无法在kubernetes pod中挂载只读卷(在AWS EKS中使用EFS CSI驱动程序)

Question

我安装了EFS CI驱动程序并让他们的静态供给示例工作起来:我能够启动一个附加到EFS卷上的文件的结束符。我可以删除吊舱并启动另一个文件来检查该文件，并确认由第一个pod编写的数据仍然在那里。但我实际上需要做的是挂载卷只读，而我没有运气。

注意，在成功运行该示例之后，我启动了一个EC2实例，并在其中挂载了EFS文件系统，然后添加了我的荚以只读方式访问的数据。然后卸载EFS文件系统并终止实例。

使用下面的配置(基于上面引用的静态配置示例)，我的pod不会启动Running；它将保留在ContainerCreating中。

存储类：

$ kubectl get sc efs-sc -o yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"efs-sc"},"provisioner":"efs.csi.aws.com"}
  creationTimestamp: "2020-01-12T05:36:13Z"
  name: efs-sc
  resourceVersion: "809880"
  selfLink: /apis/storage.k8s.io/v1/storageclasses/efs-sc
  uid: 71ecce62-34fd-11ea-8a5f-124f4ee64e8d
provisioner: efs.csi.aws.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

持久性卷(这是集群中使用EFS存储类的唯一PV )：

$ kubectl get pv efs-pv-ro -o yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"PersistentVolume","metadata":{"annotations":{},"name":"efs-pv-ro"},"spec":{"accessModes":["ReadOnlyMany"],"capacity":{"storage":"5Gi"},"csi":{"driver":"efs.csi.aws.com","volumeHandle":"fs-26120da7"},"persistentVolumeReclaimPolicy":"Retain","storageClassName":"efs-sc","volumeMode":"Filesystem"}}
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: "2020-01-12T05:36:59Z"
  finalizers:
  - kubernetes.io/pv-protection
  name: efs-pv-ro
  resourceVersion: "810231"
  selfLink: /api/v1/persistentvolumes/efs-pv-ro
  uid: 8d54a80e-34fd-11ea-8a5f-124f4ee64e8d
spec:
  accessModes:
  - ReadOnlyMany
  capacity:
    storage: 5Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: efs-claim-ro
    namespace: default
    resourceVersion: "810229"
    uid: e0498cae-34fd-11ea-8a5f-124f4ee64e8d
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-26120da7
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  volumeMode: Filesystem
status:
  phase: Bound

持久性卷声明(这是集群中试图使用EFS存储类的唯一PVC：

$ kubectl get pvc efs-claim-ro -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"PersistentVolumeClaim","metadata":{"annotations":{},"name":"efs-claim-ro","namespace":"default"},"spec":{"accessModes":["ReadOnlyMany"],"resources":{"requests":{"storage":"5Gi"}},"storageClassName":"efs-sc"}}
    pv.kubernetes.io/bind-completed: "yes"
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: "2020-01-12T05:39:18Z"
  finalizers:
  - kubernetes.io/pvc-protection
  name: efs-claim-ro
  namespace: default
  resourceVersion: "810234"
  selfLink: /api/v1/namespaces/default/persistentvolumeclaims/efs-claim-ro
  uid: e0498cae-34fd-11ea-8a5f-124f4ee64e8d
spec:
  accessModes:
  - ReadOnlyMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: efs-sc
  volumeMode: Filesystem
  volumeName: efs-pv-ro
status:
  accessModes:
  - ReadOnlyMany
  capacity:
    storage: 5Gi
  phase: Bound

这是Pod。它保留在ContainerCreating中，不切换到Running

$ kubectl get pod efs-app -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"efs-app","namespace":"default"},"spec":{"containers":[{"args":["infinity"],"command":["sleep"],"image":"centos","name":"app","volumeMounts":[{"mountPath":"/data","name":"persistent-storage","subPath":"mmad"}]}],"volumes":[{"name":"persistent-storage","persistentVolumeClaim":{"claimName":"efs-claim-ro"}}]}}
    kubernetes.io/psp: eks.privileged
  creationTimestamp: "2020-01-12T06:07:08Z"
  name: efs-app
  namespace: default
  resourceVersion: "813420"
  selfLink: /api/v1/namespaces/default/pods/efs-app
  uid: c3b8421b-3501-11ea-b164-0a9483e894ed
spec:
  containers:
  - args:
    - infinity
    command:
    - sleep
    image: centos
    imagePullPolicy: Always
    name: app
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /data
      name: persistent-storage
      subPath: mmad
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-z97dh
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: ip-192-168-254-51.ec2.internal
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: persistent-storage
    persistentVolumeClaim:
      claimName: efs-claim-ro
  - name: default-token-z97dh
    secret:
      defaultMode: 420
      secretName: default-token-z97dh
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2020-01-12T06:07:08Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2020-01-12T06:07:08Z"
    message: 'containers with unready status: [app]'
    reason: ContainersNotReady
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2020-01-12T06:07:08Z"
    message: 'containers with unready status: [app]'
    reason: ContainersNotReady
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2020-01-12T06:07:08Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - image: centos
    imageID: ""
    lastState: {}
    name: app
    ready: false
    restartCount: 0
    state:
      waiting:
        reason: ContainerCreating
  hostIP: 192.168.254.51
  phase: Pending
  qosClass: BestEffort
  startTime: "2020-01-12T06:07:08Z"

我不确定subPath是否会使用此配置，但是无论subPath是否在Pod配置中，都会发生同样的问题。

问题似乎确实与音量有关。如果我注释掉volumes和volumeMounts部分，pod就会运行。

似乎PVC与正确的PV绑定，但吊舱没有启动。我在上面的输出中没有看到任何线索，但也许我遗漏了什么？

Kubernetes版本：

Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"211047e9a1922595eaa3a1127ed365e9299a6c23", GitTreeState:"clean", BuildDate:"2019-10-15T12:11:03Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.9-eks-c0eccc", GitCommit:"c0eccca51d7500bb03b2f163dd8d534ffeb2f7a2", GitTreeState:"clean", BuildDate:"2019-12-22T23:14:11Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

驱动程序版本: v.0.2.0。

Answer 1

注意，其中一个要求是在1.13.4+版本中安装Golang，但是您有go1.12.12。所以你必须更新它。如果要从Go的旧版本升级，则必须首先删除现有版本。看看这里：升级换代。

这个驱动程序在Kubernetes版本1.14以及更高版本的Amazon集群和工作节点上得到了支持。Amazon驱动程序的Alpha特性在Amazon集群上不受支持。无法在kubernetes pod中挂载只读卷(在AWS EKS中使用EFS CSI驱动程序)。尝试将访问模式更改为：

accessModes:
 - ReadWriteMany

您可以在这里找到更多信息：efs-csi-驱动程序。

确保在创建EFS文件系统时，可以从Kuberenetes集群访问该文件系统。这可以通过在与Kubernetes集群相同的VPC中创建文件系统或使用VPC对等来实现。

静态配置- EFS文件系统首先需要手动创建，然后可以使用驱动程序作为持久卷(PV)安装在容器中。挂载选项-可以在持久性卷(PV)中指定安装选项，以定义如何安装卷。除了常规的挂载选项之外，还可以指定tls作为挂载选项，以启用EFS文件系统传输过程中的加密。

因为Amazon是一个弹性文件系统，所以它不强制执行任何文件系统容量限制。在创建文件系统时，不使用持久性卷和持久卷声明中的实际存储容量值。但是，由于在Kubernetes中存储容量是必需的字段，所以必须指定一个有效值，例如本例中的5Gi。此值不限制Amazon文件系统的大小。