The container storage feature of Container Service for Kubernetes (ACK) is integrated with the storage services provided by Alibaba Cloud, and is compatible with Kubernetes-native storage services. You can deploy the Container Storage Interface (CSI) plug-in in ACK clusters to use Alibaba Cloud storage services. Disk volumes, Apsara File Storage NAS (NAS) volumes, Object Storage Service (OSS) volumes, Cloud Paralleled File System (CPFS) volumes, and local volumes can be automatically mounted to pods in ACK clusters. This topic describes how to use the CSI plug-in in an external Kubernetes cluster.

Prerequisites

  • A cluster registration proxy is created and an external Kubernetes cluster is connected to the cluster registration proxy. For more information, see Create a cluster registration proxy and register an on-premises cluster.
  • Elastic Compute Service (ECS) instances are added to the external Kubernetes cluster. For more information about how to add ECS instances to an external Kubernetes cluster, see Create and scale out a node pool.
    Notice: The CSI plug-in provided by Alibaba Cloud can be deployed only on ECS instances. Therefore, you must add the alibabacloud.com/external=true label to the ECS instances in the external Kubernetes cluster.
  • A kubectl client is connected to the cluster. For more information, see Connect to ACK clusters by using kubectl.

Considerations

  • If the external Kubernetes cluster is deployed on Alibaba Cloud and ECS instances are added to the cluster, you must add labels to the ECS instances. For more information about how to add labels to ECS instances, see Add labels to ECS instances in an external Kubernetes cluster that is registered with ACK.
  • If you use the node pool feature to add ECS instances to the registered external cluster, the ECS instances are added with the alibabacloud.com/external=true label.

Step 1: Grant a RAM user the permissions to access the CSI plug-in in the external Kubernetes cluster

Before you install the CSI plug-in in a registered external cluster, you must set an AccessKey pair in the cluster to access related cloud resources. Before you set the AccessKey pair, create a Resource Access Management (RAM) user and grant the RAM user the permissions to access Alibaba Cloud resources.

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Create a custom permission policy.
    For more information about how to create a custom permission policy, see Create a custom policy.
    The following example is a custom permission policy that grants permissions to manage disks, snapshots, snapshot policies, resource labels, instances, file systems, and repositories. For more information about API operations, see List of operations by function.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:AttachDisk",
                    "ecs:DetachDisk",
                    "ecs:DescribeDisks",
                    "ecs:CreateDisk",
                    "ecs:ResizeDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:CreateAutoSnapshotPolicy",
                    "ecs:ApplyAutoSnapshotPolicy",
                    "ecs:CancelAutoSnapshotPolicy",
                    "ecs:DeleteAutoSnapshotPolicy",
                    "ecs:DescribeAutoSnapshotPolicyEX",
                    "ecs:ModifyAutoSnapshotPolicyEx",
                    "ecs:AddTags",
                    "ecs:DescribeTags",
                    "ecs:DescribeSnapshots",
                    "ecs:ListTagResources",
                    "ecs:TagResources",
                    "ecs:UntagResources",
                    "ecs:ModifyDiskSpec",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteDisk",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstances"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "nas:DescribeFileSystems",
                    "nas:DescribeMountTargets",
                    "nas:AddTags",
                    "nas:DescribeTags",
                    "nas:RemoveTags",
                    "nas:CreateFileSystem",
                    "nas:DeleteFileSystem",
                    "nas:ModifyFileSystem",
                    "nas:CreateMountTarget",
                    "nas:DeleteMountTarget",
                    "nas:ModifyMountTarget",
                    "nas:TagResources",
                    "nas:SetDirQuota",
                    "nas:EnableRecycleBin",
                    "nas:GetRecycleBinAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:PutBucket",
                    "oss:GetObjectTagging",
                    "oss:ListBuckets",
                    "oss:PutBucketTags",
                    "oss:GetBucketTags",
                    "oss:PutBucketEncryption",
                    "oss:GetBucketInfo"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  3. Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
  5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.
    The system automatically uses the AccessKey pair to access cloud resources when you install the CSI plug-in.
    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'
    Note: Replace <your access key id> and <your access key secret> in the command with the AccessKey pair that you obtained.
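
The AccessKey pair stored in alibaba-addon-secret carries every permission in the custom policy from step 2, so the policy is worth reviewing before it is attached to the RAM user. The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling: it flags duplicate actions, wildcard actions, and destructive operations allowed on all resources. SAMPLE_POLICY is a constructed excerpt with the same structure as the policy above, and the DESTRUCTIVE_VERBS list and the finding names are assumptions made for this example.

```python
import json

# Constructed excerpt with the same shape as the policy in step 2 (not the full policy).
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeDisks", "ecs:CreateSnapshot", "ecs:DeleteSnapshot",
                "ecs:CreateSnapshot", "ecs:DeleteDisk"],
     "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["nas:DescribeFileSystems", "nas:DeleteFileSystem"],
     "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["oss:ListBuckets", "oss:PutBucket"],
     "Resource": ["*"], "Effect": "Allow"}
  ]
}
""")

# Assumption: operations with these verb prefixes remove or detach resources.
DESTRUCTIVE_VERBS = ("Delete", "Detach", "Remove", "Cancel", "Untag")


def as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Return sorted (statement_index, finding, action) tuples for Allow statements."""
    findings = set()
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        unscoped = "*" in as_list(stmt.get("Resource"))
        for action in actions:
            operation = action.partition(":")[2]
            if actions.count(action) > 1:
                findings.add((index, "duplicate-action", action))
            if "*" in action:
                findings.add((index, "wildcard-action", action))
            elif unscoped and operation.startswith(DESTRUCTIVE_VERBS):
                findings.add((index, "destructive-on-all-resources", action))
    return sorted(findings)


if __name__ == "__main__":
    for index, finding, action in audit_policy(SAMPLE_POLICY):
        print(f"statement {index}: {finding}: {action}")
```

To review the real policy, save it to a file and pass the result of json.load() to audit_policy().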

Step 2: Install the CSI plug-in

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Operations > Add-ons.
  5. Click the Storage tab, find csi-plugin and csi-provisioner, and then click Install.
  6. In the Note message, confirm the versions of the plug-ins and click OK.
    After the plug-ins are installed, the system prompts that the installations are completed and the current versions of the plug-ins are displayed.

Step 3: Mount volumes

The following table describes how to mount different types of volumes in registered clusters.
Volume type References
NAS
OSS
CPFS
CNFS
Disk volumes Disk volumes are not supported in registered clusters.