Use the CSI plug-in - Container Service for Kubernetes - Alibaba Cloud Documentation Center

The container storage feature of Container Service for Kubernetes (ACK) is integrated with the storage services provided by Alibaba Cloud, and is compatible with Kubernetes-native storage services. You can deploy the Container Storage Interface (CSI) plug-in in ACK clusters to use Alibaba Cloud storage services. Disk volumes, Apsara File Storage NAS (NAS) volumes, Object Storage Service (OSS) volumes, and local volumes can be automatically mounted to pods in ACK clusters. This topic describes how to use the CSI plug-in in a registered cluster.

Prerequisites

A registered cluster is created and an external cluster is connected to the registered cluster. For more information, see Create a registered cluster in the ACK console and Use onectl to create a registered cluster.
Elastic Compute Service (ECS) instances are added to the external cluster. For more information, see Create and scale out a node pool .
Important
The CSI plug-in provided by Alibaba Cloud can be deployed only on ECS instances. Therefore, you must add the alibabacloud.com/external=true label to the ECS instances in the external cluster.
A kubectl client is connected to the external cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Considerations

If the external cluster is deployed on Alibaba Cloud and ECS instances are added to the cluster, you must add labels to the ECS instances. For more information about how to add labels to ECS instances, see Add labels to ECS instances in an external cluster that is registered with ACK.
If you use the node pool feature to add ECS instances to the registered external cluster, the ECS instances have the alibabacloud.com/external=true label by default.

Step 1: Grant a RAM user the permissions to manage the CSI plug-in

Use onectl

Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.
onectl uses the AccessKey pair of a Resource Access Management (RAM) user to access Alibaba Cloud resources. Run the following command to grant the RAM user the permissions to manage the CSI plug-in:
```
onectl ram-user grant --addon csi-plugin
```
Expected output:
```
Ram policy ack-one-registered-cluster-policy-csi-plugin granted to ram user ack-one-user-ce313528c3 successfully.
```

Use the console

Before you install the CSI plug-in in a registered external cluster, you must set an AccessKey pair in the cluster to access related cloud resources. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

Create a RAM user. For more information, see Create a RAM user.

Create a custom policy.

For more information about how to create a custom policy, see Create a custom policy.

The following examples are custom permission policies used to grant permissions to manage disks, snapshots, snapshot policies, resource labels, instances, file systems, and repositories. For more information about API operations, see List of operations by function.

Show sample code

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:AttachDisk",
                "ecs:DetachDisk",
                "ecs:DescribeDisks",
                "ecs:CreateDisk",
                "ecs:ResizeDisk",
                "ecs:CreateSnapshot",
                "ecs:DeleteSnapshot",
                "ecs:CreateAutoSnapshotPolicy",
                "ecs:ApplyAutoSnapshotPolicy",
                "ecs:CancelAutoSnapshotPolicy",
                "ecs:DeleteAutoSnapshotPolicy",
                "ecs:DescribeAutoSnapshotPolicyEX",
                "ecs:ModifyAutoSnapshotPolicyEx",
                "ecs:AddTags",
                "ecs:DescribeTags",
                "ecs:DescribeSnapshots",
                "ecs:ListTagResources",
                "ecs:TagResources",
                "ecs:UntagResources",
                "ecs:ModifyDiskSpec",
                "ecs:CreateSnapshot",
                "ecs:DeleteDisk",
                "ecs:DescribeInstanceAttribute",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "nas:DescribeFileSystems",
                "nas:DescribeMountTargets",
                "nas:AddTags",
                "nas:DescribeTags",
                "nas:RemoveTags",
                "nas:CreateFileSystem",
                "nas:DeleteFileSystem",
                "nas:ModifyFileSystem",
                "nas:CreateMountTarget",
                "nas:DeleteMountTarget",
                "nas:ModifyMountTarget",
                "nas:TagResources",
                "nas:SetDirQuota",
                "nas:EnableRecycleBin",
                "nas:GetRecycleBinAttribute"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:PutBucket",
                "oss:GetObjectTagging",
                "oss:ListBuckets",
                "oss:PutBucketTags",
                "oss:GetBucketTags",
                "oss:PutBucketEncryption",
                "oss:GetBucketInfo"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

Attach the policy to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.
Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.
The system automatically uses the AccessKey pair to access cloud resources when you install the CSI plug-in.
```
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'
```
Note
Replace <your access key id> and <your access key secret> with the AccessKey pair that you obtained in the previous step.

Step 2: Install the CSI plug-in

Use onectl

Run the following command to install the CSI plug-in:

onectl addon install csi-plugin
onectl addon install csi-provisioner

Expected output:

Addon csi-plugin, version **** installed.
Addon csi-provisioner, version **** installed.

Use the console

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.
Click the Storage tab, find csi-plugin and csi-provisioner, and then click Install.
In the Note message, confirm the versions of the plug-ins and click OK.

Step 3: Mount volumes

The following table describes how to mount different types of volumes in registered clusters.

Volume type	References
NAS	Mount a statically provisioned NAS volume Mount a dynamically provisioned NAS volume
OSS	Mount a statically provisioned OSS volume Encrypt an OSS volume
CPFS	Statically provisioned CPFS 1.0 volumes Dynamically provisioned CPFS 1.0 volumes
CNFS	Use CNFS to manage NAS file systems Use CNFS to manage shared NAS volumes (recommended) Use CNFS to manage isolated NAS volumes (recommended)
Disk volumes	Disk volumes are not supported in registered clusters.