Is there a way to mount a Kerberos-authenticated NFS server inside a Kubernetes pod as the user who created the pod?

We use FreeIPA for user management, and we have a Kubernetes cluster set up to train our deep learning models. Our data lives on NFS, which uses Kerberos for authentication. This is what we are trying to achieve:
Best answer

This is how I did it.

For my approach, you need:
```dockerfile
FROM centos:centos7

# install the kerberos client tools
RUN yum install -y krb5-workstation && \
    mkdir /krb5 && chmod 755 /krb5

# add resources, the kinit script and the default krb5 configuration
ADD entrypoint.sh /entrypoint.sh
# the path here must match the file added above (the ENTRYPOINT runs /entrypoint.sh)
RUN chmod +x /entrypoint.sh

# Little trick here that will allow my container to remove
# the vault secrets without root
# (a setuid rm lets any process in this container delete files it does not own)
RUN chmod u+s /usr/bin/rm

ENTRYPOINT ["/entrypoint.sh"]
```
This is the entrypoint script that manages the keytab file in /vault/secrets:
```bash
#!/bin/bash

# Default value for renewing the TGT ticket
KERBEROS_RENEWAL_TIME=86400 # One day

# Move the keytab into keytabfile
# (the injected secret is rendered as "<key> <base64 keytab>", so take the second field and decode it)
echo "Generating keytab file"
cat /vault/secrets/${USERNAME}.keytab | cut -d' ' -f2 | base64 -d > /etc/${USERNAME}.keytab

# Get the TGT
echo "Loading keytab"
kinit -kt /etc/${USERNAME}.keytab ${USERNAME}@${REALM}

# Remove secrets for security reasons
rm -rf /vault/secrets/*
rm -rf /etc/${USERNAME}.keytab
echo "Secrets removed from tmpfs"

# Renew the TGT for as long as the sidecar lives
while :;
do
    kinit -R
    sleep ${KERBEROS_RENEWAL_TIME}
done
```
Of course, you need to create PersistentVolumes and PersistentVolumeClaims for the deployment.

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-vol              # PV names must be lowercase DNS subdomain names
spec:
  capacity:
    storage: 3Gi             # a PV requires a capacity; sized to match the claim
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: manual   # must equal the PVC's storageClassName or the claim never binds
  mountOptions:
    - sec=krb5               # Kerberos-authenticated NFS mount
  nfs:
    path: /exports
    server: nfs.server.test
```
Persistent volume claim:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-vol              # the deployment's claimName refers to this name
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 3Gi
```
Finally, the deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-user
spec:
  selector:
    matchLabels:
      test: test
  template:
    metadata:
      labels:
        test: test
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-inject-secret-userKeytab: 'user/keytabs/user'
        # write the secret as /vault/secrets/user.keytab, the path entrypoint.sh reads
        vault.hashicorp.com/agent-inject-file-userKeytab: 'user.keytab'
        vault.hashicorp.com/role: 'nfs'
        vault.hashicorp.com/ca-cert: 'certs/ca.crt'
        vault.hashicorp.com/tls-secret: 'tls-ca'
        vault.hashicorp.com/agent-pre-populate-only: "true"
    spec:
      securityContext:
        # Here we defined the user uid, this user must be present in the NFS server
        runAsUser: 2500
        runAsGroup: 2500
      # This may be needed or not depending on your DNS setup
      hostAliases:
        - ip: "192.168.111.130"
          hostnames:
            - "IPA"
            - "IPA.server"
        - ip: "192.168.111.131"
          hostnames:
            - "nfs"
            - "nfs.server"
      restartPolicy: Always
      volumes:
        - name: nfs-user
          persistentVolumeClaim:
            claimName: nfs-vol
        - name: krb5
          configMap:
            name: keos-kerberos-config
        - name: kcmsocket
          hostPath:
            path: /var/run/.heim_org.h5l.kcm-socket
            type: Socket   # the KCM endpoint is a UNIX socket; type File fails the kubelet check
      containers:
        # Sidecar: obtains and renews the TGT in the shared KCM credential cache
        - name: krb5-sidecar
          image: krb5-sidecar:0.1.0
          env:
            - name: KRB5CCNAME
              value: "KCM:"
            - name: USERNAME
              value: user
            - name: REALM
              value: server   # Kerberos realm names are case-sensitive and conventionally uppercase
          volumeMounts:
            - name: krb5
              mountPath: "/etc/krb5.conf"
              subPath: "krb5.conf"
            - name: kcmsocket
              mountPath: "/var/run/.heim_org.h5l.kcm-socket"
          lifecycle:
            preStop:
              exec:
                command: ["/usr/bin/kdestroy"]
        # Workload container: uses the same credential cache to access the NFS mount
        - name: mount-nfs-container
          image: nfs-centos:0.2.0
          env:
            - name: KRB5CCNAME
              value: "KCM:"
          volumeMounts:
            - name: nfs-user
              mountPath: "/nfs"
            - name: krb5
              mountPath: "/etc/krb5.conf"
              subPath: "krb5.conf"
            - name: kcmsocket
              mountPath: "/var/run/.heim_org.h5l.kcm-socket"
```
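The answer's renewal loop runs `kinit -R` every day without checking whether the renewal succeeded, and once the ticket's renewable lifetime set by the KDC runs out, `kinit -R` fails and the NFS mount silently loses access (the keytab has already been deleted, so only a new pod can recover). The check below is an added example, not code from the answer: it parses `klist` output and classifies the TGT so the sidecar (or a liveness probe) can tell "ok", "renew now", "unrenewable" and "expired" apart. The date layout `MM/DD/YYYY HH:MM:SS`, the regexes, the function names and the constructed `klist` samples are all assumptions; real `klist` output depends on the container's locale.

```python
"""Classify the Kerberos TGT in the sidecar's credential cache from `klist` output."""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Assumed timestamp layout (matches the constructed samples below, not every locale)
DATE_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# A TGT line: "<valid starting>  <expires>  krbtgt/REALM@REALM", optionally followed
# by an indented "renew until <timestamp>" line.
TGT_RE = re.compile(rf"^(?P<start>{_TS})\s+(?P<expires>{_TS})\s+(?P<service>krbtgt/\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until (?P<until>{_TS})")

# Constructed sample: a fresh 24h ticket renewable for a week
SAMPLE_KLIST = """\
Ticket cache: KCM:2500
Default principal: user@SERVER.TEST

Valid starting       Expires              Service principal
11/02/2020 10:00:00  11/03/2020 10:00:00  krbtgt/SERVER.TEST@SERVER.TEST
        renew until 11/09/2020 10:00:00
"""

# Constructed sample: the same ticket after several renewals, near the end of its renewable life
SAMPLE_KLIST_LATE = """\
Ticket cache: KCM:2500
Default principal: user@SERVER.TEST

Valid starting       Expires              Service principal
11/08/2020 08:00:00  11/09/2020 08:00:00  krbtgt/SERVER.TEST@SERVER.TEST
        renew until 11/09/2020 10:00:00
"""


def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt entry, or None if there is no TGT.

    renew_until is None when the ticket is not renewable at all.
    """
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = TGT_RE.match(line.strip())
        if not m:
            continue
        expires = datetime.strptime(m.group("expires"), DATE_FMT)
        renew_until = None
        if i + 1 < len(lines):
            r = RENEW_RE.match(lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group("until"), DATE_FMT)
        return expires, renew_until
    return None


def tgt_state(klist_text, now, interval_seconds):
    """Classify the TGT relative to the next pass of a renewal loop that sleeps interval_seconds.

    "ok"          : the ticket outlives the next pass, nothing to do
    "renew"       : it expires before the next pass but `kinit -R` can carry it past it
    "unrenewable" : it expires before the next pass and renewal cannot reach that far
    "expired"     : already expired
    "missing"     : no TGT in the cache at all
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    parsed = parse_tgt(klist_text)
    if parsed is None:
        return "missing"
    expires, renew_until = parsed
    if expires <= now:
        return "expired"
    next_check = now + timedelta(seconds=interval_seconds)
    if expires > next_check:
        return "ok"
    if renew_until is not None and renew_until > next_check:
        return "renew"
    return "unrenewable"


def main():
    # Run the real klist against KRB5CCNAME; a non-zero exit means an empty or unusable cache
    proc = subprocess.run(["klist"], capture_output=True, text=True)
    text = proc.stdout if proc.returncode == 0 else ""
    state = tgt_state(text, datetime.now(), 86400)
    print(state)
    # Non-zero exit for anything a renewal cannot fix, so a liveness probe can flag the pod
    sys.exit(0 if state in ("ok", "renew") else 1)


if __name__ == "__main__":
    main()
```

Note that with the answer's defaults (a 24h ticket lifetime and a 24h sleep) the ticket expires at roughly the moment of the next `kinit -R`, so in practice the renewal interval should be well under the ticket lifetime; the classification above makes that margin explicit rather than relying on timing.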
Regarding "kubernetes - How to mount Kerberised NFS on kubernetes?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64574328/