google-cloud-platform - GKE Autopilot 未连接到 Cloud Filestore

Question

我一直在尝试将由 Cloud Filestore 支持的 PersistentVolume 附加到我在 GKE Autopilot 中的部署。 Filestore 实例与 Autopilot 集群位于同一网络上，但我始终收到以下错误:

"Unable to attach or mount volumes: unmounted volumes=[prd-fileserver-tmp-dir-volume], unattached volumes=[kube-api-access-fk6zj prd-fileserver-tmp-dir-volume localssd]: timed out waiting for the condition"

当我在集群上运行 kubectl describe pod [POD_NAME] 时，我在输出中看到以下错误:

Output: mount.nfs: access denied by server while mounting 10.209.161.2:/prd-fileserver-tmp-dir-volume

下面是我的 YAML 文件:

Filestore-pv.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: prd-fileserver
spec:
  capacity:
    storage: 20Gi
  accessModes:
  - ReadWriteMany
  nfs:
    path: /prd_fs_share
    server: [IP_ADDRESS]

Filestore-pvc.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: prd-fileserver-claim
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: ""
  volumeName: prd-fileserver
  resources:
    requests:
      storage: 20Gi

deployment.yaml

# This is how I am mounting the PVC
volumes:
      - name: prd-fileserver-tmp-dir-volume
        persistentVolumeClaim:
          claimName: prd-fileserver-claim
          readOnly: false
# Attaching to container
- mountPath: /mnt/disks/fileserver/tmp
          name: prd-fileserver-tmp-dir-volume

当我在 GKE 标准环境中运行相同的配置时，一切正常。我的问题是:您可以在 GKE Autopilot 中使用 Cloud Filestore 吗？我没有看到任何表明您不能的信息。

Accessing file shares from Google Kubernetes Engine clusters公共(public)文档中没有提到您需要运行特权 Pod，但我在网上看到各种文章提到您必须在 GKE 中运行特权 Pod 才能访问 Filestore。鉴于您无法运行特权 Pod，这将是 GKE Autopilot 的限制。

Answer 1

根据 Google Cloud 支持的说法，自 2021 年 8 月起，无法在 GKE Autopilot 中安装 Filestore 实例。响应如下:

GKE autopilot can not run privileged pods as mentioned in this documentation. This is the tradeoff of an enforced security policies for the autopilot mode. As the autopilot exclude the nodes management, this is not possible to interact with the hosts, why privileged pods are not allowed. The recommended solution for you is running your workload on GKE standard for being able to mount filestore as expected.