Remote storage access authorization
2022-07-06 08:02:00 【Tianxiang shop】
This article describes in detail how to grant access permissions to remote storage, so that TiDB cluster data can be backed up to remote storage or backup data can be restored from remote storage to a TiDB cluster.
AWS Account Authorization
In the AWS cloud environment, different types of Kubernetes clusters provide different ways to grant permissions. This article introduces the following three permission-granting configurations.
Grant permissions by AccessKey and SecretKey
The AWS client supports reading AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to obtain the permissions of the associated user or role.
Create the s3-secret secret, authorizing with the AccessKey and SecretKey of the AWS account. This secret stores the credentials for accessing S3-compatible storage.
kubectl create secret generic s3-secret --from-literal=access_key=xxx --from-literal=secret_key=yyy --namespace=test1
Grant permissions by binding an IAM role to the Pod
By binding the user's IAM role to the running Pod resource, the processes running in the Pod obtain the permissions owned by the role. This authorization method is provided by kube2iam.
Note
- When using this authorization mode, you can refer to the kube2iam documentation to create the kube2iam environment in the Kubernetes cluster, and then deploy TiDB Operator and the TiDB cluster.
- This mode is not applicable to the hostNetwork network mode. Make sure that the value of spec.tikv.hostNetwork is false.
Create the IAM role:
You can refer to the AWS official documentation to create an IAM role, and refer to the AWS official documentation to grant the IAM role the required permissions. Because Backup needs to access AWS S3 storage, the IAM role is granted the AmazonS3FullAccess permission here.
Bind the IAM role to the TiKV Pod:
When backing up with BR, both the TiKV Pod and the BR Pod need to read from and write to the S3 storage, so an annotation needs to be added to the TiKV Pod to bind the IAM role.
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"annotations":{"iam.amazonaws.com/role":"arn:aws:iam::123456789012:role/user"}}}}'
After the TiKV Pod restarts, check whether this annotation has been added to the Pod.
Note
arn:aws:iam::123456789012:role/user is the IAM role created in step 1.
Grant permissions by binding an IAM role to the ServiceAccount
By binding the user's IAM role to a ServiceAccount resource in Kubernetes, all Pods that use this ServiceAccount obtain the permissions of the role. This authorization method is provided by the EKS Pod Identity Webhook service.
When using this authorization mode, you can refer to the AWS official documentation to create an EKS cluster, and then deploy TiDB Operator and the TiDB cluster.
Enable IAM roles for service accounts on the cluster:
You can refer to the AWS official documentation to enable IAM role authorization on the EKS cluster.
Create the IAM role:
You can refer to the AWS official documentation to create an IAM role, grant the role the AmazonS3FullAccess permission, and edit the role's Trust relationships.
Bind the IAM role to the ServiceAccount resource:
kubectl annotate sa tidb-backup-manager eks.amazonaws.com/role-arn=arn:aws:iam::123456789012:role/user --namespace=test1
Bind the ServiceAccount to the TiKV Pod:
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"serviceAccount": "tidb-backup-manager"}}}'
This changes spec.tikv.serviceAccount to tidb-backup-manager. After the TiKV Pod restarts, check whether the Pod's serviceAccountName has changed.
Note
arn:aws:iam::123456789012:role/user is the IAM role created in step 2.
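The two IAM binding modes above (kube2iam annotation on the TiKV Pod, and the EKS Pod Identity Webhook via a ServiceAccount) both fail silently when a precondition is missed: with hostNetwork enabled kube2iam cannot serve the Pod, and with an unannotated ServiceAccount the webhook injects nothing. The following script is an added example, not code from the TiDB Operator docs or project. It builds the same JSON merge patches the kubectl commands above send, checks those preconditions, and verifies a restarted TiKV Pod actually carries the binding. It assumes the TidbCluster, ServiceAccount and Pod objects are the parsed output of `kubectl get ... -o json`; here they are constructed inline so it runs offline, and the role ARN is the placeholder from this page.

```python
"""Added example (not from the TiDB Operator docs): preflight and post-restart
checks for binding an AWS IAM role to TiKV Pods, for both the kube2iam mode and
the EKS ServiceAccount (IRSA) mode.

Assumption: the objects below stand in for the parsed output of
`kubectl get tc demo1 -n test1 -o json`, `kubectl get sa tidb-backup-manager -n test1 -o json`
and `kubectl get pod <tikv-pod> -n test1 -o json`; they are constructed inline.
"""
import json
import re

# Shape of an IAM role ARN: arn:aws:iam::<12-digit account id>:role/<name or path>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
KUBE2IAM_ANNOTATION = "iam.amazonaws.com/role"      # read by kube2iam on the Pod
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"      # read by the EKS Pod Identity Webhook on the SA


def build_tikv_patch(mode, value):
    """Return the JSON merge patch for `kubectl patch tc demo1 -n test1 --type merge -p ...`."""
    if mode == "kube2iam":
        if not ROLE_ARN_RE.match(value):
            raise ValueError(f"not an IAM role ARN: {value!r}")
        return {"spec": {"tikv": {"annotations": {KUBE2IAM_ANNOTATION: value}}}}
    if mode == "irsa":
        return {"spec": {"tikv": {"serviceAccount": value}}}
    raise ValueError(f"unknown mode: {mode}")


def preflight(tc, mode, sa=None, role_arn=None):
    """List conditions under which the binding would not take effect."""
    problems = []
    tikv = tc.get("spec", {}).get("tikv", {})
    if mode == "kube2iam" and tikv.get("hostNetwork", False):
        # kube2iam serves credentials from the Pod network, so a Pod sharing the
        # node's network namespace is not covered.
        problems.append("spec.tikv.hostNetwork is true; kube2iam mode requires false")
    if mode == "irsa":
        annotated = (sa or {}).get("metadata", {}).get("annotations", {}).get(IRSA_ANNOTATION)
        if annotated != role_arn:
            problems.append(f"ServiceAccount lacks {IRSA_ANNOTATION}={role_arn}")
    return problems


def verify_pod(pod, mode, expected):
    """After the TiKV Pod restarts, confirm the binding is present on the Pod itself."""
    if mode == "kube2iam":
        return pod.get("metadata", {}).get("annotations", {}).get(KUBE2IAM_ANNOTATION) == expected
    if mode == "irsa":
        return pod.get("spec", {}).get("serviceAccountName") == expected
    raise ValueError(f"unknown mode: {mode}")


# ---- constructed sample objects (stand-ins for kubectl output) ----
ROLE = "arn:aws:iam::123456789012:role/user"   # placeholder ARN from the page
TC_HOSTNET = {"spec": {"tikv": {"hostNetwork": True}}}
TC_OK = {"spec": {"tikv": {"hostNetwork": False}}}
SA_BOUND = {"metadata": {"name": "tidb-backup-manager",
                         "annotations": {IRSA_ANNOTATION: ROLE}}}
POD_AFTER_KUBE2IAM = {"metadata": {"annotations": {KUBE2IAM_ANNOTATION: ROLE}},
                      "spec": {"serviceAccountName": "default"}}
POD_AFTER_IRSA = {"metadata": {"annotations": {}},
                  "spec": {"serviceAccountName": "tidb-backup-manager"}}

if __name__ == "__main__":
    print(json.dumps(build_tikv_patch("kube2iam", ROLE)))
    print(preflight(TC_HOSTNET, "kube2iam"))
    print(preflight(TC_OK, "irsa", sa=SA_BOUND, role_arn=ROLE))
    print(verify_pod(POD_AFTER_KUBE2IAM, "kube2iam", ROLE))
    print(verify_pod(POD_AFTER_IRSA, "irsa", "tidb-backup-manager"))
```

Run the preflight before patching and the Pod check after the TiKV Pods have restarted; a backup that starts against a Pod with no binding fails only at the first S3 request, which is harder to diagnose than a failed precondition.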
GCS Account Authorization
Authorize through the service account key
Create the gcs-secret secret. This secret stores the credentials for accessing GCS. The google-credentials.json file holds the service account key that the user downloaded from the GCP console. For the specific steps, refer to the GCP official documentation.
kubectl create secret generic gcs-secret --from-file=credentials=./google-credentials.json -n test1
Azure Account Authorization
In the Azure cloud environment, different types of Kubernetes clusters provide different ways to grant permissions. This article introduces the following two permission-granting configurations.
Grant permissions by access key
The Azure client supports reading AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY to obtain the permissions of the associated user or role.
Create the azblob-secret secret, authorizing with the access key of the Azure account. This secret stores the credentials for accessing Azure Blob Storage.
kubectl create secret generic azblob-secret --from-literal=AZURE_STORAGE_ACCOUNT=xxx --from-literal=AZURE_STORAGE_KEY=yyy --namespace=test1
Grant permissions by Azure AD
The Azure client supports reading AZURE_STORAGE_ACCOUNT, AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET to obtain the permissions of the associated user or role.
Create the azblob-secret-ad secret, authorizing with the Azure AD credentials of the Azure account. This secret stores the credentials for accessing Azure Blob Storage.
kubectl create secret generic azblob-secret-ad --from-literal=AZURE_STORAGE_ACCOUNT=xxx --from-literal=AZURE_CLIENT_ID=yyy --from-literal=AZURE_TENANT_ID=zzz --from-literal=AZURE_CLIENT_SECRET=aaa --namespace=test1
Bind the secret to the TiKV Pod:
When backing up with BR, both the TiKV Pod and the BR Pod need to read from and write to Azure Blob Storage, so the secret needs to be bound to the TiKV Pod.
kubectl patch tc demo1 -n test1 --type merge -p '{"spec":{"tikv":{"envFrom":[{"secretRef":{"name":"azblob-secret-ad"}}]}}}'
After the TiKV Pod restarts, check whether these environment variables have been added to the Pod.
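Every static-credential mode on this page (s3-secret, gcs-secret, azblob-secret and azblob-secret-ad) depends on the Secret carrying exactly the key names the client reads, and the Azure AD mode additionally depends on the TiKV Pod pulling them in through envFrom. The following script is an added example, not code from the TiDB Operator docs or project. It checks a Secret for missing or empty keys and for stray whitespace (which a key pasted with a trailing newline produces), builds the envFrom merge patch used above, and confirms a restarted Pod references the Secret. It assumes the Secret and Pod are the parsed output of `kubectl get secret ... -o json` and `kubectl get pod ... -o json`; constructed stand-ins are used so it runs offline.

```python
"""Added example (not from the TiDB Operator docs): validate that a backup
credential Secret has the key set the client expects, and that a restarted TiKV
Pod references it via envFrom (the Azure AD mode described above).

Assumption: the objects below stand in for the parsed output of
`kubectl get secret <name> -n test1 -o json` and `kubectl get pod <tikv-pod> -n test1 -o json`.
"""
import base64

# Keys each Secret must carry, as named on this page.
REQUIRED_KEYS = {
    "s3-secret": {"access_key", "secret_key"},
    "gcs-secret": {"credentials"},
    "azblob-secret": {"AZURE_STORAGE_ACCOUNT", "AZURE_STORAGE_KEY"},
    "azblob-secret-ad": {"AZURE_STORAGE_ACCOUNT", "AZURE_CLIENT_ID",
                         "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET"},
}


def check_secret(secret, kind):
    """Return problems found: missing keys, empty values, leading/trailing whitespace."""
    problems = []
    data = secret.get("data", {})          # kubectl returns values base64-encoded
    required = REQUIRED_KEYS[kind]
    for key in sorted(required - set(data)):
        problems.append(f"missing key {key}")
    for key in sorted(set(data) & required):
        raw = base64.b64decode(data[key]).decode("utf-8", errors="replace")
        if raw == "":
            problems.append(f"key {key} is empty")
        elif raw != raw.strip():
            problems.append(f"key {key} has leading/trailing whitespace")
    return problems


def build_envfrom_patch(secret_name):
    """JSON merge patch that injects every key of the Secret as env vars into TiKV."""
    return {"spec": {"tikv": {"envFrom": [{"secretRef": {"name": secret_name}}]}}}


def pod_references_secret(pod, secret_name):
    """After restart: does some container in the Pod take envFrom this Secret?"""
    for container in pod.get("spec", {}).get("containers", []):
        for src in container.get("envFrom", []):
            if src.get("secretRef", {}).get("name") == secret_name:
                return True
    return False


def _b64(s):
    """Encode a constructed value the way kubectl presents Secret data."""
    return base64.b64encode(s.encode()).decode()


# ---- constructed sample objects (placeholder values, not real credentials) ----
GOOD_AD_SECRET = {"data": {
    "AZURE_STORAGE_ACCOUNT": _b64("xxx"), "AZURE_CLIENT_ID": _b64("yyy"),
    "AZURE_TENANT_ID": _b64("zzz"), "AZURE_CLIENT_SECRET": _b64("aaa")}}
# Tenant id forgotten, and the client secret pasted with a trailing newline.
BAD_AD_SECRET = {"data": {
    "AZURE_STORAGE_ACCOUNT": _b64("xxx"), "AZURE_CLIENT_ID": _b64("yyy"),
    "AZURE_CLIENT_SECRET": _b64("aaa\n")}}
POD_AFTER_PATCH = {"spec": {"containers": [
    {"name": "tikv", "envFrom": [{"secretRef": {"name": "azblob-secret-ad"}}]}]}}
POD_BEFORE_PATCH = {"spec": {"containers": [{"name": "tikv"}]}}

if __name__ == "__main__":
    print(check_secret(GOOD_AD_SECRET, "azblob-secret-ad"))
    print(check_secret(BAD_AD_SECRET, "azblob-secret-ad"))
    print(build_envfrom_patch("azblob-secret-ad"))
    print(pod_references_secret(POD_AFTER_PATCH, "azblob-secret-ad"))
```

The whitespace check matters because a client reads the value verbatim: a secret ending in a newline is simply a wrong secret, and the resulting authentication error gives no hint about why.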