Container Service for Kubernetes (ACK) connects to Alibaba Cloud storage services through the Container Storage Interface (CSI) plug-in. After you install the plug-in in an ACK One registered cluster, you can mount disk volumes, NAS volumes, OSS volumes, and local volumes to your pods.
This topic covers three steps: configuring RAM permissions, installing the CSI plug-in, and using volumes.
Considerations
Before you start, check whether the following restrictions apply to your setup:
- If your external cluster runs on Alibaba Cloud ECS instances, you must add the required node labels to those instances. For more information, see Initialize ECS nodes after an external cluster is connected to an ACK One registered cluster.
- If you scale out an external cluster in a data center using the node pool feature with ECS nodes, the node label alibabacloud.com/external=true is added to those nodes automatically.
Prerequisites
Before you begin, ensure that you have:
- Created an ACK One registered cluster and connected an external Kubernetes cluster to it. For more information, see Create an ACK One registered cluster.
- A registered cluster running Kubernetes 1.24 or later.
- (Required for data center deployments) An Express Connect circuit connecting your data center to Alibaba Cloud.
Step 1: Configure RAM permissions
The CSI plug-in needs an AccessKey pair to call Alibaba Cloud APIs on your behalf. If you skip this step, the plug-in cannot access cloud storage services after installation.
Choose either of the following methods:
Use onectl
- Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.
- Run the following command to grant the RAM user the permissions required by the CSI plug-in:
  onectl ram-user grant --addon csi-plugin
  The expected output is similar to:
  Ram policy ack-one-registered-cluster-policy-csi-plugin granted to ram user ack-one-user-ce313528c3 successfully.
Use the console
- Create a custom policy using the following sample. The policy grants permissions to manage disks, snapshots, snapshot policies, resource tags, instances, NAS file systems, and OSS buckets.
- Create an AccessKey for the RAM user.
  Warning: Configure a network policy to restrict AccessKey calls to trusted network environments. For more information, see AccessKey network access restriction policy.
- Create a Kubernetes Secret named alibaba-addon-secret in the kube-system namespace using the AccessKey pair. The CSI plug-in reads this Secret to authenticate with Alibaba Cloud services.
  kubectl -n kube-system create secret generic alibaba-addon-secret \
    --from-literal='access-key-id=<your-access-key-id>' \
    --from-literal='access-key-secret=<your-access-key-secret>'
  Replace <your-access-key-id> and <your-access-key-secret> with the AccessKey pair you created in the previous step.
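An added example, not part of the original page: the --from-literal form places the AccessKey pair in shell history and in the process argument list, so this script builds the same Secret (same name, namespace, and keys) from two files instead. The file names ak_id.txt and ak_secret.txt and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's own tooling. File and function names
# are hypothetical; the Secret name, namespace and keys come from the page.

# Read one credential file, strip CR/LF (editors often append a newline that
# would otherwise become part of the key), and reject empty values, values
# containing spaces, and the page's <...> placeholders.
read_credential() {
    value=$(tr -d '\r\n' < "$1") || return 1
    case "$value" in
        ''|*'<'*|*'>'*|*' '*)
            echo "invalid or placeholder credential in $1" >&2
            return 1 ;;
    esac
    printf '%s' "$value"
}

# Print a Secret manifest on stdout; nothing sensitive is passed in argv.
render_addon_secret() {
    id=$(read_credential "$1") || return 1
    secret=$(read_credential "$2") || return 1
    id_b64=$(printf '%s' "$id" | base64 | tr -d '\n')
    secret_b64=$(printf '%s' "$secret" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system
type: Opaque
data:
  access-key-id: ${id_b64}
  access-key-secret: ${secret_b64}
EOF
}

# Usage (needs cluster access, so it is left commented out here):
#   umask 077   # before writing ak_id.txt and ak_secret.txt
#   render_addon_secret ak_id.txt ak_secret.txt | kubectl create -f -
#   rm -f ak_id.txt ak_secret.txt
```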
Step 2: Install the CSI plug-in
Install both csi-plugin and csi-provisioner.
Use onectl
Run the following commands:
onectl addon install csi-plugin
onectl addon install csi-provisioner
The expected output is similar to:
Addon csi-plugin, version **** installed.
Addon csi-provisioner, version **** installed.
Use the console
- Log on to the ACK console. In the left navigation pane, click Clusters.
- Click the name of your cluster. In the left navigation pane, click Add-ons.
- Click the Volumes tab. Find the csi-plugin and csi-provisioner cards, then click Install on each card.
- In the Message dialog box, confirm the versions and click OK.
Step 3: Use volumes
After the CSI plug-in is installed, refer to the following topics to mount different volume types in your registered cluster.
What's next
- To manage or remove the CSI plug-in add-ons, navigate to the Add-ons page in the ACK console, or refer to the onectl documentation for the corresponding commands.
- To manage storage at scale across multiple registered clusters, see ACK One fleet management.