How does a Kubernetes cluster use Alibaba Cloud CSI storage components

The container storage feature of Alibaba Cloud Container Service ACK is built on the Kubernetes storage system. It is deeply integrated with Alibaba Cloud storage services and fully compatible with Kubernetes native storage such as EmptyDir, HostPath, Secret, and ConfigMap. ACK provides access to Alibaba Cloud storage services by deploying CSI plug-ins, which are based on the community Container Storage Interface (CSI). With Container Service ACK, pods can automatically bind storage services such as Alibaba Cloud cloud disks, NAS, OSS, CPFS, and local volumes. For the main features and application scenarios of each type of storage volume, see Storage CSI Overview.

Prerequisites

You have created a registered cluster and connected the self-built Kubernetes cluster to it. For details, see Creating an Alibaba Cloud Registered Cluster and Connecting to a Self-built Kubernetes Cluster.
Your self-built cluster has already been expanded with Alibaba Cloud ECS nodes (for how to add Alibaba Cloud ECS nodes to a self-built Kubernetes cluster, see Creating a hybrid cluster), or your self-built cluster is deployed on Alibaba Cloud ECS.

Precautions

Alibaba Cloud CSI storage components only support running on Alibaba Cloud ECS nodes. The Alibaba Cloud ECS nodes in the self-built Kubernetes cluster need to be marked with the node label alibabacloud.com/external=true.

If your self-built cluster is deployed on Alibaba Cloud ECS, see Connect self-built Kubernetes cluster to ACK registration cluster on Alibaba Cloud ECS.
If you use the node pool function of the ACK registered cluster to add Alibaba Cloud ECS nodes to a self-built Kubernetes cluster in a local data center, the nodes are labeled alibabacloud.com/external=true by default.

Step 1 Configure the CSI component RAM permissions in the self-built cluster

Before installing the CSI components in the registered cluster, you need to configure, in the connected self-built cluster, an AccessKey (AK) that has permission to access the cloud services. Before setting up the AK, create a RAM user and grant it permission to access the related cloud resources.

Create a RAM user. For details on how to create a RAM user, see Creating a RAM User.
Create a permission policy. For the specific steps, see Creating a Custom Policy. Grant the following RAM permissions:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:AttachDisk",
                "ecs:DetachDisk",
                "ecs:DescribeDisks",
                "ecs:CreateDisk",
                "ecs:ResizeDisk",
                "ecs:CreateSnapshot",
                "ecs:DeleteSnapshot",
                "ecs:CreateAutoSnapshotPolicy",
                "ecs:ApplyAutoSnapshotPolicy",
                "ecs:CancelAutoSnapshotPolicy",
                "ecs:DeleteAutoSnapshotPolicy",
                "ecs:DescribeAutoSnapshotPolicyEX",
                "ecs:ModifyAutoSnapshotPolicyEx",
                "ecs:AddTags",
                "ecs:DescribeTags",
                "ecs:DescribeSnapshots",
                "ecs:ListTagResources",
                "ecs:TagResources",
                "ecs:UntagResources",
                "ecs:ModifyDiskSpec",
                "ecs:CreateSnapshot",
                "ecs:DeleteDisk",
                "ecs:DescribeInstanceAttribute",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "nas:DescribeFileSystems",
                "nas:DescribeMountTargets",
                "nas:AddTags",
                "nas:DescribeTags",
                "nas:RemoveTags",
                "nas:CreateFileSystem",
                "nas:DeleteFileSystem",
                "nas:ModifyFileSystem",
                "nas:CreateMountTarget",
                "nas:DeleteMountTarget",
                "nas:ModifyMountTarget",
                "nas:TagResources",
                "nas:SetDirQuota",
                "nas:EnableRecycleBin",
                "nas:GetRecycleBinAttribute"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:PutBucket",
                "oss:GetObjectTagging",
                "oss:ListBuckets",
                "oss:PutBucketTags",
                "oss:GetBucketTags",
                "oss:PutBucketEncryption",
                "oss:GetBucketInfo"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
Grant the permissions to the RAM user. For details about how to authorize RAM users, see Authorizing RAM Users.
Create an AK for the RAM user. For how to create an AK for a sub-account, see Obtaining an AccessKey.
Use the AK to create a Secret resource named alibaba-addon-secret in the self-built Kubernetes cluster. When the components are installed in Step 2, this AK is referenced automatically to access the corresponding cloud service resources.
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your-access-key-id>' --from-literal='access-key-secret=<your-access-key-secret>'
Replace the placeholders <your-access-key-id> and <your-access-key-secret> in the command above with the AK information you obtained.
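
Added example (not part of the original page or of Alibaba Cloud's tooling): the Step 1 policy grants every action on Resource "*" for disks, NAS and OSS, so a cluster that uses only some volume types can attach a smaller policy to the RAM user. It assumes each volume type needs only the actions of its own service (disk: ecs, NAS: nas, OSS: oss); `trim_policy`, `wildcard_destructive` and the abbreviated sample policy are names and data constructed for this illustration.

```python
import json

# Constructed sample: an abbreviated copy of the Step 1 policy (three actions
# per service). In real use, load the full JSON shown in Step 1 instead.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:AttachDisk", "ecs:CreateDisk", "ecs:DeleteDisk"],
         "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["nas:DescribeFileSystems", "nas:CreateFileSystem",
                    "nas:DeleteFileSystem"],
         "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["oss:PutBucket", "oss:ListBuckets", "oss:GetBucketInfo"],
         "Resource": ["*"], "Effect": "Allow"},
    ],
}

# Assumption: each volume type only needs the actions of its own service.
SERVICE_FOR_VOLUME = {"disk": "ecs", "nas": "nas", "oss": "oss"}


def trim_policy(policy, volume_types):
    """Return a copy of the policy keeping only actions for the volume types in use."""
    prefixes = tuple(SERVICE_FOR_VOLUME[v] + ":" for v in volume_types)
    statements = []
    for stmt in policy["Statement"]:
        kept = [a for a in stmt["Action"] if a.startswith(prefixes)]
        if kept:  # drop statements that end up with no actions
            statements.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": statements}


def wildcard_destructive(policy):
    """List allowed Delete*/Detach* actions that apply to Resource "*"."""
    risky = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in stmt["Resource"]:
            risky += [a for a in stmt["Action"]
                      if a.split(":", 1)[1].startswith(("Delete", "Detach"))]
    return sorted(risky)


if __name__ == "__main__":
    trimmed = trim_policy(SAMPLE_POLICY, ["disk"])
    print(json.dumps(trimmed, indent=2))
    print("review before attaching:", wildcard_destructive(trimmed))
```

The second function lists the actions worth a manual review, since the AK stored in alibaba-addon-secret can perform them on any resource in the account.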

Step 2 Component installation and upgrade

The steps to install the CSI components are as follows:

1) Log in to the Container Service console.
2) In the left navigation bar of the console, click Cluster.
3) On the cluster list page, click Details on the right side of the target registered cluster.
4) On the Cluster Details tab, click Component Management under Operation and Maintenance Management.
5) Find csi-provisioner and csi-plugin and click Install.

Step 3 Use the CSI storage plugin
