk. The reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. The storage class also configures the persistent volumes to be expandable; you only need to edit the persistent volume claim with the new size.
  • managed-csi-premium: Uses Azure Premium locally redundant storage (LRS) to create a Managed Disk. Again, the reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. Similarly, this storage class allows persistent volumes to be expanded.
  • azurefile-csi: Uses Azure Standard storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.
  • azurefile-csi-premium: Uses Azure Premium storage to create an Azure File Share. The reclaim policy ensures that the underlying Azure File Share is deleted when the persistent volume that used it is deleted.

Unless you specify a StorageClass for a persistent volume claim, the default StorageClass is used. Check that the default class gives the tier, access mode and reclaim behaviour you need before relying on it.

You can create a StorageClass for additional needs using kubectl. The following example uses Premium Managed Disks and specifies that the underlying Azure Disk should be retained when the persistent volume claim is deleted:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-premium-retain
provisioner: kubernetes.io/azure-disk   # in-tree Azure Disk plugin
reclaimPolicy: Retain                   # keep the Azure Disk after the PVC is deleted; the PV becomes Released and must be cleaned up by hand
parameters:
  storageaccounttype: Premium_LRS       # Premium SSD, locally redundant
  kind: Managed                         # Azure Managed Disk rather than an unmanaged page blob

Note

AKS reconciles the default storage classes and will overwrite any changes you make to them. Create a new StorageClass rather than editing a built-in one.
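The built-in azurefile classes mount SMB shares with the in-tree plugin's defaults of uid=0, gid=0 and dir_mode/file_mode of 0777, so every container on the node that can reach the mount can read and write every file. The following added example, not from the original page, defines a custom Azure Files class that narrows those permissions and retains the share. The class name, the uid/gid values and the modes are assumptions for this illustration; the provisioner name and parameter keys are those of the in-tree Azure Files plugin.

```yaml
# Added example, not from the original page. Class name, uid/gid and modes are assumed.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azurefile-restricted
provisioner: kubernetes.io/azure-file   # in-tree Azure Files plugin, same as the built-in azurefile class
reclaimPolicy: Retain                   # keep the share (and its data) when the claim is deleted
parameters:
  skuName: Standard_LRS
mountOptions:
  - uid=1000          # SMB carries no POSIX ownership; the client presents every file as this uid/gid
  - gid=1000
  - dir_mode=0750     # no world bits: containers must run as uid 1000 or in gid 1000 to use the share
  - file_mode=0640
  - mfsymlinks        # Minshall-French symlinks so applications that create symlinks on the share work
  - cache=strict
  - actimeo=30
```

Pods that use claims on this class need a matching securityContext (runAsUser: 1000 or runAsGroup/fsGroup 1000), otherwise they get permission denied on the mount. Because the policy is Retain, deleting the claim leaves the file share in the storage account, still billed and still holding the data, and the PersistentVolume object stays in the Released state until you delete it and the share yourself.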

Persistent volume claims

A PersistentVolumeClaim requests Disk or File storage of a particular StorageClass, access mode, and size. If no existing resource can fulfil the claim, the Kubernetes API server can dynamically provision the underlying Azure storage resource based on the defined StorageClass.

Once the volume has been connected to the pod, the pod definition includes the volume mount.

[Diagram: Persistent volume claims in an Azure Kubernetes Service (AKS) cluster]

Once an available storage resource has been assigned to the pod requesting storage, the PersistentVolume is bound to the PersistentVolumeClaim. Persistent volumes map 1:1 to claims.

The following example YAML manifest shows a persistent volume claim that uses the managed-premium StorageClass and requests a 5Gi disk:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azure-managed-disk
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: managed-premium
  resources:
    requests:
      storage: 5Gi

When you create a pod definition, you also specify:

  • The persistent volume claim to request the desired storage.
  • The volumeMount for your applications to read and write data.

The following example YAML manifest shows how the previous persistent volume claim can be used to mount a volume at /mnt/azure:

kind: Pod
apiVersion: v1
metadata:
  name: nginx
spec:
  containers:
    - name: myfrontend
      image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
      volumeMounts:
      - mountPath: "/mnt/azure"
        name: volume
  volumes:
    - name: volume
      persistentVolumeClaim:
        claimName: azure-managed-disk

To mount a volume in a Windows container, specify the drive letter and path. For example:

...      
       volumeMounts:
        - mountPath: "d:"
          name: volume
        - mountPath: 'c:\k'   # single-quoted: in a double-quoted YAML string "\k" is an invalid escape
          name: k-dir
...
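The claim and pod above use a ReadWriteOnce disk, which only one node can attach at a time; a Deployment with more than one replica on such a claim would leave the second replica stuck in ContainerCreating when it lands on another node. The following added example, not from the original page, shows the multi-pod case from the Volumes section: a ReadWriteMany claim on the built-in azurefile class shared by two replicas, with the container hardened so that the share is its only writable path. The claim and Deployment names, the busybox image and the write loop are constructed for this illustration.

```yaml
# Added example, not from the original page. Names and the workload are constructed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-uploads
spec:
  accessModes:
  - ReadWriteMany                 # supported by Azure Files; an Azure Disk claim here would fail to bind
  storageClassName: azurefile     # built-in class from the table above; the share is created on first bind
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-frontend
spec:
  replicas: 2                     # both pods, on any nodes, mount the same SMB share
  selector:
    matchLabels:
      app: web-frontend
  template:
    metadata:
      labels:
        app: web-frontend
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
      containers:
      - name: web
        image: busybox:1.36       # assumed public image
        # each replica appends to its own file so the shared directory shows both writers
        command: ["sh", "-c", "while true; do date >> /data/uploads/$(hostname).log; sleep 30; done"]
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true   # the mounted share is the only writable location
        volumeMounts:
        - name: uploads
          mountPath: /data/uploads
      volumes:
      - name: uploads
        persistentVolumeClaim:
          claimName: shared-uploads
```

After kubectl apply -f, kubectl get pvc shared-uploads shows the claim Bound and kubectl exec into either pod lists both replicas' log files under /data/uploads. The built-in azurefile class mounts the share with uid=0, gid=0 and 0777 modes, which is why uid 1000 can write here; if you swap in a class whose mountOptions set a specific uid/gid, the pod's runAsUser and runAsGroup must match them.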

Next steps

For associated best practices, see Best practices for storage and backups in AKS.

To see how to create dynamic and static volumes that use Azure Disks or Azure Files, see the following how-to articles:

For more information on core Kubernetes and AKS concepts, see the following articles: