Use persistent storage in a Windows container and prepare Windows nodes for group Managed Service Accounts

A persistent volume represents a piece of storage that has been provisioned for use with Kubernetes pods. A persistent volume can be used by one or more pods and is meant for long-term storage. It's also independent of pod or node lifecycle. In this section, you'll see how to create a persistent volume and how to use this volume in your Windows application.

Before you begin

Here's what you need to get started:

  • A Kubernetes cluster with at least one Windows worker node.
  • A kubeconfig file to access the Kubernetes cluster.

Create a persistent volume claim

A persistent volume claim is used to automatically provision storage based on a storage class. To create a volume claim, first create a file named pvc-akshci-csi.yaml and copy in the following YAML definition. The claim requests a disk that is 10 GB in size with ReadWriteOnce access. Because the claim does not set a storageClassName, the default storage class (vhdx) is used.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-akshci-csi
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Create the volume by running the following command in an administrative PowerShell session on one of the servers in the Azure Stack HCI cluster (connect to the server using a method such as Enter-PSSession or Remote Desktop):

kubectl create -f pvc-akshci-csi.yaml

The following output shows that your persistent volume claim has been created successfully:

Output:

persistentvolumeclaim/pvc-akshci-csi created

Use the persistent volume

To use a persistent volume, create a file named winwebserver.yaml and copy in the following YAML definition. You will then create a pod with access to the persistent volume claim and the vhdx.

In the YAML definition below, mountPath is the path at which the volume is mounted inside the container. After the pod is created successfully, you will see the subdirectory mnt created in C:\ and the subdirectory akshciscsi created inside mnt.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: win-webserver
  name: win-webserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: win-webserver
  template:
    metadata:
      labels:
        app: win-webserver
      name: win-webserver
    spec:
      containers:
        - name: windowswebserver
          image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
          ports:
            - containerPort: 80
          volumeMounts:
            - name: akshciscsi
              mountPath: "/mnt/akshciscsi"
      volumes:
        - name: akshciscsi
          persistentVolumeClaim:
            claimName: pvc-akshci-csi
      nodeSelector:
        kubernetes.io/os: windows

To create a pod with the above YAML definition, run:

kubectl create -f winwebserver.yaml

To make sure the pod is running, run the following command. Wait a few minutes until the pod is in the Running state, since pulling the image takes time.

kubectl get pods -o wide

Once your pod is running, view the pod status by running the following command (replace %podName% with the name shown by kubectl get pods):

kubectl.exe describe pod %podName%

To verify that your volume has been mounted in the pod, open a shell inside the pod by running the following command, then check that C:\mnt\akshciscsi exists:

kubectl exec -it %podName% -- cmd.exe
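As an added example (not from the original article), the following PowerShell script runs the claim, deployment and verification steps above end to end, waiting for each object to reach the expected state instead of re-running kubectl get by hand. It assumes kubectl is on PATH with a kubeconfig for the cluster and that pvc-akshci-csi.yaml and winwebserver.yaml are in the current directory; the helper name Wait-ForCondition is my own.

```powershell
# Added example, not code from the original article.
$ErrorActionPreference = 'Stop'

# Polls a check block every 10 seconds until it returns $true or the timeout expires.
function Wait-ForCondition {
    param([scriptblock]$Check, [string]$Description, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (& $Check) { Write-Host "OK: $Description"; return }
        Start-Sleep -Seconds 10
    }
    throw "Timed out waiting for: $Description"
}

# 1. Create the claim and wait until the CSI driver has bound a vhdx to it.
kubectl apply -f pvc-akshci-csi.yaml
Wait-ForCondition -Description 'PVC pvc-akshci-csi is Bound' -Check {
    (kubectl get pvc pvc-akshci-csi -o jsonpath='{.status.phase}') -eq 'Bound'
}

# 2. Create the deployment and wait for its pod to be Ready (the image pull takes a while).
kubectl apply -f winwebserver.yaml
Wait-ForCondition -Description 'win-webserver pod is Ready' -Check {
    $pods = kubectl get pods -l app=win-webserver -o json | ConvertFrom-Json
    $pods.items.Count -eq 1 -and
    ($pods.items[0].status.conditions | Where-Object { $_.type -eq 'Ready' }).status -eq 'True'
}

# 3. Prove the volume is mounted at mountPath and writable, without an interactive shell:
#    write a probe file on the volume and read it back.
$podName = kubectl get pods -l app=win-webserver -o jsonpath='{.items[0].metadata.name}'
kubectl exec $podName -- cmd.exe /c "dir C:\mnt\akshciscsi"
kubectl exec $podName -- cmd.exe /c "echo probe > C:\mnt\akshciscsi\probe.txt && type C:\mnt\akshciscsi\probe.txt"
```

If the pod is deleted and recreated, probe.txt is still present, which is the difference between a persistent volume and the container's own writable layer.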

Delete a persistent volume claim

Before deleting a persistent volume claim, you must delete the app deployment by running:

kubectl.exe delete deployments win-webserver

You can then delete the persistent volume claim by running:

kubectl.exe delete PersistentVolumeClaim pvc-akshci-csi

Prepare Windows nodes for group Managed Service Account support

Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators across multiple servers. To configure group Managed Service Accounts (gMSA) for pods and containers that will run on your Windows nodes, you first have to join your Windows nodes to an Active Directory domain.

To enable group Managed Service Account support, your Kubernetes cluster name has to be fewer than 4 characters. This is because the maximum supported length for a domain-joined server name is 15 characters, and the AKS on Azure Stack HCI naming convention for a worker node adds a few pre-defined characters to the node name.

To join your Windows worker nodes to a domain, first log in to a Windows worker node. Run the following command and note the node's EXTERNAL-IP value:

kubectl get nodes -o wide

You can then SSH into the node using ssh Administrator@ip, replacing ip with the EXTERNAL-IP value.

After you've successfully logged in to your Windows worker node, run the following PowerShell command to join the node to the domain. You'll be prompted to enter your domain administrator account credentials. You can also use elevated user credentials that have been granted rights to join computers to the given domain. You'll then need to reboot your Windows worker node.

Add-Computer -DomainName "YourDomainName" -Restart
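Added example, not from the original article: a preflight check to run where kubectl works, before you SSH into each node to run Add-Computer. It lists the Windows worker nodes (using the kubernetes.io/os=windows label from the deployment above) and flags any whose name exceeds the 15-character limit for a domain-joined computer name, which is the limit the short-cluster-name rule exists to satisfy. The function name Test-NodeNameLength is my own.

```powershell
# Added example, not code from the original article.
$ErrorActionPreference = 'Stop'

# Reports, for each node name, whether it fits the domain-join computer-name limit.
function Test-NodeNameLength {
    param([string[]]$NodeNames, [int]$MaxLength = 15)
    foreach ($n in $NodeNames) {
        [pscustomobject]@{
            Node     = $n
            Length   = $n.Length
            Joinable = ($n.Length -le $MaxLength)
        }
    }
}

# Only Windows nodes are domain-joined for gMSA, so select them by the OS label.
$raw = kubectl get nodes -l kubernetes.io/os=windows -o jsonpath='{.items[*].metadata.name}'
$names = @($raw -split '\s+' | Where-Object { $_ })
if ($names.Count -eq 0) { throw 'No Windows worker nodes found in the cluster.' }

$report = Test-NodeNameLength -NodeNames $names
$report | Format-Table -AutoSize

# Fail early: Add-Computer on an over-long name would fail on every node anyway, so
# recreate the cluster with a shorter name before touching any node.
if ($report | Where-Object { -not $_.Joinable }) {
    throw 'One or more Windows node names exceed 15 characters; shorten the cluster name and recreate it before domain join.'
}
Write-Host "All $($names.Count) Windows node name(s) fit the 15-character limit; proceed with Add-Computer on each node."
```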

Once all Windows worker nodes have been joined to the domain, follow the steps detailed in configuring gMSA to apply the Kubernetes gMSA custom resource definitions and webhooks to your Kubernetes cluster.

For more information on Windows containers with gMSA, see Windows containers and gMSA.

Next steps