目录

一、Configmap配置管理

二、Secret配置管理

三、Volumes配置管理

四、kubernetes调度

五、kubernetes访问控制

一、Configmap配置管理

Configmap用于保存配置数据，以键值对形式存储；

ConfigMap资源提供了向Pod注入配置数据的方法，旨在让镜像和配置文件解耦，以便实现镜像的可移植性和可复用性；

典型的使用场景有：填充环境变量的值、设置容器内的命令行参数、填充卷的配置文件

1.创建ConfigMap的方式有4种：使用字面值创建、使用文件创建、使用目录创建、编写configmap的yaml文件创建

##使用字面值创建，键值对的方式：
[root@node22 ~]# mkdir configmap
[root@node22 ~]# cd configmap/
[root@node22 configmap]# ls
[root@node22 configmap]# kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
configmap/my-config created
[root@node22 configmap]# kubectl get cm
NAME               DATA   AGE
kube-root-ca.crt   1      3d5h
my-config          2      8s
[root@node22 configmap]# kubectl describe cm my-config
Name:         my-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
 
Data
====
key2:
----
config2
key1:
----
config1
 
BinaryData
====
 
Events:  <none>
 
##使用文件创建，文件名为key，文件内容为值
[root@node22 configmap]# kubectl create configmap my-config-2 --from-file=/etc/resolv.conf
configmap/my-config-2 created
[root@node22 configmap]# kubectl describe cm my-config-2
Name:         my-config-2
Namespace:    default
Labels:       <none>
Annotations:  <none>
 
Data
====
resolv.conf:
----
# Generated by NetworkManager
nameserver 114.114.114.114
 
 
BinaryData
====
 
Events:  <none>
 
##使用目录创建，文件名为key，文件内容为值
[root@node22 configmap]# kubectl create configmap my-config-3 --from-file=test
configmap/my-config-3 created
[root@node22 configmap]# kubectl describe cm my-config-3
Name:         my-config-3
Namespace:    default
Labels:       <none>
Annotations:  <none>
 
Data
====
passwd:
----
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
fstab:
----
 
#
# /etc/fstab
# Created by anaconda on Fri Aug  5 17:48:43 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
UUID=d319ed7a-9c18-4cda-b34a-9e2399f1f1fc /boot                   xfs     defaults        0 0
#/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
 
 
BinaryData
====
 
Events:  <none>
 
##编写comfigmap的yml文件创建
[root@node22 configmap]# vim cm1.yaml
apiVersion: v1
kind: ConfigMap
metadata:
 name: cm1-config
data:
 db_host: "192.168.0.1"
 db_port: "3306"
[root@node22 configmap]# kubectl apply -f cm1.yaml
configmap/cm1-config created
[root@node22 configmap]# kubectl get cm
NAME               DATA   AGE
cm1-config         2      11s
kube-root-ca.crt   1      3d5h
my-config          2      9m45s
my-config-2        1      5m54s
my-config-3        2      3m23s
[root@node22 configmap]# kubectl describe cm cm1-config
Name:         cm1-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
 
Data
====
db_port:
----
3306
db_host:
----
192.168.0.1
 
BinaryData
====
 
Events:  <none>

2.如何使用configmap：

1).通过环境变量的方式直接传递给pod 
[root@node22 configmap]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: pod1
      image: busybox
      command: ["/bin/sh", "-c", "env"]
      env:
        - name: key1
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_host
        - name: key2
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_port
  restartPolicy: Never
[root@node22 configmap]# kubectl apply -f pod.yaml
pod/pod1 created
[root@node22 configmap]# kubectl get pod
NAME                       READY   STATUS      RESTARTS      AGE
demo                       1/1     Running     1 (32m ago)   32m
myapp-1-6666f57846-n8zgn   1/1     Running     0             87m
pod1                       0/1     Completed   0             101s
[root@node22 configmap]# kubectl delete pod pod1
pod "pod1" deleted
[root@node22 configmap]# kubectl delete pod demo --force
[root@node22 configmap]# kubectl delete deployments.apps myapp-1
[root@node22 configmap]# kubectl -n test delete pod demo --force
 
2)	.通过在pod的命令行下运行的方式 
##使用conigmap设置命令行参数
[root@node22 configmap]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: pod1
      image: busybox
      command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
      envFrom:
        - configMapRef:
            name: cm1-config
  restartPolicy: Never
[root@node22 configmap]# kubectl apply -f pod2.yaml
pod/pod1 created
 
3).作为volume的方式挂载到pod内
##通过数据卷使用configmap
[root@node22 configmap]# vim pod3.yaml
kind: Pod
metadata:
  name: pod2
spec:
  containers:
    - name: pod2
      image: busybox
      command: ["/bin/sh", "-c", "cat /config/db_host"]
      volumeMounts:
      - name: config-volume
        mountPath: /config
  volumes:
    - name: config-volume
      configMap:
        name: cm1-config
  restartPolicy: Never
[root@node22 configmap]# kubectl apply -f pod3.yaml
pod/pod2 created
[root@node22 configmap]# kubectl get pod
NAME   READY   STATUS      RESTARTS   AGE
pod2   0/1     Completed   0          57s
[root@node22 configmap]# kubectl logs pod2
192.168.0.1

示例：

例子：configmap热更新

[root@node22 configmap]# vim nginx.conf

server {

    listen 8000;

    server_name _;

    location / {

        root /usr/share/nginx/html;

        index index.html index.htm;

    }

}

[root@node22 configmap]# kubectl create configmap nginxconf --from-file=nginx.conf

configmap/nginxconf created

[root@node22 configmap]# kubectl get cm

NAME               DATA   AGE

cm1-config         2      28m

kube-root-ca.crt   1      3d6h

my-config          2      37m

my-config-2        1      33m

my-config-3        2      31m

nginxconf          1      15s

[root@node22 configmap]# kubectl describe cm nginxconf

Name:         nginxconf

Namespace:    default

Labels:      

Annotations: 

Data

====

nginx.conf:

----

server {

    listen 8000;

    server_name _;

    location / {

        root /usr/share/nginx/html;

        index index.html index.htm;

    }

}

BinaryData

====

Events: 

[root@node22 configmap]# vim nginx.yaml

apiVersion: apps/v1

kind: Deployment

metadata:

  name: my-nginx

spec:

  replicas: 1

  selector:

    matchLabels:

      app: nginx

  template:

    metadata:

      labels:

        app: nginx

    spec:

      containers:

        - name: nginx

          image: nginx

          volumeMounts:

            mountPath: /etc/nginx/conf.d

      volumes:

        - name: config-volume

          configMap:

            name: nginxconf

[root@node22 configmap]# kubectl apply -f nginx.yaml

deployment.apps/my-nginx created

[root@node22 ~]# cd calico/

[root@node22 calico]# kubectl delete -f networkpolicy.yaml

networkpolicy.networking.k8s.io "test-network-policy" deleted

[root@node22 calico]# cd

[root@node22 ~]# cd configmap/

[root@node22 configmap]# curl 10.244.144.76

curl: (7) Failed connect to 10.244.144.76:80; Connection refused

[root@node22 configmap]# kubectl edit cm nginxconf

##编辑nginxconf这个configmap将其端口修改为8080

[root@node22 configmap]# kubectl exec my-nginx-7b84dc948c-f6vlb -- cat /etc/nginx/conf.d/nginx.conf

server {

    listen 8080;

    server_name _;

    location / {

        root /usr/share/nginx/html;

        index index.html index.htm;

    }

}

[root@node22 configmap]# curl 10.244.144.76:8080

curl: (7) Failed connect to 10.244.144.76:8080; Connection refused

##此时虽然容器内的文件内容会更新（有一定延迟），但是更新的设定并没有生效；需要手动触发Pod滚动更新, 这样才能再次加载nginx.conf配置文件

[root@node22 configmap]# kubectl delete pod my-nginx-7b84dc948c-qmq9h

pod "my-nginx-7b84dc948c-qmq9h" deleted

root@node22 configmakubectl get pod -o wide

NAME                        READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES

my-nginx-7b84dc948c-qxgtb   1/1     Running   0          5s    10.244.144.80   node33             

[root@node22 configmap]# curl 10.244.144.80:8080

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and

working. Further configuration is required.

For online documentation and support please refer to

nginx.org.

Commercial support is available at

nginx.com.

Thank you for using nginx.

再改回8000

[root@node22 configmap]# kubectl edit cm nginxconf

[root@node22 configmap]# kubectl patch deployments.apps my-nginx --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20220827"}}}}}'

deployment.apps/my-nginx patched

[root@node22 configmap]# kubectl get all

NAME                            READY   STATUS    RESTARTS   AGE

pod/my-nginx-645f5bbfd6-lrmtp   1/1     Running   0          10s

NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE

service/kubernetes    ClusterIP   10.96.0.1                443/TCP   3d6h

service/my-svc        ClusterIP   10.108.185.37            80/TCP    9h

service/web-service   ClusterIP   10.109.238.119           80/TCP    38h

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE

deployment.apps/my-nginx   1/1     1            1           30m

NAME                                  DESIRED   CURRENT   READY   AGE

replicaset.apps/my-nginx-645f5bbfd6   1         1         1       10s

replicaset.apps/my-nginx-7b84dc948c   0         0         0       30m

二、Secret配置管理

Secret对象类型用来保存敏感信息，例如密码、OAuth令牌和ssh key；敏感信息放在secret中比放在Pod的定义或者容器镜像中来说更加安全和灵活

Pod可以用两种方式使用secret：作为volume中的文件被挂载到pod中的一个或者多个容器里；当 kubelet为pod拉取镜像时使用

Secret的类型：

Service Account：Kubernetes自动创建包含访问API凭据的secret，并自动修改pod以使用此类型的secret

Opaque：使用base64编码存储信息，可以通过base64 --decode解码获得原始数据，因此安全性弱，Opaque类型的Secret其value为base64编码后的值

kubernetes.io/dockerconfigjson：用于存储docker registry的认证信息

1.##serviceaccout创建时Kubernetes会默认创建对应的secret，对应的secret会自动挂载到Pod的 /var/run/secrets/kubernetes.io/serviceaccount目录中
[root@node22 ~]# kubectl get pod
NAME                        READY   STATUS    RESTARTS      AGE
my-nginx-645f5bbfd6-lrmtp   1/1     Running   1 (49m ago)   13h
[root@node22 ~]# kubectl describe pod
 Mounts:
      /etc/nginx/conf.d from config-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-r9k7t (ro)
[root@node22 ~]# kubectl exec my-nginx-645f5bbfd6-lrmtp -- ls /var/run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
 
##每个namespace下有一个名为default的默认的ServiceAccount对象
[root@node22 ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         3d20h
[root@node22 ~]# kubectl get sa -n test
NAME      SECRETS   AGE
default   1         16h
 
2.##ServiceAccount里有一个名为Tokens的可以作为Volume一样被Mount到Pod里的Secret，当Pod启动时这个Secret会被自动Mount到Pod的指定目录下，用来协助完成Pod中的进程访问API Server时的身份鉴权过程
[root@node22 ~]# kubectl get pod my-nginx-645f5bbfd6-lrmtp -o yaml
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/nginx/conf.d
      name: config-volume
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-r9k7t
      readOnly: true
 
3.##从文件中创建secret
[root@node22 ~]# cd secret/
[root@node22 secret]# echo -n 'admin' > ./username.txt
[root@node22 secret]# echo -n 'westos' > ./password.txt
[root@node22 secret]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@node22 secret]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      23h
db-user-pass          Opaque                                2      28s
default-token-pf6bb   kubernetes.io/service-account-token   3      3d20h
tls-secret            kubernetes.io/tls                     2      23h
[root@node22 secret]# kubectl describe secrets db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>
 
Type:  Opaque
 
Data
====
password.txt:  6 bytes
username.txt:  5 bytes
默认情况下 kubectl get和kubectl describe 为了安全是不会显示密码的内容,可以 
通过以下方式查看：
如果密码具有特殊字符，则需要使用 \ 字符对其进行转义，执行以下命令： 
kubectl create secret generic dev-db-secret --from-literal=username=devuser 
--from-literal=password=S\!B\\*d\$zDs
 
[root@node22 secret]# kubectl get  secrets db-user-pass -o yaml
apiVersion: v1
data:
  password.txt: d2VzdG9z
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2022-08-28T09:59:53Z"
  name: db-user-pass
  namespace: default
  resourceVersion: "187151"
  uid: 2630512d-c437-4d41-bdc8-a4748df06835
type: Opaque
查看密码可以采用下面方法：
[root@node22 secret]# echo d2VzdG9z | base64 -d
westos
[root@node22 secret]# echo YWRtaW4= | base64 -d
admin
 
4.##从yaml文件创建secret
[root@node22 secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z
[root@node22 secret]# kubectl apply -f secret.yaml
secret/mysecret created
[root@node22 secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: d2VzdG9z
  username: YWRtaW4=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"d2VzdG9z","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
  creationTimestamp: "2022-08-28T10:08:23Z"
  name: mysecret
  namespace: default
  resourceVersion: "188013"
  uid: cbba6019-bad6-4e95-8acb-b53b9d022bea
type: Opaque
 
##将secrect通过volume挂载到pod中
[root@node22 secret]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
[root@node22 secret]# kubectl apply -f pod.yaml
pod/mysecret created
[root@node22 secret]# kubectl get pod
NAME                        READY   STATUS    RESTARTS      AGE
my-nginx-645f5bbfd6-lrmtp   1/1     Running   1 (75m ago)   14h
mysecret                    1/1     Running   0             10s
[root@node22 secret]# kubectl exec mysecret -- ls /secret
password
username
 
5.##向指定路径映射secret的键值
[root@node22 secret]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[root@node22 secret]# kubectl apply -f  pod2.yaml
pod/mysecret created
[root@node22 secret]# kubectl get pod
NAME                        READY   STATUS    RESTARTS      AGE
my-nginx-645f5bbfd6-lrmtp   1/1     Running   1 (79m ago)   14h
mysecret                    1/1     Running   0             6s
[root@node22 secret]# kubectl exec mysecret -- ls /secret
my-group
[root@node22 secret]# kubectl exec mysecret -- ls /secret/my-group
my-username
[root@node22 secret]# kubectl exec mysecret -- cat /secret/my-group/my-username
admin
 
##kubernetes.io/dockerconfigjson用于存储docker registry的认证信息
[root@node22 secret]# vim docker.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: game2048
      image: reg.westos.org/westos/game2048
  #imagePullSecrets:   不做认证
  #  - name: myregistrykey
[root@node22 secret]# kubectl apply -f docker.yaml
pod/mypod created
[root@node22 secret]# kubectl get pod  镜像拉取失败
NAME    READY   STATUS             RESTARTS   AGE
mypod   0/1     ImagePullBackOff   0          14s
[root@node22 secret]#  kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=zcx0216@westos.org
secret/myregistrykey created   做认证
[root@node22 secret]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      23h
db-user-pass          Opaque                                2      28m
default-token-pf6bb   kubernetes.io/service-account-token   3      3d21h
myregistrykey         kubernetes.io/dockerconfigjson        1      40s认证信息
mysecret              Opaque                                2      20m
tls-secret            kubernetes.io/tls                     2      23h
[root@node22 secret]# vim docker.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: game2048
      image: reg.westos.org/westos/game2048
  imagePullSecrets:
    - name: myregistrykey
[root@node22 secret]# kubectl apply -f docker.yaml
pod/mypod created
[root@node22 secret]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          6s
[root@node22 secret]# kubectl delete -f docker.yaml
pod "mypod" deleted

三、Volumes配置管理

容器中的文件在磁盘上是临时存放的，这给容器中运行的特殊应用程序带来一些问题，首先，当容器崩溃时，kubelet将重新启动容器，容器中的文件将会丢失，因为容器会以干净的状态重建；其次，当在一个Pod中同时运行多个容器时，常常需要在这些容器之间共享文件；Kubernetes抽象出 Volume对象来解决这两个问题

Kubernetes卷具有明确的生命周期，与包裹它的Pod相同；因此，卷比Pod中运行的任何容器的存活期都长，在容器重新启动时数据也会得到保留；当一个Pod不再存在时，卷也将不再存在；也许更重要的是，Kubernetes可以支持许多类型的卷，Pod也能同时使用任意数量的卷

卷不能挂载到其他卷，也不能与其他卷有硬链接；Pod中的每个容器必须独立地指定每个卷的挂载位置

Kubernetes 支持下列类型的卷：

awsElasticBlockStore 、azureDisk、azureFile、cephfs、cinder、configMap、csi、downwardAPI、emptyDir、fc (fibre channel)、flexVolume、flocker gcePersistentDisk、gitRepo(deprecated)、glusterfs、hostPath、iscsi、local、 nfs、persistentVolumeClaim、projected、portworxVolume、quobyte、rbd scaleIO、secret、storageos、vsphereVolume

1).emptyDir卷：

当Pod指定到某个节点上时，首先创建的是一个emptyDir卷，并且只要Pod在该节点上运行，卷就一直存在；就像其名称表示的那样，卷最初是空的；尽管Pod中的容器挂载emptyDir卷的路径可能相同也可能不同，但是这些容器都可以读写emptyDir卷中相同的文件；当Pod因为某些原因被从节点上删除时，emptyDir卷中的数据也会永久删除

emptyDir的使用场景：缓存空间，例如基于磁盘的归并排序；为耗时较长的计算任务提供检查点，以便任务能方便地从崩溃前状态恢复执行；在Web服务器容器服务数据时，保存内容管理器容器获取的文件

默认情况下，emptyDir卷存储在支持该节点所使用的介质上，这里的介质可以是磁盘或SSD或网络存储，这取决于您的环境；但是，您可以将emptyDir.medium字段设置为"Memory"，以告诉Kubernetes为您安装tmpfs（基于内存的文件系统）；虽然tmpfs速度非常快，但是要注意它与磁盘不同，tmpfs在节点重启时会被清除，并且您所写入的所有文件都会计入容器的内存消耗，受容器内存限制约束

[root@node22 secret]# cd
[root@node22 ~]#  mkdir volumes
[root@node22 ~]# cd volumes/
[root@node22 volumes]# vim vol1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: vol1
spec:
  containers:
  - image: busyboxplus
    name: vm1
    command: ["sleep", "300"]
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - name: vm2
    image: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      medium: Memory
      sizeLimit: 100Mi
[root@node22 volumes]# kubectl apply -f vol1.yaml
pod/vol1 created
[root@node22 volumes]# kubectl get pod
NAME   READY   STATUS    RESTARTS   AGE
vol1   2/2     Running   0          4s
[root@node22 volumes]# kubectl exec -it vol1 -c vm1 -- sh
/ # ls
bin      cache    dev      etc      home     lib      lib64    linuxrc  media    mnt      opt      proc     root     run      sbin     sys      tmp      usr      var
/ # cd cache/
/cache # ls
/cache # echo www.westos.org > index.html
/cache # curl localhost
www.westos.org
/cache # dd if=/dev/zero of=bigfile bs=1M count=100
100+0 records in
99+1 records out
/cache # dd if=/dev/zero of=bigfile bs=1M count=101
dd: writing 'bigfile': No space left on device
101+0 records in
99+1 records out
 

2).hostPath卷

hostPath卷能将主机节点文件系统上的文件或目录挂载到Pod中，虽然这不是大多数Pod需要的，但是它为一些应用程序提供了强大的逃生舱

hostPath卷的一些用法：运行一个需要访问Docker引擎内部机制的容器，挂载/var/lib/docker路径；在容器中运行cAdvisor时，以hostPath方式挂载 /sys；允许Pod指定给定的hostPath在运行Pod之前是否应该存在，是否应该创建以及应该以什么方式存在

除了必需的path属性之外，用户可以选择性地为hostPath卷指定type

hostPath卷的缺点：具有相同配置（例如从podTemplate创建）的多个Pod会由于节点上文件的不同而在不同节点上有不同的行为；当Kubernetes按照计划添加资源感知的调度时，这类调度机制将无法考虑由hostPath使用的资源；基础主机上创建的文件或目录只能由root用户写入；您需要在特权容器中以root身份运行进程，或者修改主机上的文件权限以便容器能够写入hostPath卷

[root@node22 volumes]# kubectl delete -f vol1.yaml
pod "vol1" deleted
[root@node22 volumes]# vim hostpath.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: test-container
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: DirectoryOrCreate
[root@node22 volumes]# kubectl apply -f hostpath.yaml  生效
pod/test-pd created
[root@node22 volumes]# kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
test-pd   1/1     Running   0          10s
[root@node22 volumes]# kubectl get pod -o wide  分配到了node33
NAME      READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          62s   10.244.144.90   node33   <none>           <none>
[root@node22 volumes]# curl 10.244.144.90  访问时报错，再node33主机创建首页即可解决
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.5</center>
</body>
</html>
 
[root@node33 ~]# cd /data
[root@node33 data]# ls
[root@node33 data]# pwd
/data
[root@node33 data]# echo www.westos.org > index.html
此时再次访问就没有问题
[root@node22 volumes]# curl 10.244.144.90
www.westos.org
 
如果pod被迁移到node44上：
[root@node44 ~]# mkdir /data
[root@node44 ~]# cd /data/
[root@node44 data]# ls
[root@node44 data]# echo bbs.westos.org > index.html
 
[root@node22 volumes]# kubectl delete -f hostpath.yaml
pod "test-pd" deleted
[root@node22 volumes]# vim hostpath.yaml  做迁移
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: test-container
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: DirectoryOrCreate
  nodeName: node44
[root@node22 volumes]# kubectl apply -f hostpath.yaml
pod/test-pd created
[root@node22 volumes]# kubectl get pod -o wide已经迁移到node44
NAME      READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          38s   10.244.214.130   node44   <none>           <none>
[root@node22 volumes]# curl 10.244.214.130此时访问的就是node44主机的页面
bbs.westos.org
[root@node22 volumes]# kubectl delete -f hostpath.yaml
pod "test-pd" deleted

3).nfs卷

在每个节点上安装nfs

[root@node22 volumes]#  yum install -y nfs-utils
[root@node33 data]#  yum install -y nfs-utils
[root@node44 data]#  yum install -y nfs-utils
[root@node11 harbor]# yum install -y nfs-utils  仓库上安装nfs
[root@node11 harbor]# cat /etc/exports
/nfsdata        *(rw,no_root_squash)
[root@node11 harbor]# mkdir /nfsdata
[root@node11 harbor]# cd /nfsdata/
[root@node11 nfsdata]# chmod 777 .
[root@node11 nfsdata]# ll -d .
drwxrwxrwx 2 root root 6 Aug 28 20:40 .
[root@node11 nfsdata]# systemctl start nfs
[root@node11 nfsdata]# echo www.westos.org > index.html
 
 
[root@node22 volumes]# showmount -e 192.168.0.11
Export list for 192.168.0.11:
/nfsdata *
[root@node22 volumes]# vim nfs.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: test-container
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    nfs:
      server: 192.168.0.11
      path: /nfsdata
[root@node22 volumes]# kubectl apply -f nfs.yaml
pod/test-pd created
[root@node22 volumes]# kubectl get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          20s   10.244.144.91   node33   <none>           <none>
[root@node22 volumes]# curl 10.244.144.91
www.westos.org
[root@node22 volumes]# kubectl delete -f nfs.yaml删除后迁移到
pod "test-pd" deleted
[root@node22 volumes]# vim nfs.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: test-container
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    nfs:
      server: 192.168.0.11
      path: /nfsdata
  nodeName: node44   迁移到node44
[root@node22 volumes]# kubectl apply -f nfs.yaml
pod/test-pd created
[root@node22 volumes]# kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
test-pd   1/1     Running   0          39s
[root@node22 volumes]# kubectl get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE     IP               NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          2m17s   10.244.214.131   node44   <none>           <none>
[root@node22 volumes]# curl 10.244.214.131
www.westos.org

4).持久卷PV与持久卷声明PVC

PersistentVolume是集群内，由管理员提供的网络存储的一部分，就像集群中的节点一样，PV也是集群中的一种资源，它也像Volume一样，是一种volume插件，但是它的生命周期却是和使用它的Pod相互独立的；PV这个API对象，捕获了诸如NFS、ISCSI、或其他云存储系统的实现细节

PersistentVolumeClaim是用户的一种存储请求，它和Pod类似，Pod消耗Node资源，而PVC消耗PV资源；Pod能够请求特定的资源（如CPU和内存），PVC能够请求指定的大小和访问的模式（可以被映射为一次读写或者多次只读）

有两种PV提供的方式：静态和动态

静态PV：集群管理员创建多个PV，它们携带着真实存储的详细信息，这些存储对于集群用户是可用的，它们存在于Kubernetes API中，并可用于存储使用

动态PV：当管理员创建的静态PV都不匹配用户的PVC时，集群可能会尝试专门地供给volume给PVC，这种供给基于StorageClass

PVC与PV的绑定是一对一的映射，没找到匹配的PV，那么PVC会无限期处于unbound即未绑定状态

PV使用：

Pod使用PVC就像使用volume一样；集群检查PVC，查找绑定的PV，并映射PV给Pod，对于支持多种访问模式的PV，用户可以指定想用的模式；一旦用户拥有了一个PVC，并且PVC被绑定，那么只要用户还需要，PV就一直属于这个用户；用户调度Pod，通过在Pod的volume块中包含PVC来访问PV

PV释放：

当用户使用PV完毕后，他们可以通过API来删除PVC对象，当PVC被删除后，对应的PV就被认为是已经是“released”了，但还不能再给另外一个PVC使用，前一个PVC的属于还存在于该PV中，必须根据策略来处理掉

PV回收：

PV的回收策略告诉集群，在PV被释放之后集群应该如何处理该PV；当前，PV可以被Retained（保留）、Recycled（再利用）或者Deleted（删除）；保留允许手动地再次声明资源，对于支持删除操作的PV卷，删除操作会从Kubernetes中移除PV对象，还有对应的外部存储（如AWS EBS、GCE PD、Azure Disk或者Cinder volume）；动态供给的卷总是会被删除

##创建不同容量和访问模式的两个pv

访问模式：ReadWriteOnce（RWO）==该volume只能被单个节点以读写的方式映射；ReadOnlyMany（ROX）==该volume可以被多个节点以只读方式映射；ReadWriteMany（RWX）==该volume可以被多个节点以读写的方式映射

回收策略：Retain==保留，需要手动回收；Recycle==回收，自动删除卷中数据；Delete==删除，相关联的存储资产，如AWS EBS，GCE PD，Azure Disk，or OpenStack Cinder卷都会被删除

当前只有NFS卷和HostPath卷支持回收利用，AWS EBS、GCE PD、Azure Disk、OpenStack Cinder卷支持删除操作

状态：Available==空闲的资源，未绑定给PVC；Bound==绑定给了某个PVC；Released==PVC已经删除了，但是PV还没有被集群回收；Failed==PV在自动回收中失败了

[root@node11 nfsdata]# mkdir pv1
[root@node11 nfsdata]# mkdir pv2
[root@node11 nfsdata]# mkdir pv3
 
[root@node22 volumes]# vim pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv0003
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: nfs
  mountOptions:
  nfs:
    path: /nfsdata/pv1
    server: 192.168.0.11
[root@node22 volumes]# kubectl apply -f pv.yaml
persistentvolume/pv0003 created
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Available           nfs                     7s
 
 
##创建pvc，pvc会根据文件中定义的存储类、容量需求和访问模式匹配到合适的pv进行绑定[root@node22 volumes]# vim pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc1
spec:
  storageClassName: nfs
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
[root@node22 volumes]# kubectl apply -f pvc.yaml
persistentvolumeclaim/pvc1 created
[root@node22 volumes]# kubectl get pvc
NAME   STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pvc1   Bound    pv0003   5Gi        RWO            nfs            25s
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM          STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Bound    default/pvc1   nfs                     3m41s
 
##pod中挂载pv
[root@node22 volumes]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: vol1
  volumes:
  - name: vol1
    persistentVolumeClaim:
      claimName: pvc1
[root@node22 volumes]# kubectl delete pod test-pd
pod "test-pd" deleted
[root@node22 volumes]# kubectl apply -f pod.yaml
pod/test-pd created
 
[root@node11 nfsdata]# cd pv1
[root@node11 pv1]# echo pv1 > index.html
 
[root@node22 volumes]# kubectl get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE     IP              NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          2m37s   10.244.144.92   node33   <none>           <none>
[root@node22 volumes]# curl 10.244.144.92
pv1
 
创建pv2,pv3
[root@node22 volumes]# vim pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv0003
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: nfs
  mountOptions:
  nfs:
    path: /nfsdata/pv1
    server: 192.168.0.11
 
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv2
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: nfs
  mountOptions:
  nfs:
    path: /nfsdata/pv2
    server: 192.168.0.11
 
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv3
spec:
  capacity:
    storage: 20Gi
  volumeMode: Filesystem
  accessModes:
    - ReadOnlyMany
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: nfs
  mountOptions:
  nfs:
    path: /nfsdata/pv3
    server: 192.168.0.11
[root@node22 volumes]# kubectl apply -f pv.yaml
persistentvolume/pv0003 configured
persistentvolume/pv2 created
persistentvolume/pv3 created
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM          STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Bound       default/pvc1   nfs                     15m
pv2      10Gi       RWX            Recycle          Available                  nfs                     12s
pv3      20Gi       ROX            Recycle          Available                  nfs                     12s
 
创建pvc2,pvc3
[root@node22 volumes]# vim pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc1
spec:
  storageClassName: nfs
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc2
spec:
  storageClassName: nfs
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
 
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc3
spec:
  storageClassName: nfs
  accessModes:
    - ReadOnlyMany
  resources:
    requests:
      storage: 20Gi
[root@node22 volumes]# kubectl apply -f pvc.yaml
persistentvolumeclaim/pvc1 unchanged
persistentvolumeclaim/pvc2 created
persistentvolumeclaim/pvc3 created
[root@node22 volumes]# kubectl get pvc
NAME   STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pvc1   Bound    pv0003   5Gi        RWO            nfs            14m
pvc2   Bound    pv2      10Gi       RWX            nfs            6s
pvc3   Bound    pv3      20Gi       ROX            nfs            6s
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM          STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Bound    default/pvc1   nfs                     18m
pv2      10Gi       RWX            Recycle          Bound    default/pvc2   nfs                     3m7s
pv3      20Gi       ROX            Recycle          Bound    default/pvc3   nfs                     3m7s
 
创建test-pd-2 
[root@node22 volumes]# cp pod.yaml pod2.yaml
[root@node22 volumes]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd-2
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: vol2
  volumes:
  - name: vol2
    persistentVolumeClaim:
      claimName: pvc2
[root@node22 volumes]# kubectl apply -f pod2.yaml
pod/test-pd-2 created
[root@node22 volumes]# kubectl get pod
NAME        READY   STATUS    RESTARTS   AGE
test-pd     1/1     Running   0          11m
test-pd-2   1/1     Running   0          15s
[root@node22 volumes]# kubectl get pod -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
test-pd     1/1     Running   0          12m   10.244.144.92   node33   <none>           <none>
test-pd-2   1/1     Running   0          93s   10.244.144.93   node33   <none>           <none>
[root@node11 pv1]# cd ..
[root@node11 nfsdata]# cd pv2
[root@node11 pv2]# echo pv2 > index.html
[root@node22 volumes]# curl 10.244.144.93
pv2
[root@node22 volumes]# curl 10.244.144.92
pv1
 
删除：（pod被迁移到其他节点的时候，再次挂接pvc）
[root@node22 volumes]# kubectl delete -f pod2.yaml
pod "test-pd-2" deleted
[root@node22 volumes]# kubectl delete -f pod.yaml
pod "test-pd" deleted
[root@node22 volumes]# kubectl get pvc
NAME   STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pvc1   Bound    pv0003   5Gi        RWO            nfs            25m
pvc2   Bound    pv2      10Gi       RWX            nfs            11m
pvc3   Bound    pv3      20Gi       ROX            nfs            11m
 
##删除pvc，先前被绑定的pv的状态由bound->released->available；挂载卷中数据被删除（recycle的回收策略）
[root@node22 volumes]# kubectl delete -f pvc.yaml
persistentvolumeclaim "pvc1" deleted
persistentvolumeclaim "pvc2" deleted
persistentvolumeclaim "pvc3" deleted
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Available           nfs                     31m
pv2      10Gi       RWX            Recycle          Available           nfs                     16m
pv3      20Gi       ROX            Recycle          Available           nfs                     16m
[root@node22 volumes]# kubectl get pod
NAME                  READY   STATUS      RESTARTS   AGE
recycler-for-pv0003   0/1     Completed   0          89s
[root@node22 volumes]# kubectl delete pod recycler-for-pv0003
pod "recycler-for-pv0003" deleted
[root@node22 volumes]# kubectl get pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   REASON   AGE
pv0003   5Gi        RWO            Recycle          Available           nfs                     33m
pv2      10Gi       RWX            Recycle          Available           nfs                     18m
pv3      20Gi       ROX            Recycle          Available           nfs                     18m
[root@node22 volumes]# kubectl delete -f pv.yaml
persistentvolume "pv0003" deleted
persistentvolume "pv2" deleted
persistentvolume "pv3" deleted
[root@node22 volumes]# kubectl get pv
No resources found

5).StorageClass提供了一种描述存储类（class）的方法，不同的class可能会映射到不同的服务质量等级和备份策略或其他策略等；每个StorageClass都包含provisioner、parameters和reclaimPolicy字段， 这些字段会在StorageClass需要动态分配PersistentVolume时会使用到

StorageClass的属性：

Provisioner（存储分配器）：用来决定使用哪个卷插件分配PV，该字段必须指定，可以指定内部分配器，也可以指定外部分配器；外部分配器的代码地址为： kubernetes-incubator/external-storage，其中包括NFS和Ceph等

Reclaim Policy（回收策略）：通过reclaimPolicy字段指定创建的PersistentVolume的回收策略，回收策略包括：Delete或者Retain，没有指定默认为Delete

更多属性查看:https://kubernetes.io/zh/docs/concepts/storage/storage-classes/

NFS Client Provisioner是一个automatic provisioner，使用NFS作为存储，自动创建PV和对应的PVC，其本身不提供NFS存储，需要外部先有一套NFS存储服务

PV以 ${namespace}-${pvcName}-${pvName} 的命名格式提供（在NFS服务器上）；PV回收的时候以 archieved-${namespace}-${pvcName}-${pvName} 的命名格式（在NFS服务器上）；nfs-client-provisioner源码地址：external-storage/nfs-client at master · kubernetes-retired/external-storage · GitHub

##配置授权，编写yaml文件并应用，创建yaml文件中指定的namespace
[root@node22 ~]# mkdir nfs
[root@node22 ~]# cd nfs
[root@node22 nfs]# vim delpoyment.yaml
[root@node22 nfs]# kubectl create namespace nfs-client-provisioner
namespace/nfs-client-provisioner created
[root@node22 nfs]# vim delpoyment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-client-provisioner
  labels:
    app: nfs-client-provisioner
  namespace: nfs-client-provisioner
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-provisioner
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          image: sig-storage/nfs-subdir-external-provisioner:v4.0.2
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: k8s-sigs.io/nfs-subdir-external-provisioner
            - name: NFS_SERVER
              value: 192.168.0.11
            - name: NFS_PATH
              value: /nfsdata
      volumes:
        - name: nfs-client-root
          nfs:
            server: 192.168.0.11
            path: /nfsdata
[root@node22 nfs]# vim rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs-client-provisioner
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: nfs-client-provisioner
roleRef:
  kind: ClusterRole
  name: nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs-client-provisioner
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: nfs-client-provisioner
roleRef:
  kind: Role
  name: leader-locking-nfs-client-provisioner
  apiGroup: rbac.authorization.k8s.io
[root@node22 nfs]# kubectl apply -f rbac.yaml
serviceaccount/nfs-client-provisioner created
clusterrole.rbac.authorization.k8s.io/nfs-client-provisioner-runner created
clusterrolebinding.rbac.authorization.k8s.io/run-nfs-client-provisioner created
role.rbac.authorization.k8s.io/leader-locking-nfs-client-provisioner created
rolebinding.rbac.authorization.k8s.io/leader-locking-nfs-client-provisioner created
[root@node22 nfs]# kubectl apply -f delpoyment.yaml
deployment.apps/nfs-client-provisioner created
[root@node22 nfs]# kubectl -n nfs-client-provisioner get all
NAME                                        READY   STATUS    RESTARTS   AGE
pod/nfs-client-provisioner-784f85c9-mz5nx   1/1     Running   0          23s
 
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nfs-client-provisioner   1/1     1            1           23s
 
NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/nfs-client-provisioner-784f85c9   1         1         1       23s
 
##部署NFS Client Provisioner
[root@node22 nfs]# vim class.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner
parameters:
  archiveOnDelete: "false"
[root@node22 nfs]# kubectl apply -f class.yaml
storageclass.storage.k8s.io/managed-nfs-storage created
[root@node22 nfs]# kubectl get storageclasses.storage.k8s.io
NAME                  PROVISIONER                                   RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
managed-nfs-storage   k8s-sigs.io/nfs-subdir-external-provisioner   Delete          Immediate           false                  21s
 
##创建NFS存储类
[root@node22 nfs]# vim pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: test-claim
spec:
  storageClassName: managed-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
[root@node22 nfs]# kubectl apply -f pvc.yaml
persistentvolumeclaim/test-claim created
[root@node22 nfs]# kubectl get pvc
NAME         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS          AGE
test-claim   Bound    pvc-9506279b-4c3c-43eb-bebe-7cd89e6062d3   1Gi        RWX            managed-nfs-storage   3s
[root@node22 nfs]# kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS          REASON   AGE
pvc-9506279b-4c3c-43eb-bebe-7cd89e6062d3   1Gi        RWX            Delete           Bound    default/test-claim   managed-nfs-storage            42s
[root@node22 nfs]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: nfs-pvc
  volumes:
  - name: nfs-pvc
    persistentVolumeClaim:
      claimName: test-claim
[root@node22 nfs]# kubectl apply -f pod.yaml
pod/test-pd created
[root@node22 nfs]# kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
test-pd   1/1     Running   0          8s
[root@node22 nfs]# kubectl get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
test-pd   1/1     Running   0          30s   10.244.144.99   node33   <none>           <none>
[root@node22 nfs]# curl 10.244.144.99
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.5</center>
</body>
</html>
 
[root@node11 nfsdata]# cd default-test-claim-pvc-9506279b-4c3c-43eb-bebe-7cd89e6062d3  
[root@node11 default-test-claim-pvc-9506279b-4c3c-43eb-bebe-7cd89e6062d3]# ls
[root@node11 default-test-claim-pvc-9506279b-4c3c-43eb-bebe-7cd89e6062d3]# echo test-claim > index.html
 
[root@node22 nfs]# curl 10.244.144.99
test-claim
[root@node22 nfs]# kubectl delete -f pod.yaml
pod "test-pd" deleted
[root@node22 nfs]# kubectl delete -f pvc.yaml
persistentvolumeclaim "test-claim" deleted
[root@node22 nfs]# kubectl get pv
No resources found
##删除上述pvc时，共享目录下自动创建的pv卷也被删除（因为class.yml文件中设定archiveOnDelete=false）

6).StatefulSet控制器

StatefulSet是用来管理有状态应用的工作负载API对象

StatefulSet用来管理Deployment和扩展一组Pod，并且能为这些Pod提供序号和唯一性保证

和Deployment相同的是，StatefulSet管理了基于相同容器定义的一组Pod，但和Deployment不同的是，StatefulSet为它们的每个Pod维护了一个固定的ID；这些Pod是基于相同的声明来创建的，但是不能相互替换：无论怎么调度，每个Pod都有一个永久不变的ID

StatefulSet和其他控制器使用相同的工作模式，在StatefulSet对象中定义你期望的状态，然后StatefulSet的控制器就会通过各种更新来达到那种你想要的状态

StatefulSets对于需要满足以下一个或多个需求的应用程序很有价值：