The MinIO Operator provides easy to run MinIO Tenant on Kubernetes. We have provided cluster-wide MinIO Operator for easy deployment of MinIO S3 object storage servers. The MinIO Operator defines a kind of Tenant
that ensures the existence of a object storage. Full documentation about its structure is available here. The official manual for creating an example MinIO tenant can be found here. For your convenience, we provide some working examples below, divided into sections.
Deploying a single instance
You can start with an example instance, which is suitable for testing. This example creates a resource Tenant defined by the installed Minio operator. You can download the example here.
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: myminio
spec:
## Create configuration in the Tenant using this field. Make sure to create a secret with root credentials with the same name as in this section.
## Secret should follow the format used in `myminio-root-secret`.
configuration:
- name: myminio-root-secret
## Specification for MinIO Pool(s) in this Tenant.
pools:
## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
## For standalone mode, supply 1. For distributed mode, supply 4 or more.
## Note that the operator does not support upgrading from standalone to distributed mode.
- servers: 4
## custom pool name
name: pool-0
## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
volumesPerServer: 2
## Request CPU resources
resources:
limits:
cpu: 2
memory: 2Gi
requests:
cpu: 100m
memory: 512Mi
## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO Tenant in this Pool.
volumeClaimTemplate:
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
## Configure Pod's security context
securityContext:
runAsNonRoot: true
fsGroup: 1000
runAsUser: 1000
runAsGroup: 1000
## Configure container security context
containerSecurityContext:
runAsNonRoot: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: "RuntimeDefault"
This example also requires to deploy secret for the root access to the minio console. You can download the secret example.
apiVersion: v1
kind: Secret
metadata:
name: myminio-root-secret
type: Opaque
stringData:
config.env: |-
export MINIO_ROOT_USER=<root-user-name>
export MINIO_ROOT_PASSWORD=<root-user-password>
Run kubectl create -n [namespace] -f example-tenant-secret.yaml -f example-tenant.yaml
, you should see pod named myminio-pool-0-0
(possibly similar pods depending on the configuration) running in the specified namespace.
Minio Console Access (Tenant Administration)
You can access myminio-console
service that is automatically created from other Pods in the Kubernetes cluster. That service works like a DNS name so you can use it as an endpoint for another applications within the Kubernetes cluster. If exposure to another namespace is required, use the full name - e.g. myminio-console.[namespace].svc.cluster.local
.
To access the Minio console from the internet you need to configure the ingress rule. There you can define a custom hostname. You can download the ingress example. Adding this ingress rule will generate the appropriate secret (certificate) for your hostname and bind to myminio-console
service within Kubernetes. There You must change host
property in rules
section to your own and consequently also the properties in tls
section. You must change the DNS name in the ingress rule, i.e. “[myminio-console]” string to your own. For secretName
use the hostname where you replace dots with dashes and append -tls
, i.e. [myminio-console]-dyn-cloud-e-infra-cz-tls. This secret will be generated automatically DO NOT generate it in advance or DO NOT use any existing. You can fully rely on Let’s Encrypt service to obtain the correct secret (certificate). You can check the port number of myminio-console
service by running the command kubectl -n [namespace] get svc
, default myminio-console
service port is 9443.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
name: myminio-ingress-console
spec:
ingressClassName: nginx
rules:
- host: [myminio-console].dyn.cloud.e-infra.cz
http:
paths:
- backend:
service:
name: myminio-console
port:
number: 9443
pathType: ImplementationSpecific
tls:
- hosts:
- [myminio-console].dyn.cloud.e-infra.cz
secretName: [myminio-console]-dyn-cloud-e-infra-cz-tls
S3 Storage Access (S3 Storage Endpoint for uploading and downloading data)
To access the S3 storage from other Pods in Kubernetes cluster you can use myminio-hl
service that is automatically created. That service works like DNS names so you can use it as endpoint for another application within the Kubernetes cluster. If exposure to another namespace is required, use the full name - e.g. myminio-hl.[namespace].svc.cluster.local
.
To access the Minio S3 storage from the internet you need to configure the ingress rule. There you can define a custom S3 endpoint hostname. You can download the ingress example. Adding this ingress rule will generate the appropriate secret (certificate) for your hostname and bind to myminio-hl
service within Kubernetes. There You must change host
property in rules
section to your own and consequently also the properties in tls
section. You must change the DNS name in the ingress rule, i.e. “[myminio-s3]” string to your own. For secretName
use the hostname where you replace dots with dashes and append -tls
, i.e. [myminio-s3]-dyn-cloud-e-infra-cz-tls. This secret will be generated automatically DO NOT generate it in advance or DO NOT use any existing. You can fully rely on Let’s Encrypt service to obtain the correct secret (certificate). You can check the port number of myminio-hl
service by running the command kubectl -n [namespace] get svc
, default myminio-hl
service port is 9000.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
generation: 2
name: minio-ingress-s3
spec:
ingressClassName: nginx
rules:
- host: [myminio-s3].dyn.cloud.e-infra.cz
http:
paths:
- backend:
service:
name: myminio-hl
port:
number: 9000
pathType: ImplementationSpecific
tls:
- hosts:
- status:
loadBalancer:
ingress:
- hostname: [myminio-s3].dyn.cloud.e-infra.cz
secretName: [myminio-s3]-dyn-cloud-e-infra-cz-tls
Network Policy
To increase security, a network policy can be used to allow network access to the S3 storage only from certain pods. See Network Policy for more information. External access, i.e. access from the public Internet, is disabled by default. However, it is possible to expose the S3 via Load Balancer.
This is an example of a NetworkPolicy applied to the Minio tenant. You can download this example here
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: myminio-np
spec:
podSelector:
matchLabels:
# This NetworkPolicy is applied to the `myminio` Tenant
app: myminio
policyTypes:
- Egress
- Ingress
egress:
# Enables egress communication to the local DNS resolver
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
# Enables egress communication to the Minio operator installed in Kubernetes.
- to:
- ipBlock:
cidr: 10.43.0.1/32
- ipBlock:
cidr: 10.16.62.14/32
- ipBlock:
cidr: 10.16.62.15/32
- ipBlock:
cidr: 10.16.62.16/32
- ipBlock:
cidr: 10.16.62.17/32
- ipBlock:
cidr: 10.16.62.18/32
ports:
- port: 6443
protocol: TCP
ingress:
# Enables ingress communication from any Pod to the 9000 and 9443 ports
# for web management console access and S3 connection
- from:
- podSelector: {}
ports:
- protocol: TCP
port: 9000
- protocol: TCP
port: 9443
This is an example of a NetworkPolicy applied to a hypothetical application. You can download this example here
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: myapplication-allow-s3
spec:
podSelector:
matchLabels:
# This NetworkPolicy is applied to `myapplication` Pod
app: myapplication
policyTypes:
- Egress
egress:
# Enables egress S3 communication from `myapplication` to the `myminio` Tenant
- to:
- podSelector:
matchLabels:
app : myminio
ports:
- protocol: TCP
port: 9000