使用Kubernetes持久卷进行数据保护
[英]Using Kubernetes Persistent Volume for Data Protection
问题描述
To resolve a few issues we are running into with docker and running multiple instances of some services, we need to be able to share values between running instances of the same docker image. 
为了解决我们在docker中运行并运行某些服务的多个实例的一些问题,我们需要能够在同一docker映像的运行实例之间共享值。 The original solution I found was to create a storage account in Azure (where we are running our kubernetes instance that houses the containers) and a Key Vault in Azure, accessing both via the well defined APIs that microsoft has provided for Data Protection (detailed here ). 我发现的原始解决方案是在Azure中创建一个存储帐户(我们在其中运行容纳容器的kubernetes实例)和Azure中的密钥保管库,通过Microsoft为数据保护提供的定义明确的API进行访问(详细信息请参见此处) )。
Our architect instead wants to use Kubernetes Persitsent Volumes, but he has not provided information on how to accomplish this (he just wants to save money on the azure subscription by not having an additional storage account or key storage). 相反,我们的架构师想使用Kubernetes Persitsent Volumes,但他没有提供有关如何完成此工作的信息(他只是想通过没有额外的存储帐户或密钥存储来节省Azure订阅的费用)。 I'm very new to kubernetes and have no real idea how to accomplish this, and my searches so far have not come up with much usefulness. 我是kubernetes的新手,不知道如何实现此目的,到目前为止,我的搜索还没有太大的用处。
Is there an extension method that should be used for Persistent Volumes? 持久卷是否应该使用扩展方法? Would this just act like a shared file location and be accessible with the PersistKeysToFileSystem API for Data Protection? 这会像共享文件位置一样使用PersistKeysToFileSystem API进行数据保护访问吗? Any resources that you could point me to would be greatly appreciated. 您可以向我指出的任何资源将不胜感激。
1 个解决方案
解决方案1
2 已采纳 2018-09-25 18:48:18
A PersistentVolume with Kubernetes in Azure will not give you the same exact functionality as Key Vault in Azure. 在Azure中具有Kubernetes的PersistentVolume无法为您提供与Azure中的Key Vault完全相同的功能。
PesistentVolume: 持续量:
- Store locally on a mounted volume on a server 本地存储在服务器上已安装的卷上
- Volume can be encrypted 卷可以加密
- Volume moves with the pod. 音量随吊舱移动。
- If the pod starts on a different server, the volume moves. 如果pod在其他服务器上启动,则卷将移动。
- If the pod starts on a different server, the volume moves.
- Accessing volume from other pods is not that easy. 从其他吊舱访问音量并不是那么容易。
- You can control performance by assigning guaranteed IOPs to the volume (from the cloud provider) 您可以通过将有保证的IOP分配给卷来控制性能(来自云提供商)
Key Vault: 关键保管箱:
- Store keys in a centralized location managed by Azure 将密钥存储在由Azure管理的集中位置
- Data is encrypted at rest and in transit. 静态和传输中的数据都会被加密。
- You rely on a remote API rather than a local file system. 您依赖于远程API而不是本地文件系统。
- There might be a performance hit by going to an external service 转到外部服务可能会降低性能
- I assume this not to be a major problem in Azure. 我认为这不是Azure中的主要问题。
- I assume this not to be a major problem in Azure.
- Kubernetes pods can access the service from anywhere as long as they have network connectivity to the service. 只要Kubernetes Pod具有到服务的网络连接,便可以从任何地方访问该服务。
- Less maintenance time, since it's already maintained by Azure. 更少的维护时间,因为它已经由Azure维护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.