Container Service for Kubernetes: Use the CSI plug-in

Last Updated: Apr 29, 2025

The container storage feature of Container Service for Kubernetes (ACK) is integrated with the storage services provided by Alibaba Cloud, and is compatible with Kubernetes-native storage services. You can deploy the Container Storage Interface (CSI) plug-in in ACK clusters to use Alibaba Cloud storage services. Disk volumes, File Storage NAS (NAS) volumes, Object Storage Service (OSS) volumes, and local volumes can be automatically mounted to pods in ACK clusters. This topic describes how to use the CSI plug-in in a registered cluster.

Prerequisites

  • A registered cluster is created and an external cluster is connected to the registered cluster. For more information, see Create a registered cluster.

  • The Kubernetes version of the registered cluster is 1.24 or later.

  • If the external cluster is deployed in a data center, make sure that the data center is connected to Alibaba Cloud by using an Express Connect circuit before you mount Alibaba Cloud storage resources to nodes in the cluster as volumes.

Considerations

  • If the external cluster is deployed on Alibaba Cloud and Elastic Compute Service (ECS) instances are added to the cluster, you must add labels to the ECS instances. For more information about how to add labels to ECS instances, see Add labels to ECS instances in an external cluster that is registered with ACK.

  • If you use the node pool feature to add ECS instances to the external cluster, the alibabacloud.com/external=true label is automatically added to the ECS instances.

Step 1: Grant a RAM user the permissions to manage the CSI plug-in

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. onectl uses the AccessKey pair of a Resource Access Management (RAM) user to access Alibaba Cloud resources. Run the following command to grant the RAM user the permissions to manage the CSI component:

    onectl ram-user grant --addon csi-plugin

    Expected output:

    Ram policy ack-one-registered-cluster-policy-csi-plugin granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

Before you install the CSI plug-in in a registered external cluster, you must set an AccessKey pair in the cluster to access related cloud resources. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

  1. Create a RAM user.

  2. Create a custom policy. The following sample custom policy grants the permissions to manage disks, snapshots, snapshot policies, resource labels, instances, file systems, and repositories.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:AttachDisk",
                    "ecs:DetachDisk",
                    "ecs:DescribeDisks",
                    "ecs:CreateDisk",
                    "ecs:ResizeDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:CreateAutoSnapshotPolicy",
                    "ecs:ApplyAutoSnapshotPolicy",
                    "ecs:CancelAutoSnapshotPolicy",
                    "ecs:DeleteAutoSnapshotPolicy",
                    "ecs:DescribeAutoSnapshotPolicyEX",
                    "ecs:ModifyAutoSnapshotPolicyEx",
                    "ecs:AddTags",
                    "ecs:DescribeTags",
                    "ecs:DescribeSnapshots",
                    "ecs:ListTagResources",
                    "ecs:TagResources",
                    "ecs:UntagResources",
                    "ecs:ModifyDiskSpec",
                    "ecs:DeleteDisk",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstances"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "nas:DescribeFileSystems",
                    "nas:DescribeMountTargets",
                    "nas:AddTags",
                    "nas:DescribeTags",
                    "nas:RemoveTags",
                    "nas:CreateFileSystem",
                    "nas:DeleteFileSystem",
                    "nas:ModifyFileSystem",
                    "nas:CreateMountTarget",
                    "nas:DeleteMountTarget",
                    "nas:ModifyMountTarget",
                    "nas:TagResources",
                    "nas:SetDirQuota",
                    "nas:EnableRecycleBin",
                    "nas:GetRecycleBinAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:PutBucket",
                    "oss:GetObjectTagging",
                    "oss:ListBuckets",
                    "oss:PutBucketTags",
                    "oss:GetBucketTags",
                    "oss:PutBucketEncryption",
                    "oss:GetBucketInfo"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  3. Attach the custom policy to the RAM user.

  4. Create an AccessKey pair for the RAM user.

    Warning

    We recommend that you configure a network access control policy for the AccessKey pair so that the AccessKey pair can be invoked only from trusted network environments. This enhances the security of the AccessKey pair.

  5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.

    The system automatically uses the AccessKey pair to access cloud resources when you install the CSI component.

    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'

    Note

    Replace <your access key id> and <your access key secret> with the AccessKey pair that you obtained in the previous step.
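
The --from-literal form above puts the AccessKey pair on the command line, where it is recorded in shell history and visible in the process list. The following script is an added example, not part of the original page: it stages each value in a private temporary file and passes only the file paths to kubectl through the --from-file=key=path form. The function names stage_value and create_addon_secret and the --prompt argument are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. stage_value, create_addon_secret
# and the --prompt argument are hypothetical names used for illustration.
set -eu

# Read one line from stdin into a private temp file (mktemp creates it 0600)
# WITHOUT a trailing newline: --from-file stores the file bytes verbatim, and
# a stray "\n" inside the AccessKey secret breaks request signing.
stage_value() {
    f=$(mktemp "${TMPDIR:-/tmp}/ack-ak.XXXXXX")
    IFS= read -r v || true      # read drops the newline; tolerate EOF without one
    printf '%s' "$v" > "$f"
    printf '%s\n' "$f"          # hand the path, not the value, to the caller
}

# $1 = file with the AccessKey ID, $2 = file with the AccessKey secret.
# Only file paths appear in argv, so the values stay out of `ps` and history.
create_addon_secret() {
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then
        echo "refusing to create the Secret from an empty value" >&2
        return 1
    fi
    kubectl -n kube-system create secret generic alibaba-addon-secret \
        --from-file=access-key-id="$1" \
        --from-file=access-key-secret="$2"
}

if [ "${1:-}" = "--prompt" ]; then
    id_file="" key_file=""
    # Restore terminal echo and delete the staged files on any exit path.
    trap 'stty echo 2>/dev/null || true; rm -f "$id_file" "$key_file"' EXIT
    printf 'AccessKey ID: ' >&2
    id_file=$(stage_value)
    printf 'AccessKey secret: ' >&2
    stty -echo 2>/dev/null || true
    key_file=$(stage_value)
    echo >&2
    create_addon_secret "$id_file" "$key_file"
fi
```

When the script is run with --prompt, it asks for both values on the terminal and removes the staged files when it exits.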

Step 2: Install the CSI plug-in

Use onectl

Run the following commands to install the CSI components:

onectl addon install csi-plugin
onectl addon install csi-provisioner

Expected output:

Addon csi-plugin, version **** installed.
Addon csi-provisioner, version **** installed.

Use the console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. Click the Storage tab, find csi-plugin and csi-provisioner, and then click Install.

  4. In the Note message, confirm the versions of the plug-ins and click OK.

Step 3: Mount volumes