Assume we already have an external NFS server set up. According to the official documentation, we first need to deploy:
- nfs-client-provisioner
- nfs-client rbac
- storageclass
nfs-client-provisioner is a simple external NFS provisioner for Kubernetes. It does not provide NFS itself; it needs an existing NFS server to supply the storage.
nfs-client-rbac.yaml:
```yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: nfs-client-provisioner
  namespace: ecloudcaas-dev
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client-provisioner-runner
  namespace: ecloudcaas-dev
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client-provisioner
  namespace: ecloudcaas-dev
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    namespace: ecloudcaas-dev
roleRef:
  kind: ClusterRole
  name: nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  namespace: ecloudcaas-dev
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  namespace: ecloudcaas-dev
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: ecloudcaas-dev
roleRef:
  kind: Role
  name: leader-locking-nfs-client-provisioner
  apiGroup: rbac.authorization.k8s.io
```
nfs-client-provisioner.yaml:
```yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: nfs-client-provisioner
  namespace: ecloudcaas-dev
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      # securityContext:
      #   privileged: true
      containers:
        - name: nfs-client-provisioner
          image: ocp311-registry:5000/external_storage/nfs-client-provisioner:latest
          securityContext:
            privileged: true
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: fuseim.pri/ifs
            - name: NFS_SERVER
              value: 172.18.144.193
            - name: NFS_PATH
              value: /home/exports/pv0001
      volumes:
        - name: nfs-client-root
          nfs:
            server: 172.18.144.193
            path: /home/exports/pv0001
```
Two things need to be changed here:
- server: change it to the address of your own NFS server
- path: check the export on your own NFS server (cat /etc/exports)
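As an added example (not part of the original post), the script below performs the two checks a practitioner wants before applying the manifest: that the path you chose really is exported according to the server's /etc/exports, and that the NFS_SERVER/NFS_PATH environment variables agree with the server/path in the nfs volume block, since the same server and path are written twice in the Deployment and it is easy to update only one of them. The /etc/exports content and the manifest excerpt are constructed samples that mirror the values used above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: validate the NFS values in
# nfs-client-provisioner.yaml. The /etc/exports content and the manifest
# excerpt below are constructed samples.

# Print every exported directory from an /etc/exports file ($1), ignoring comments.
exports_paths() {
    sed -e 's/#.*//' "$1" | awk 'NF > 0 { print $1 }'
}

# Return 0 if directory $2 is exported according to file $1, else 1.
export_exists() {
    exports_paths "$1" | grep -qx -- "$2"
}

# Value of env var $2 in manifest $1 (the "value:" line after "- name: $2").
manifest_env() {
    awk -v key="$2" '$1 == "-" && $2 == "name:" && $3 == key { getline; print $2; exit }' "$1"
}

# Field $2 ("server" or "path") of the first nfs: volume in manifest $1.
manifest_nfs_volume() {
    awk -v key="$2:" '$1 == "nfs:" { invol = 1; next } invol && $1 == key { print $2; exit }' "$1"
}

# Return 0 when the env vars and the volume block point at the same server and path.
manifest_consistent() {
    [ "$(manifest_env "$1" NFS_SERVER)" = "$(manifest_nfs_volume "$1" server)" ] &&
        [ "$(manifest_env "$1" NFS_PATH)" = "$(manifest_nfs_volume "$1" path)" ]
}

# Both checks together: $1 = manifest file, $2 = copy of the server's /etc/exports.
check_manifest() {
    manifest_consistent "$1" || { echo "env and volume settings disagree"; return 1; }
    export_exists "$2" "$(manifest_env "$1" NFS_PATH)" ||
        { echo "NFS_PATH is not listed in /etc/exports"; return 1; }
    echo "manifest OK: $(manifest_env "$1" NFS_SERVER):$(manifest_env "$1" NFS_PATH)"
}

# Constructed /etc/exports as it might look on the NFS server
SAMPLE_EXPORTS=$(mktemp)
cat >"$SAMPLE_EXPORTS" <<'EOF'
# exports for the OpenShift cluster
/home/exports/pv0001 172.18.144.0/24(rw,sync,no_root_squash)
/home/exports/pv0002 *(ro)
EOF

# Constructed excerpt of the provisioner pod spec (same shape as the Deployment above)
SAMPLE_MANIFEST=$(mktemp)
cat >"$SAMPLE_MANIFEST" <<'EOF'
      env:
        - name: PROVISIONER_NAME
          value: fuseim.pri/ifs
        - name: NFS_SERVER
          value: 172.18.144.193
        - name: NFS_PATH
          value: /home/exports/pv0001
      volumes:
        - name: nfs-client-root
          nfs:
            server: 172.18.144.193
            path: /home/exports/pv0001
EOF

check_manifest "$SAMPLE_MANIFEST" "$SAMPLE_EXPORTS"
```

On a real deployment, replace the constructed samples with the actual manifest and a copy of the server's /etc/exports (or the output of `showmount -e <server>`); the awk-based extraction only understands the flat `- name:` / `value:` layout shown in the Deployment, so it is a sanity check, not a YAML parser.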
nfs-storageclass.yaml:
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: default-nfs
provisioner: fuseim.pri/ifs
```
Note
While working through this, I hit a thorny problem: the pod stayed Pending and the PVC was never bound. That should not happen; isn't it supposed to bind automatically?
I quickly ran oc get events to take a look:
Error creating: pods "nfs-client-provisioner-5cf596db9d-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]
A quick search shows everyone saying the SCC is the culprit, e.g. https://github.com/kubernetes-incubator/external-storage/issues/1145
oc adm policy add-scc-to-user privileged system:serviceaccount:ecloudcaas-dev:nfs-client-provisioner
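As an added example (not part of the original post), the script below triages this class of event: it pulls the rejected volume type out of the "unable to validate against any security context constraint" message, builds the exact add-scc-to-user command for the service account the Deployment runs as, and provides two live lookups (which SCCs already allow that volume type, and who is already in the `privileged` SCC) so you can see what the grant changes before running it. The event text is a constructed copy of the message quoted above; the namespace and service account are the ones used in the manifests, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: triage an SCC volume denial
# event and derive the matching oc command. The event text below is constructed
# from the message quoted in the post.

# Extract the volume type an SCC rejected from an event message on stdin.
# Prints e.g. "nfs"; returns 1 if the message is not an SCC volume denial.
scc_denied_volume() {
    denied=$(sed -n 's/.*Invalid value: "\([^"]*\)": [^ ]* volumes are not allowed to be used.*/\1/p')
    [ -n "$denied" ] && printf '%s\n' "$denied"
}

# The grant command: $1 = namespace, $2 = service account, $3 = SCC name.
# Assumes $2 is the serviceAccountName the Deployment's pod template uses.
scc_grant_command() {
    printf 'oc adm policy add-scc-to-user %s system:serviceaccount:%s:%s\n' "$3" "$1" "$2"
}

# Live lookups (need cluster access; not exercised offline):
# SCCs whose allowed volume list contains $1 or the wildcard "*".
sccs_allowing_volume() {
    oc get scc -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.volumes}{"\n"}{end}' \
        | awk -v vol="$1" 'index($0, vol) || index($0, "*") { print $1 }'
}
# Users (service accounts) already bound directly to the privileged SCC.
privileged_scc_users() {
    oc get scc privileged -o jsonpath='{.users}'
}

# Constructed event text matching the message shown by `oc get events`
SAMPLE_EVENT='Error creating: pods "nfs-client-provisioner-5cf596db9d-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]'

if vol=$(printf '%s\n' "$SAMPLE_EVENT" | scc_denied_volume); then
    echo "SCC rejected volume type: $vol"
    echo "fix for this Deployment's service account:"
    scc_grant_command ecloudcaas-dev nfs-client-provisioner privileged
fi
```

Two points worth keeping in mind when applying the fix: the `privileged` SCC grants far more than the `nfs` volume type (host access, any UID, privileged containers), and the Deployment above also sets `privileged: true` on the container, which is what forces a privileged-capable SCC. If the provisioner runs fine without that container flag, a custom SCC that only adds `nfs` to the allowed volume types is a much narrower grant for this service account than membership in `privileged`.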
That's it.