Object Storage Service (OSS) is a secure, cost-effective, and highly durable cloud storage service provided by Alibaba Cloud for storing large amounts of unstructured data, such as images, audio data, and video data. This topic describes how to mount an OSS bucket to Elastic Container Instance-based pods in an ACK Serverless cluster by using a persistent volume claim (PVC).
Prerequisites
An ACK Serverless cluster is created. For more information, see Create a cluster.
Usage notes
OSS is a shared storage service. You can mount a single OSS bucket to multiple pods.
We recommend that you store no more than 1,000 files in the mount directory. When the mount directory contains a large number of files, ossfs (a FUSE-based tool that mounts OSS buckets as local file systems) consumes a significant amount of memory, which may cause out-of-memory (OOM) errors in pods.
Procedure
Step 1: Obtain OSS bucket information
If no OSS bucket is available, create one in the OSS console. For more information, see Create a bucket.
Log on to the OSS console. In the left-side navigation pane, click Buckets.
On the Buckets page, find the OSS bucket that you want to use and click the bucket name.
On the bucket details page, click the Overview tab. In the Port section, copy an endpoint based on the following rules:
If the bucket and your cluster are in the same region, copy the internal endpoint.
If the bucket and your cluster are in different regions, copy the public endpoint.
Step 2: Grant permissions for accessing OSS
Use one of the following methods to grant the required permissions:
Method 1 (recommended): Use a RAM role
Create a Resource Access Management (RAM) role and attach a RAM policy to the role. When you create the RAM role, set Principal Type to Cloud Service and set Principal Name to Elastic Compute Service / ECS. Then, attach the AliyunOSSFullAccess policy to the RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.
Method 2: Use an AccessKey pair
Obtain the AccessKey ID and AccessKey secret of the RAM user that you use. For more information, see Obtain an AccessKey pair.
Step 3: Create the YAML configuration file
Create a file named test-ack-oss.yaml and copy the following content to the file.
This example uses a VPC. Make sure that the instance, the image repository, and the OSS bucket all reside in the same region, such as China (Beijing).
If you want to mount an OSS bucket or pull an image across regions, you must configure access over the Internet and update the image and url fields in the following code accordingly:
image: Set the value to registry.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2.
url: Set the value to the public endpoint.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-ack-oss
  labels:
    alibabacloud.com/eci: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      alibabacloud.com/eci: "true"
  template:
    metadata:
      labels:
        alibabacloud.com/eci: "true"
    spec:
      containers:
      - name: nginx
        image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2
        ports:
        - containerPort: 80
        volumeMounts:
        - name: cache-volume
          mountPath: /cache-test
      volumes:
      - name: cache-volume
        persistentVolumeClaim:
          claimName: oss-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: oss-pvc
spec:
  storageClassName: test
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      alicloud-pvname: pv-oss
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
  labels:
    alicloud-pvname: pv-oss
spec:
  storageClassName: test
  capacity:
    storage: 5Gi
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "oss-test"
      url: "oss-cn-beijing-internal.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      ramRole: "<your RAM Role Name>"
```
The preceding YAML defines three Kubernetes resources: a Deployment, a PVC, and a persistent volume (PV). The PV uses the Container Storage Interface (CSI) driver ossplugin.csi.alibabacloud.com to mount the OSS bucket.
AccessKey pair authorization: If you want to use an AccessKey pair instead of a RAM role, replace ramRole: "<your RAM Role Name>" with the following lines:
```yaml
akId: "<your AccessKey ID>"
akSecret: "<your AccessKey secret>"
```
If the OSS bucket and the cluster to which you want to mount the bucket belong to different Alibaba Cloud accounts, you must specify the AccessKey pair of the account that owns the OSS bucket.
volumeAttributes parameters
The following table describes the parameters that you can configure in the volumeAttributes section.
| Parameter | Description |
|---|---|
| bucket | The name of the OSS bucket. Only OSS buckets can be mounted to pods. You cannot mount subdirectories or individual files in OSS buckets to pods. |
| url | The endpoint of the OSS bucket, which you obtained in Step 1. Use the internal endpoint if the bucket and the cluster are in the same region. Use the public endpoint if they are in different regions. |
| otherOpts | Custom options for mounting the OSS bucket. Format: -o *** -o ***. Example: -o max_stat_cache_size=0 -o allow_other. |
| ramRole | The name of the RAM role used to grant access permissions. |
| akId | The AccessKey ID used to grant access permissions. |
| akSecret | The AccessKey secret used to grant access permissions. |
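
The following Python check is an added example, not part of the original documentation. It reads the volumeAttributes of a PV manifest like the one in Step 3 and reports the settings worth reviewing before deployment: an AccessKey pair written into the PV spec, a public endpoint, and the allow_other mount option. The sample manifest is constructed, and the function and finding names are this example's own.

```python
import re

# Constructed sample PV fragment (placeholder values, not real credentials).
SAMPLE_PV = '''\
spec:
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeAttributes:
      bucket: "oss-test"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      akId: "<your AccessKey ID>"
      akSecret: "<your AccessKey secret>"
'''

def volume_attributes(manifest):
    """Collect key/value pairs nested under volumeAttributes: by indentation."""
    attrs, indent = {}, None
    for line in manifest.splitlines():
        depth = len(line) - len(line.lstrip())
        if line.strip() == "volumeAttributes:":
            indent = depth
        elif indent is not None:
            if line.strip() and depth <= indent:
                break  # dedent: left the volumeAttributes block
            m = re.match(r'\s*([A-Za-z]+):\s*"?(.*?)"?\s*$', line)
            if m:
                attrs[m.group(1)] = m.group(2)
    return attrs

def audit(manifest):
    """Return findings (names are this example's own) for the OSS mount settings."""
    a, findings = volume_attributes(manifest), []
    if "akId" in a or "akSecret" in a:
        findings.append("static-credentials: the AccessKey pair sits in the PV spec and "
                        "is readable by anyone who can read PersistentVolumes")
    elif not a.get("ramRole"):
        findings.append("no-auth: neither ramRole nor akId/akSecret is set")
    url = a.get("url", "")
    if url and "-internal" not in url:
        findings.append("public-endpoint: traffic goes over the Internet; "
                        "confirm the bucket really is in a different region")
    if "allow_other" in a.get("otherOpts", ""):
        findings.append("allow_other: every user in the container can access the mount")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PV):
        print(finding)
```

Run against the Step 3 manifest as written (ramRole and the internal endpoint), the check reports only allow_other.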
Step 4: Deploy the pods
Run the following command to create Elastic Container Instance-based pods with the OSS bucket mounted:
```
kubectl create -f test-ack-oss.yaml
```
Step 5: Verify the result
Run the following command to query the pods:
```
kubectl get pods -o wide
```
Expected output:
```
NAME                            READY   STATUS    RESTARTS   AGE   IP              NODE                        NOMINATED NODE   READINESS GATES
test-ack-oss-655db9d64d-5q7d9   1/1     Running   0          46s   172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
test-ack-oss-655db9d64d-m5vct   1/1     Running   0          46s   172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
```
Verify the following:
Both pods are in the Running state and scheduled on virtual-kubelet nodes.
The /cache-test mount directory exists in each pod.
Files written to one pod are visible in the other pod, which confirms that both pods share the same OSS bucket.

References
For more information about OSS volumes, see OSS volume overview.