使用 Kubernetes CSI 與 Ceph 實現 Trustzone

Transcript

1. 使用Kubernetes CSI與Ceph 實現Trustzone 林春旺＠NUTC 1

2. Agenda Why need CSI What is CSI How to use

   CSI with Kubernetes What is Trustzone How to implement Trustzone Summary 2

3. Why need CSI 3

4. Kubernetes - Volume(emptyDir) 4

5. Kubernetes - Volume(hostPath) 5

6. Kubernetes - Persistent Storage Persistent Volume(PV) Persistent Volume Claim(PVC) StorageClass

   6

7. Kubernetes - In-Tree Volume Plugin 7 External Storage https://medium.com/google-cloud/understanding-the-container-storage-interface-csi-ddbeb966a3b

8. What is CSI 8

9. Kubernetes - Out-Tree Volume Plugin 9 External Storage https://medium.com/google-cloud/understanding-the-container-storage-interface-csi-ddbeb966a3b

10. How to use CSI with Kubernetes 10

11. Deploy Ceph-CSI Services Deploy RBACs for sidecar containers and node

    plugins kubectl create -f csi-provisioner-rbac.yaml kubectl create -f csi-nodeplugin-rbac.yaml Deploy CSI sidecar containers: kubectl create -f csi-cephfsplugin-provisioner.yaml Deploy CSI CephFS driver: kubectl create -f csi-cephfsplugin.yaml 11 https://github.com/ceph/ceph-csi/blob/master/docs/deploy-cephfs.md

12. Deploy the Storage Class kubectl create -f secret.yaml kubectl create

    -f storageclass.yaml kubectl create -f pvc.yaml kubectl create -f pod.yaml 12

13. Secret 13

14. StorageClass 14

15. PersistentVolumeClaim(PVC) 15

16. Pod 16

17. What is Trustzone 17

18. Trustzone 18 https://www.microcontrollertips.com/embedded-security-brief-arm-trustzone-explained/ 在ARM Cortex手 機處理器中分隔 出沒有安全性要 求的執行區域和 可信任的安全區 域。

19. How to implement Trustzone 19

20. Ceph - Architecture 20 http://docs.ceph.com/docs/mimic/architecture/

21. Ceph - Placement Groups 21 http://docs.ceph.com/docs/mimic/rados/operations/placement-groups/ 1.pg_id = hash(obj_id) mod

    pg_num 2.CRUSH(pg_id)取得對應OSD

22. Ceph - CRUSH Maps 22 http://docs.ceph.com/docs/mimic/rados/operations/crush-map/

23. Ceph - CRUSH Maps 23 host normal { id -2

    alg straw2 hash 0 item osd.1 weight 0.910 item osd.2 weight 0.910 item osd.3 weight 0.910 } host secret { id -3 alg straw2 hash 0 item osd.4 weight 0.910 item osd.5 weight 0.910 item osd.6 weight 0.910 }

24. Ceph - CRUSH Rule 24 rule normal { id 1

    type replicated min_size 1 max_size 10 step take normal step chooseleaf firstn 0 type host step emit } rule secret{ id 2 type replicated min_size 1 max_size 10 step take secret step chooseleaf firstn 0 type host step emit }

25. Ceph - File Layouts (Extended Attributes) ceph osd pool create

    normal_data 128 normal ceph osd pool create secret_data 128 secret setfattr -n ceph.dir.layout -v “pool=normal_data" /mnt/normal/ setfattr -n ceph.dir.layout -v “pool=secret_data” /mnt/secret/ 25 http://docs.ceph.com/docs/jewel/cephfs/file-layouts/

26. Summary 26