Skip to main content
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

准备配置Azure NetApp Files 后端

贡献者

在配置Azure NetApp Files 后端之前、您需要确保满足以下要求。

NFS和SMB卷的前提条件

如果您是首次使用Azure NetApp Files 或在新位置使用、则需要进行一些初始配置来设置Azure NetApp Files 并创建NFS卷。请参见 "Azure:设置Azure NetApp Files 并创建NFS卷"

配置和使用 "Azure NetApp Files" 后端,您需要满足以下要求:

备注
  • subscriptionIDtenantIDclientIDlocation,和 clientSecret 在AKS集群上使用受管身份时为可选。

  • tenantIDclientID,和 clientSecret 在AKS集群上使用云标识时可选。

  • 一个容量池。请参见 "Microsoft:为Azure NetApp Files 创建容量池"

  • 委派给Azure NetApp Files 的子网。请参见 "Microsoft:将子网委派给Azure NetApp Files"

  • ssubscriptionID 来自启用了 Azure NetApp Files 的 Azure 订阅。

  • tenantIDclientID,和 clientSecret"应用程序注册" 在 Azure Active Directory 中,具有足够的 Azure NetApp Files 服务权限。应用程序注册应使用以下任一项:

    • 所有者或贡献者角色 "由Azure预定义"

    • "自定义贡献者角色"订阅级别(`assignableScopes`的)具有以下权限,这些权限仅限于Trident所需的权限。创建自定义角色后,"使用Azure门户分配角色"

      自定义贡献者角色
      {
          "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
          "properties": {
              "roleName": "custom-role-with-limited-perms",
              "description": "custom role providing limited permissions",
              "assignableScopes": [
                  "/subscriptions/<subscription-id>"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.NetApp/netAppAccounts/capacityPools/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/MountTargets/read",
                          "Microsoft.Network/virtualNetworks/read",
                          "Microsoft.Network/virtualNetworks/subnets/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/write",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/delete",
                          "Microsoft.Features/features/read",
                          "Microsoft.Features/operations/read",
                          "Microsoft.Features/providers/features/read",
                          "Microsoft.Features/providers/features/register/action",
                          "Microsoft.Features/providers/features/unregister/action",
                          "Microsoft.Features/subscriptionFeatureRegistrations/read"
                      ],
                      "notActions": [],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
          }
      }
  • Azure location 至少包含一个 "委派子网"。自Trident 22.01日开始 location 参数是后端配置文件顶层的必填字段。在虚拟池中指定的位置值将被忽略。

  • 以使用 Cloud Identity`请获取 `client ID 从A "用户分配的托管身份" 并在中指定此ID azure.workload.identity/client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

SMB卷的其他要求

要创建SMB卷、您必须具有:

  • 已配置Active Directory并连接到Azure NetApp Files。请参见 "Microsoft:创建和管理Azure NetApp Files 的Active Directory连接"

  • 一个Kubernetes集群、其中包含一个Linux控制器节点以及至少一个运行Windows Server 2022的Windows工作节点。Trident仅支持挂载到Windows节点上运行的Pod的SMB卷。

  • 至少一个包含Active Directory凭据的Trident密钥、以便Azure NetApp Files可以向Active Directory进行身份验证。生成密钥 smbcreds

    kubectl create secret generic smbcreds --from-literal username=user --from-literal password='password'
  • 配置为Windows服务的CSI代理。配置 csi-proxy、请参见 "GitHub:CSI代理""GitHub:适用于Windows的CSI代理" 适用于在Windows上运行的Kubernetes节点。