有没有办法以创建 pod 的用户身份在 Kubernetes pod 中挂载经过 Kerberos 身份验证的 NFS 服务器?
我们使用 FreeIPA 进行用户管理,并且我们有一个 Kubernetes 集群设置来训练我们的深度学习模型。我们将数据保存在 NFS 上,该 NFS 使用 Kerberos 进行身份验证。以下是我们正在努力实现的目标:
我们正在为 kubernetes 使用 GKE,我们的 NFS 在同一个 VPC 中。
【问题讨论】:
标签: kubernetes authorization kerberos nfs
我就是这样做的。
对于我的方法,您需要:
采用这种方法的原因是:
考虑到所有这些,您首先为 krb5-sidecar 写下您的 Dockerfile。 命令:[“/bin/sh”] 参数:[“-c”,“/usr/bin/sleep 3600000”]
FROM centos:centos7
# install the kerberos client tools
RUN yum install -y krb5-workstation && \
mkdir /krb5 && chmod 755 /krb5
# add resources, the kinit script and the default krb5 configuration
ADD entrypoint.sh /entrypoint.sh
RUN chmod +x /krb-sidecar-entrypoint.sh
# Little trick here that will allow my container to remove
# the vault secrets without root
RUN chmod u+s /usr/bin/rm
ENTRYPOINT ["/entrypoint.sh"]
这是管理的入口点脚本
/vault/secrets 文件中删除
# Default value for renewing the TGT ticket
KERBEROS_RENEWAL_TIME=86400 # One day
# Move the keytab into keytabfile
echo "Generating keytab file"
cat /vault/secrets/${USERNAME}.keytab | cut -d' ' -f2 | base64 -d > /etc/${USERNAME}.keytab
# Get the TGT
echo "Loading keytab"
kinit -kt /etc/${USERNAME}.keytab ${USERNAME}@${REALM}
# Remove secrets for security reasons
rm -rf /vault/secrets/*
rm -rf /etc/${USERNAME}.keytab
echo "Secrets removed from tmpfs"
while :;
do
kinit -R
sleep ${KERBEROS_RENEWAL_TIME}
done
当然,您需要为部署创建 PersistentVolumes 和 PersistentVolumeClaims。
持久卷
apiVersion: v1
kind: PersistentVolume
metadata:
name: NFS-vol
spec:
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Recycle
storageClassName: slow
mountOptions:
- sec=krb5
nfs:
path: /exports
server: nfs.server.test
PersistentVolumeClaim:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfsvol
spec:
storageClassName: manual
accessModes:
- ReadWriteMany
resources:
requests:
storage: 3Gi
最后是部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-user
spec:
selector:
matchLabels:
test: test
template:
metadata:
labels:
test: test
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/agent-inject-secret-userKeytab: 'user/keytabs/user'
vault.hashicorp.com/role: 'nfs'
vault.hashicorp.com/ca-cert: 'certs/ca.crt'
vault.hashicorp.com/tls-secret: 'tls-ca'
vault.hashicorp.com/agent-pre-populate-only: "true"
spec:
securityContext:
# Here we defined the user uid, this user must be present in the NFS server
runAsUser: 2500
runAsGroup: 2500
# This may be needed or not depending on your DNS setup
hostAliases:
- ip: "192.168.111.130"
hostnames:
- "IPA"
- "IPA.server"
- ip: "192.168.111.131"
hostnames:
- "nfs"
- "nfs.serer"
restartPolicy: Always
volumes:
- name: nfs-user
persistentVolumeClaim:
claimName: nfs-vol
- name: krb5
configMap:
name: keos-kerberos-config
- name: kcmsocket
hostPath:
path: /var/run/.heim_org.h5l.kcm-socket
type: File
containers:
- name: krb5-sidecar
image: krb5-sidecar:0.1.0
env:
- name: KRB5CCNAME
value: "KCM:"
- name: USERNAME
value: user
- name: REALM
value: server
volumeMounts:
- name: krb5
mountPath: "/etc/krb5.conf"
subPath: "krb5.conf"
- name: kcmsocket
mountPath: "/var/run/.heim_org.h5l.kcm-socket"
lifecycle:
preStop:
exec:
command: ["/usr/bin/kdestroy"]
- name: mount-nfs-container
image: nfs-centos:0.2.0
env:
- name: KRB5CCNAME
value: "KCM:"
volumeMounts:
- name: nfs-user
mountPath: "/nfs"
- name: krb5
mountPath: "/etc/krb5.conf"
subPath: "krb5.conf"
- name: kcmsocket
mountPath: "/var/run/.heim_org.h5l.kcm-socket"
【讨论】: