KubeCon EU 2016: Kubernetes Storage 101
Transcript of KubeCon EU 2016: Kubernetes Storage 101
Volume types (grouped on the slide into temporary, local and network storage):
● emptyDir
● hostPath
● GlusterFS
● Ceph RBD
● gitRepo
● secret
● flocker
● gcePersistentDisk
● AWS Elastic Block Store (EBS)
● NFS
● iSCSI
● Fibre Channel
● Cinder
VS. Cattle Storage
Users: Sally, Bob
Global (cluster-wide) Persistent Volumes: PV123, PV456
Pod → claim reference → Persistent Volume Claim (PVC001)
Pod → claim reference → Persistent Volume Claim (PVC002)
Pod → claim reference → Persistent Volume Claim (PVC003)
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dyn-prov-claim
  annotations:
    volume.alpha.kubernetes.io/storage-class: aws-ebs
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
Available provisioners:
● OpenStack Cinder: kubernetes.io/cinder
● AWS Elastic Block Store (EBS): kubernetes.io/aws-ebs
● GCE Persistent Disk (gcePD): kubernetes.io/gce-pd
Persistent volume lifecycle (the states shown in the two lifecycle diagrams):
● Provision: manual (an administrator creates the PV) or dynamic (a provisioner creates it in response to a claim)
● Available: the PV exists and no claim is bound to it
● Bound: PV + PVC are bound to each other
● Pending: a pod's claim request has no matching PV yet
● Released: the claim is deleted; with the Retain reclaim policy (the default) the PV keeps its data and is not bound to a new claim until an administrator reclaims it
● Pod deleted: only the pod goes away; the PV and PVC stay bound, so a new pod with the same claim reference gets the same volume
● Failure: the volume cannot mount and the pod ends up in CrashLoopBackOff
● Timing / vague state: which state a claim reports depends on timing, so a claim can look Pending or Bound before the mount has actually succeeded or failed
Pod Security Policy (upstream) vs. Security Context Constraints (SCC) (OpenShift)
● PSP provides an interface for the security types, but enforcement does not exist today (as of KubeCon EU 2016)
● No admission controller
SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:
1. Running of privileged containers.
2. Capabilities a container can request to be added.
3. Use of host directories as volumes.
4. The SELinux context of the container.
5. The user ID.
6. The use of host namespaces and networking.
7. Allocating an FSGroup that owns the pod's volumes.
8. Configuring allowable supplemental groups.
● SCCs are cluster-scoped objects; access to an SCC is granted to specific users, groups and service accounts, so the pods in a project can be restricted to the SCC their service account is allowed to use
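As an added example of what the missing admission step looks like (this is not code from the talk, from Kubernetes or from OpenShift), the Python below models the eight SCC controls above as a plain policy and evaluates pod manifests, given as dicts in the shape of the v1 Pod YAML, against it. The policy values (uid/gid ranges, allowed capabilities and volume types) and the two sample pods are assumptions constructed for the example.

```python
"""SCC-style admission check over pod manifests (added example, not project code).

check_pod() models the eight SCC controls as a policy dict and returns the
violations for a pod given as a dict in the shape of the v1 Pod YAML.  Policy
values and sample pods are assumptions constructed for the example.
"""

# A "restricted"-style policy; every value here is an assumption for the example.
RESTRICTED_POLICY = {
    "allow_privileged": False,                                   # control 1
    "allowed_capabilities": {"NET_BIND_SERVICE"},                # control 2
    "allowed_volume_types": {"emptyDir", "secret", "persistentVolumeClaim",
                             "rbd", "awsElasticBlockStore"},     # control 3 (no hostPath)
    "require_selinux_level": True,                               # control 4
    "run_as_user_range": (1000, 65535),                          # control 5
    "allow_host_namespaces": False,                              # control 6
    "fs_group_range": (1000, 65535),                             # control 7
    "supplemental_groups_range": (1000, 65535),                  # control 8
}

def _in_range(value, rng):
    return rng[0] <= value <= rng[1]

def check_pod(pod, policy=RESTRICTED_POLICY):
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # 6. host namespaces and networking are pod-level booleans
    if not policy["allow_host_namespaces"]:
        for key in ("hostNetwork", "hostPID", "hostIPC"):
            if spec.get(key):
                violations.append(f"{key} is not allowed")
    # 3. host directories (and any other volume type outside the allow-list)
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in policy["allowed_volume_types"]:
                violations.append(f"volume {vol.get('name')!r} uses disallowed type {vtype}")
    # 7. fsGroup that will own the pod's volumes
    if "fsGroup" in pod_sc and not _in_range(pod_sc["fsGroup"], policy["fs_group_range"]):
        violations.append(f"fsGroup {pod_sc['fsGroup']} is outside the allowed range")
    # 8. supplemental groups
    for gid in pod_sc.get("supplementalGroups", []):
        if not _in_range(gid, policy["supplemental_groups_range"]):
            violations.append(f"supplementalGroup {gid} is outside the allowed range")
    # 4. SELinux: require an explicit MCS level at pod level
    if policy["require_selinux_level"] and not pod_sc.get("seLinuxOptions", {}).get("level"):
        violations.append("securityContext.seLinuxOptions.level must be set")

    for container in spec.get("containers", []):
        name = container.get("name")
        sc = container.get("securityContext", {})
        # 1. privileged containers
        if sc.get("privileged") and not policy["allow_privileged"]:
            violations.append(f"container {name!r} requests privileged")
        # 2. capabilities the container asks to add
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in policy["allowed_capabilities"]:
                violations.append(f"container {name!r} adds capability {cap}")
        # 5. user ID; a container-level runAsUser overrides the pod-level one
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None:
            violations.append(f"container {name!r} does not set runAsUser")
        elif not _in_range(uid, policy["run_as_user_range"]):
            violations.append(f"container {name!r} runAsUser {uid} is outside the allowed range")
    return violations

# Constructed sample pods.  GOOD_POD follows the rbd-web manifest from the talk with a
# non-root uid and an MCS level added; BAD_POD asks for everything an SCC exists to deny.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "rbd-web"},
    "spec": {
        "securityContext": {"runAsUser": 1001, "fsGroup": 1234,
                            "supplementalGroups": [1234],
                            "seLinuxOptions": {"level": "s0:c123,c456"}},
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
        "volumes": [{"name": "ceph-rbd", "rbd": {"monitors": ["192.168.122.133:6789"],
                                                  "pool": "rbd", "image": "foo"}}],
    },
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "host-escape"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": True, "runAsUser": 0,
                                            "capabilities": {"add": ["SYS_ADMIN"]}}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admitted")
```

The container-level runAsUser overriding the pod-level one is the detail an admission check most often gets wrong: validating only pod.spec.securityContext lets a container set runAsUser: 0 underneath it.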
# ls -ld /opt/nfs   # on the NFS server
drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs
The export is mode 770, owned by root with group 1234, so only members of group 1234 can read or write it. The pod below adds 1234 as a supplemental group so the container process is a member of that group without running as root.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-nfs-test
spec:
  containers:
    - name: nginx-nfs-test
      image: fedora/nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: nginx-nfs
          mountPath: /usr/share/nginx/html/test
  securityContext:
    supplementalGroups: [1234]
  volumes:
    - name: nginx-nfs
      persistentVolumeClaim:
        claimName: nfs-claim
Currently the list of volumes which support ownership management (fsGroup) includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
apiVersion: v1
kind: Pod
metadata:
  name: rbd-web
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ceph-rbd
          mountPath: "/usr/share/nginx/html"
  securityContext:
    fsGroup: 1234
  volumes:
    - name: ceph-rbd
      rbd:
        monitors:
          - 192.168.122.133:6789
        pool: rbd
        image: foo
        user: admin
        secretRef:
          name: ceph-secret
        fsType: ext4
        readOnly: false
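The NFS pod with supplementalGroups and the rbd-web pod with fsGroup solve the same problem from two sides: supplementalGroups changes the process's group list to match a volume whose ownership is fixed on the server, fsGroup changes the volume's group to match the pod. The following added example, not code from the talk or from the kubelet, models the kernel's owner/group/other permission check and both settings so the difference can be seen without a cluster. The uid 1001 for the nginx process is an assumption, and the fsGroup behaviour is a simplified model of the kubelet's volume ownership management (chgrp to fsGroup, group rwx, setgid on directories), not its actual code.

```python
"""Why supplementalGroups and fsGroup matter (added example, not code from the talk).

Models the owner/group/other check the kernel applies when the container process
touches a volume, for the NFS export from the ls -ld output (mode 770, root:1234)
and for a fresh block volume such as the Ceph RBD image.  The fsGroup effect is a
simplification of the kubelet's ownership management, and uid 1001 is assumed.
"""
import stat
from dataclasses import dataclass, field


@dataclass
class Inode:
    mode: int          # permission bits, e.g. 0o770, possibly with stat.S_ISGID
    uid: int
    gid: int
    is_dir: bool = True


@dataclass
class Process:
    uid: int
    gid: int                                   # primary group
    groups: set = field(default_factory=set)   # supplementary groups


def can_access(inode, proc, want):
    """want is a subset of 'rwx'; True if every requested bit is granted.

    The kernel picks exactly one class: owner if the uid matches, else group if
    the primary or any supplementary gid matches, else other.  uid 0 always
    passes, which is why running containers as root hides these problems."""
    if proc.uid == 0:
        return True
    if proc.uid == inode.uid:
        shift = 6
    elif inode.gid == proc.gid or inode.gid in proc.groups:
        shift = 3
    else:
        shift = 0
    bits = (inode.mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def with_supplemental_groups(proc, gids):
    """Effect of pod.spec.securityContext.supplementalGroups: the container
    process starts with these gids in its supplementary group list."""
    return Process(proc.uid, proc.gid, set(proc.groups) | set(gids))


def apply_fs_group(volume_root, proc, fs_group):
    """Modelled effect of pod.spec.securityContext.fsGroup on a volume that supports
    ownership management: the volume is chgrp'ed to fs_group, made group-writable,
    directories get setgid so new files inherit the group, and the process gets
    fs_group as a supplementary group.  Simplification of the kubelet's behaviour."""
    mode = volume_root.mode | 0o070
    if volume_root.is_dir:
        mode |= stat.S_ISGID
    relabelled = Inode(mode, volume_root.uid, fs_group, volume_root.is_dir)
    return relabelled, with_supplemental_groups(proc, [fs_group])


# Constructed inputs: the NFS export from the ls -ld output and a fresh ext4 root on the RBD image.
NFS_EXPORT = Inode(0o770, uid=0, gid=1234)
RBD_ROOT = Inode(0o755, uid=0, gid=0)
NGINX = Process(uid=1001, gid=1001)   # assumed: the image does not run as root


def nfs_demo():
    """(access without supplementalGroups, access with supplementalGroups [1234])."""
    before = can_access(NFS_EXPORT, NGINX, "rw")
    after = can_access(NFS_EXPORT, with_supplemental_groups(NGINX, [1234]), "rw")
    return before, after


def rbd_demo():
    """(write before fsGroup, write after fsGroup 1234, resulting gid, setgid set)."""
    before = can_access(RBD_ROOT, NGINX, "w")
    root, proc = apply_fs_group(RBD_ROOT, NGINX, 1234)
    return before, can_access(root, proc, "w"), root.gid, bool(root.mode & stat.S_ISGID)


if __name__ == "__main__":
    print("NFS without/with supplementalGroups [1234]:", nfs_demo())
    print("RBD before/after fsGroup 1234:", rbd_demo())
```

fsGroup is only useful on volume types the kubelet can chown, which is why the talk lists which plugins support ownership management; for NFS and other shared filesystems the ownership lives on the server, so supplementalGroups is the tool that applies.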
Currently the list of volumes which support SELinux management includes:
● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
● Fibre Channel
apiVersion: v1
kind: Pod
metadata:
  name: ebs-web
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ebs-volume
          mountPath: "/usr/share/nginx/html"
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
    - name: ebs-volume
      awsElasticBlockStore:
        volumeID: <VOLUME ID>
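Setting seLinuxOptions.level on the pod makes the kubelet relabel a supported volume with that MCS level and run the containers at it. What that buys is the MCS dominance rule: a process may read or write a file only if the process's category set contains every category of the file. The added example below (not from the talk and not the SELinux policy itself) implements that rule over level strings and shows that the ebs-web pod at s0:c123,c456 can use its own volume, a pod at another level cannot, and a process with no categories cannot either. The second pod's level and the all-categories level are constructed for the example.

```python
"""MCS dominance for pod volumes (added example, not code from the talk).

parse_level() turns an MCS level string such as 's0:c123,c456' into a sensitivity
and a category set; dominates() applies the rule the targeted policy's MCS
constraints enforce for file reads and writes: equal sensitivity and the
process's categories must be a superset of the file's.  Labels are constructed.
"""


def parse_level(level):
    """'s0:c123,c456' -> ('s0', {123, 456}); 's0' -> ('s0', set()).

    Ranges such as 'c0.c1023' expand to every category in the range.  Only a
    single level (what seLinuxOptions.level holds) is handled, not a
    low-high range written with '-'."""
    sensitivity, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return sensitivity, categories


def dominates(process_level, file_level):
    """True if a process at process_level may access a file at file_level."""
    ps, pc = parse_level(process_level)
    fs, fc = parse_level(file_level)
    return ps == fs and pc >= fc


# Constructed scenario: the ebs-web pod above, a second pod with its own level,
# a process with no categories, and the all-categories level an unconfined
# domain runs with.
POD_A = "s0:c123,c456"
POD_B = "s0:c789,c1000"
NO_CATEGORIES = "s0"
ALL_CATEGORIES = "s0:c0.c1023"


def volume_access_matrix(volume_level=POD_A):
    """Which process levels can touch a volume the kubelet relabelled to volume_level."""
    return {lvl: dominates(lvl, volume_level)
            for lvl in (POD_A, POD_B, NO_CATEGORIES, ALL_CATEGORIES)}


if __name__ == "__main__":
    for lvl, ok in volume_access_matrix().items():
        print(f"{lvl:>14}: {'allowed' if ok else 'denied'}")
```

The matrix is the reason two pods given different levels cannot read each other's volumes even when both run as the same uid, and also the reason a volume relabelled to one pod's level stops working for a second pod unless that pod is given the same level.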