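EKS Persistent Storage - AWS EFS
Prerequisites
- The cluster already has an IAM OIDC provider
- AWS CLI installed (1.25.46 or later)
- kubectl and eksctl installed
Cluster-side EFS CSI deployment
Permission configuration
Create an AWS IAM policy and bind it to the cluster's service account to grant the EFS CSI driver permission to call AWS APIs
1. Download the IAM policy template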
curl -o iam-policy-example.json https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/docs/iam-policy-example.json
2. Create the IAM policy (this step and step 3 below both require the instance to have IAM-related permissions)
aws iam create-policy \
--policy-name AmazonEKS_EFS_CSI_Driver_Policy \
--policy-document file://iam-policy-example.json
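3. Create an IAM role, attach the IAM policy above to it, and bind it to the cluster's service account
Set the cluster name and AWS region ID according to your actual environment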
eksctl create iamserviceaccount \
--cluster my-cluster \
--namespace kube-system \
--name efs-csi-controller-sa \
--attach-policy-arn arn:aws:iam::111122223333:policy/AmazonEKS_EFS_CSI_Driver_Policy \
--approve \
--region region-code
Install the EFS CSI driver
1. Add the Helm repo
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
2. Update the repo
helm repo update
3. Install the EFS CSI driver with Helm
helm upgrade -i aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
--namespace kube-system \
--set image.repository=918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/eks/aws-efs-csi-driver \
--set controller.serviceAccount.create=false \
--set controller.serviceAccount.name=efs-csi-controller-sa
4. Deploy the StorageClass
- Download the StorageClass template provided by AWS:
curl -o storageclass.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml
- Change the fileSystemId value to your EFS ID
reclaimPolicy-Retain: manual reclaim; when the pod's resources are deleted, the PV allocated to it is not deleted automatically
volumeBindingMode-WaitForFirstConsumer: delays binding between the pod and the PV; the PV is bound to the pod only after the pod has been created successfully
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-92107410
  directoryPerms: "700"
  gidRangeStart: "1000" # optional
  gidRangeEnd: "2000" # optional
  basePath: "/dynamic_provisioning" # optional
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
- Deploy
kubectl apply -f storageclass.yaml
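EFS-side configuration
- Create the EFS file system in the AWS console
- Add the VPC and subnets of the EKS cluster as EFS mount targets
- In the mount targets' security group, open inbound port 2049 with the EKS cluster's CIDR as the source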
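The inbound rule above can be checked after the fact. The following is an added example, not part of the original page: it audits security-group JSON in the shape returned by `aws ec2 describe-security-groups` and reports every source that can reach port 2049 from outside the cluster CIDR. The group ID, the CIDR values and the function names are constructed for illustration.

```python
import ipaddress
import json

NFS_PORT = 2049

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
]}]}
""")


def covers_nfs(perm):
    """True if the rule admits TCP 2049 ("-1" means all protocols and ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def audit_nfs_ingress(doc, cluster_cidr):
    """Return (allowed, findings): whether the whole cluster CIDR can reach 2049,
    and every (group, source) that reaches 2049 from outside the cluster CIDR."""
    cluster = ipaddress.ip_network(cluster_cidr)
    allowed, findings = False, []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_nfs(perm):
                continue
            # Security-group sources (UserIdGroupPairs) are not evaluated here.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ipaddress.ip_network(src, strict=False)
                same_family = net.version == cluster.version
                if same_family and cluster.subnet_of(net):
                    allowed = True
                if not (same_family and net.subnet_of(cluster)):
                    findings.append((sg["GroupId"], src))
    return allowed, findings
```

An empty findings list together with `allowed == True` means the mount target accepts NFS traffic from the cluster CIDR and from no other CIDR source.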
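Cluster application-side configuration
- Create a PVC
Example:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-storage-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
  storageClassName: efs-sc-grafana # must name a StorageClass that exists in the cluster
- Configure the PVC in the application pod
Official documentation for reference: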
https://docs.amazonaws.cn/eks/latest/userguide/efs-csi.html
https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes/