Remote storage access authorization
2022-07-06 08:02:00 【Tianxiang shop】
This article describes in detail how to grant access to remote storage, which is required to back up TiDB cluster data to remote storage or to restore backup data from remote storage into a TiDB cluster.
AWS Account Authorization
In the AWS cloud environment, different types of Kubernetes clusters provide different ways to grant permissions. This article introduces the following three permission-granting configurations.
Grant permissions by AccessKey and SecretKey
The AWS client reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to obtain the permissions of the associated user or role.
Create the s3-secret secret, which grants access with the AccessKey and SecretKey of an AWS account. This secret stores the credentials used to access S3-compatible storage. These are long-lived static credentials, so issue them for an IAM user that only has the permissions the backup needs, and rotate them if the secret is ever exposed.
kubectl create secret generic s3-secret --from-literal=access_key=xxx --from-literal=secret_key=yyy --namespace=test1
Grant permissions by binding an IAM role to the Pod
By binding the user's IAM role to a running Pod resource, the processes running in that Pod obtain the permissions owned by the role. This authorization method is provided by kube2iam.
Note
- When using this authorization mode, you can refer to the kube2iam documentation to set up a kube2iam environment in the Kubernetes cluster, and then deploy TiDB Operator and the TiDB cluster.
- This mode does not work with the hostNetwork network mode, because kube2iam redirects a Pod's requests to the EC2 instance metadata endpoint through iptables rules on the node, which a Pod on the host network bypasses. Make sure the value of spec.tikv.hostNetwork is false.
Create an IAM role:
You can refer to the AWS official documentation to create an IAM role and to grant the IAM role the required permissions. Because backup needs to access AWS S3 storage, the IAM role is granted the AmazonS3FullAccess permission here. Note that AmazonS3FullAccess covers every bucket in the account; in production, prefer a policy scoped to the backup bucket.
Bind the IAM role to the TiKV Pods:
During a backup with BR, both the TiKV Pods and the BR Pod need to read and write the S3 storage, so the TiKV Pods need an annotation that binds the IAM role.
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"annotations":{"iam.amazonaws.com/role":"arn:aws:iam::123456789012:role/user"}}}}'
After the TiKV Pods have restarted, check whether the annotation has been added to the Pods.
Note
arn:aws:iam::123456789012:role/user is the IAM role created in step 1.
Grant permissions by binding an IAM role to a ServiceAccount
By binding the user's IAM role to a ServiceAccount resource in Kubernetes, every Pod that runs under that ServiceAccount obtains the permissions of the role. This authorization method is provided by the EKS Pod Identity Webhook service.
When using this authorization mode, you can refer to the AWS official documentation to create an EKS cluster, and then deploy TiDB Operator and the TiDB cluster.
Enable IAM roles for service accounts on the cluster:
You can refer to the AWS official documentation to enable IAM role authorization for service accounts on the EKS cluster.
Create an IAM role:
You can refer to the AWS official documentation to create an IAM role, grant the role the AmazonS3FullAccess permission, and edit the role's Trust relationships. The trust policy must allow the cluster's OIDC identity provider to assume the role, with the subject restricted to the ServiceAccount used below (system:serviceaccount:test1:tidb-backup-manager); without that condition any ServiceAccount in the cluster could assume the role.
Bind the IAM role to the ServiceAccount resource:
kubectl annotate sa tidb-backup-manager eks.amazonaws.com/role-arn=arn:aws:iam::123456789012:role/user --namespace=test1
Bind the ServiceAccount to the TiKV Pods:
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"serviceAccount": "tidb-backup-manager"}}}'
This changes spec.tikv.serviceAccount to tidb-backup-manager. After the TiKV Pods have restarted, check whether the serviceAccountName of the Pods has changed.
Note
arn:aws:iam::123456789012:role/user is the IAM role created in step 2.
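The following shell functions are an added example for the two Pod-binding methods above (kube2iam and the ServiceAccount binding); they are not part of the TiDB Operator documentation or project. They build the role annotation patch, the IRSA trust policy that pins the role to one ServiceAccount, and a bucket-scoped policy as an alternative to AmazonS3FullAccess, and they apply and verify the binding with kubectl. The account id, OIDC provider, bucket name, cluster name demo1 and namespace test1 are placeholders; the TiKV StatefulSet name <tc>-tikv and the Pod labels app.kubernetes.io/instance and app.kubernetes.io/component are assumed TiDB Operator conventions, and the action set in the bucket policy is an assumption, since the page does not list the minimum BR needs.

```shell
#!/bin/sh
# Added example; not from the TiDB Operator docs. Builds and checks the IAM
# pieces used by the two Pod-binding methods. Placeholder values (account id,
# OIDC provider, bucket, cluster and namespace names) are assumptions.

# A role ARN looks like arn:aws:iam::<12-digit account>:role/<name>.
# Check it before it goes into an annotation, where a typo only fails at runtime.
iam_role_arn_valid() {
    printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# kube2iam: the merge patch that annotates the TiKV Pods with the role.
tikv_kube2iam_patch() {
    iam_role_arn_valid "$1" || return 1
    printf '{"spec":{"tikv":{"annotations":{"iam.amazonaws.com/role":"%s"}}}}' "$1"
}

# IRSA: trust policy for the role. The sub condition pins the role to one
# ServiceAccount, so no other Pod in the cluster can assume it.
# $1 account id, $2 OIDC provider (host/path, no scheme), $3 namespace, $4 SA
irsa_trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::$1:oidc-provider/$2"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "$2:sub": "system:serviceaccount:$3:$4",
      "$2:aud": "sts.amazonaws.com"
    }}
  }]
}
EOF
}

# Bucket-scoped alternative to AmazonS3FullAccess for the backup role.
# Assumption: this action set is enough for BR backup and restore; the page
# does not list the minimum set.
s3_backup_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::$1"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

# The two functions below need kubectl and a live cluster. Assumed TiDB
# Operator conventions: TiKV StatefulSet <tc>-tikv, Pods labelled
# app.kubernetes.io/instance=<tc>,app.kubernetes.io/component=tikv.
tikv_selector() { echo "app.kubernetes.io/instance=$1,app.kubernetes.io/component=tikv"; }

kube2iam_bind_tikv() {
    ns=$1; tc=$2; role=$3
    patch=$(tikv_kube2iam_patch "$role") || { echo "bad role ARN: $role" >&2; return 1; }
    # kube2iam cannot intercept metadata traffic from a Pod on the host network.
    hn=$(kubectl get tc "$tc" -n "$ns" -o jsonpath='{.spec.tikv.hostNetwork}')
    [ "$hn" != "true" ] || { echo "spec.tikv.hostNetwork must be false" >&2; return 1; }
    kubectl patch tc "$tc" -n "$ns" --type merge -p "$patch"
    kubectl rollout status sts "$tc-tikv" -n "$ns"
    # Every TiKV Pod should now carry the role annotation.
    kubectl get pod -n "$ns" -l "$(tikv_selector "$tc")" \
      -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.metadata.annotations.iam\.amazonaws\.com/role}{"\n"}{end}'
}

irsa_bind_tikv() {
    ns=$1; tc=$2; sa=$3; role=$4
    iam_role_arn_valid "$role" || { echo "bad role ARN: $role" >&2; return 1; }
    kubectl annotate sa "$sa" -n "$ns" --overwrite "eks.amazonaws.com/role-arn=$role"
    kubectl patch tc "$tc" -n "$ns" --type merge -p "{\"spec\":{\"tikv\":{\"serviceAccount\":\"$sa\"}}}"
    kubectl rollout status sts "$tc-tikv" -n "$ns"
    # Each Pod must run as the SA and carry AWS_ROLE_ARN injected by the webhook.
    kubectl get pod -n "$ns" -l "$(tikv_selector "$tc")" \
      -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.serviceAccountName}{" "}{.spec.containers[0].env[?(@.name=="AWS_ROLE_ARN")].value}{"\n"}{end}'
}
```

Typical use is to create the role with `irsa_trust_policy 123456789012 oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE test1 tidb-backup-manager` as the trust document and `s3_backup_policy tidb-backups` as the inline policy, then run `irsa_bind_tikv test1 demo1 tidb-backup-manager arn:aws:iam::123456789012:role/user`; the last command of each bind function prints one line per TiKV Pod so a missing annotation or ServiceAccount is visible immediately rather than at the first failed backup.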
GCS Account Authorization
Grant permissions by service account key
Create the gcs-secret secret. This secret stores the credentials used to access GCS. The google-credentials.json file holds the service account key downloaded by the user from the GCP console; for the specific steps, refer to the GCP official documentation.
kubectl create secret generic gcs-secret --from-file=credentials=./google-credentials.json -n test1
Azure Account Authorization
In the Azure cloud environment, different types of Kubernetes clusters provide different ways to grant permissions. This article introduces the following two permission-granting configurations.
Grant permissions by access key
The Azure client reads AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY to obtain access to the associated storage account.
Create the azblob-secret secret, which grants access with the access key of the Azure storage account. This secret stores the credentials used to access Azure Blob Storage.
kubectl create secret generic azblob-secret --from-literal=AZURE_STORAGE_ACCOUNT=xxx --from-literal=AZURE_STORAGE_KEY=yyy --namespace=test1
Grant permissions by Azure AD
The Azure client reads AZURE_STORAGE_ACCOUNT, AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET to obtain the permissions of the associated user or role. The Azure AD application identified by AZURE_CLIENT_ID must hold a data-plane role on the target storage account or container (for example Storage Blob Data Contributor); an Owner or Contributor role on the resource alone does not grant blob read and write access.
Create the azblob-secret-ad secret, which grants access with the Azure AD credentials of the account. This secret stores the credentials used to access Azure Blob Storage.
kubectl create secret generic azblob-secret-ad --from-literal=AZURE_STORAGE_ACCOUNT=xxx --from-literal=AZURE_CLIENT_ID=yyy --from-literal=AZURE_TENANT_ID=zzz --from-literal=AZURE_CLIENT_SECRET=aaa --namespace=test1
Bind the secret to the TiKV Pods:
During a backup with BR, both the TiKV Pods and the BR Pod need to read and write Azure Blob Storage, so the secret needs to be bound to the TiKV Pods.
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"envFrom":[{"secretRef":{"name":"azblob-secret-ad"}}]}}}'
After the TiKV Pods have restarted, check whether these environment variables have been added to the Pods.
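The following shell functions are an added example covering the credential secrets on this page (s3-secret, azblob-secret and azblob-secret-ad); they are not part of the TiDB Operator documentation or project. The --from-literal commands above put the key material on the command line, where it lands in shell history and is visible to other users through the process list. The example instead validates a KEY=value env file against the keys each secret needs, checks that the Azure AD client and tenant ids are GUIDs, creates the secret with kubectl's --from-env-file, and checks that the variables reached the TiKV container after the envFrom patch. The namespace test1, cluster name demo1, the Pod name demo1-tikv-0 and the container name tikv are placeholders and assumed TiDB Operator conventions.

```shell
#!/bin/sh
# Added example; not from the TiDB Operator docs. Creates the credential
# secrets from an env file instead of --from-literal, so keys never appear in
# shell history or `ps` output, and checks the required keys first.

# Keys each secret must contain, as listed on the page.
required_keys() {
    case "$1" in
        s3-secret)        echo "access_key secret_key" ;;
        azblob-secret)    echo "AZURE_STORAGE_ACCOUNT AZURE_STORAGE_KEY" ;;
        azblob-secret-ad) echo "AZURE_STORAGE_ACCOUNT AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET" ;;
        *) echo "unknown secret: $1" >&2; return 1 ;;
    esac
}

# Check that an env file (KEY=value lines) has every key the secret needs
# with a non-empty value. Prints the missing keys and returns 1 if any.
envfile_check() {
    name=$1; file=$2; missing=""
    for k in $(required_keys "$name"); do
        v=$(sed -n "s/^$k=//p" "$file")
        [ -n "$v" ] || missing="$missing $k"
    done
    if [ -n "$missing" ]; then
        echo "$name: missing or empty:$missing" >&2
        return 1
    fi
    return 0
}

# Azure AD client and tenant ids are GUIDs; catch a pasted display name early.
guid_ok() {
    printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Full check for the Azure AD variant: all four keys present, ids well formed.
azblob_ad_envfile_check() {
    envfile_check azblob-secret-ad "$1" || return 1
    for k in AZURE_CLIENT_ID AZURE_TENANT_ID; do
        guid_ok "$(sed -n "s/^$k=//p" "$1")" || { echo "$k is not a GUID" >&2; return 1; }
    done
}

# Create or replace the secret from the env file (needs kubectl). The values
# are read from the file by kubectl, so nothing secret is passed as an argument.
secret_from_envfile() {
    name=$1; ns=$2; file=$3
    envfile_check "$name" "$file" || return 1
    kubectl create secret generic "$name" --from-env-file="$file" -n "$ns" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# After patching spec.tikv.envFrom, confirm the variables are set inside the
# TiKV container (needs kubectl). Assumed Pod <tc>-tikv-0 and container tikv.
tikv_env_check() {
    ns=$1; tc=$2; shift 2
    for k in "$@"; do
        kubectl exec -n "$ns" "$tc-tikv-0" -c tikv -- sh -c "[ -n \"\$$k\" ]" \
            || { echo "$k is not set in $tc-tikv-0" >&2; return 1; }
    done
}
```

Usage, with the key material kept in a file readable only by the operator (for example `chmod 600 azblob-ad.env`): `azblob_ad_envfile_check azblob-ad.env && secret_from_envfile azblob-secret-ad test1 azblob-ad.env`, then after the envFrom patch and the TiKV restart, `tikv_env_check test1 demo1 AZURE_STORAGE_ACCOUNT AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET`. Checking the keys before creating the secret matters because a secret with a misspelled key is accepted by Kubernetes and only fails when the backup job runs.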