The Container Storage Interface (CSI) components, csi-plugin and csi-provisioner, automate operations such as dynamic provisioning, mounting, unmounting, and resizing of storage volumes. This allows you to use Alibaba Cloud storage resources, such as cloud disks and NAS, as seamlessly as native Kubernetes resources.
Component overview
Components
CSI components are installed in ACK clusters by default. The csi-plugin and csi-provisioner components work together to manage the lifecycle of storage volumes.
|
Component |
Description |
Deployment type |
|
Runs on each node to perform node-level operations, such as mounting and unmounting storage volumes and formatting file systems. |
DaemonSet |
|
|
Runs as a central controller to handle dynamic provisioning, deletion, resizing, and snapshotting of storage volumes. It supports the management of cloud disk, NAS, and OSS storage volumes. |
Deployment |
Managed and unmanaged modes for csi-provisioner
To improve stability and reduce operational overhead, csi-provisioner provides managed and unmanaged modes. New clusters use managed mode by default.
-
Managed mode (default)
The component pods are managed by ACK and are not visible in the kube-system namespace. ACK maintains the components and tunes their resources. -
Unmanaged mode
The component pods are deployed as a Deployment in the kube-system namespace. You must manage resource configurations (by modifying the Deployment YAML) and troubleshoot issues.
Upgrade CSI components
You can view component versions and perform upgrades on the Add-ons page in the console.
Pre-upgrade checks
-
Check version compatibility: Refer to the changelogs (csi-provisioner, csi-plugin) to confirm that the target CSI version is compatible with your current cluster version.
-
Check FlexVolume migration status: If your cluster previously used the
csi-compatible-controllercomponent to migrate from FlexVolume to CSI, any unfinished migration tasks will block the automatic upgrade of CSI components. Complete the migration first, or see Upgrade components to perform a manual upgrade during the migration. -
Follow the upgrade order: Storage components have dependencies. To ensure compatibility and stability, upgrade them in the following order: storage-operator→csi-provisioner→csi-plugin.
Upgrade process
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Components and Add-ons.
-
Click the Volumes tab. Locate
csi-provisionerandcsi-plugin, and upgrade them in order.If the upgrade fails, see Component upgrade failures.
After the upgrade, you can check the component card to verify that the version is as expected.
Production considerations
-
Security hardening and metadata access conflicts:
The
csi-plugincomponent must access instance metadata to obtain node information, such as the region and availability zone. If you disable metadata access, the component will fail to start or run abnormally. See Access ECS instance metadata in security-hardened mode for the required component version.When you configure a security group or node security policies, ensure that the
csi-plugincomponent pod can access the instance metadata service. -
Keep the default StorageClass:
ACK provides default StorageClass objects such as
alicloud-disk-essd. If you modify their properties, such asprovisionerorparameters, component upgrades might fail.
FAQ
Component issues
Startup failure: exec /usr/bin/plugin.csi.alibabacloud.com: exec format error
Symptom
The csi-plugin container in the csi-plugin Pod fails to start, and the log shows the error: exec /usr/bin/plugin.csi.alibabacloud.com: exec format error.
Cause
This error usually indicates a CPU architecture mismatch. However, csi-plugin supports both amd64 and arm64 architectures by default. Therefore, if this error occurs on a supported node, the most likely cause is a corrupted CSI image file.
This can happen if the image pull process is interrupted, for example, by a forced shutdown. This leaves an incomplete image file on the node. Although the image metadata exists, the binary executable is invalid or damaged, which prevents the csi-plugin container from starting.
Solution
-
Scale out by adding a new node, and then drain the problematic node.
-
If you must keep the current node, perform the following steps:
-
Drain the node to evict its workloads, and then remove the node from the cluster.
-
Log on to the node and delete all containers, if any.
-
Delete all files from the
/var/lib/containerddirectory. -
Add the node back to the cluster.
-
Storage component OOM issues
The sidecar container in the csi-provisioner component pod caches resource information such as pods, PVs, and PVCs. In a large-scale cluster, this can consume a significant amount of memory and might cause the container to experience an Out-of-Memory (OOM) error.
-
Managed
csi-provisioner: Submit a ticket for assistance. -
Unmanaged
csi-provisioner: If an OOM error occurs, adjust the resource limits based on your cluster size.On the Clusters page, click the name of your cluster. In the left navigation pane, click Components and Add-ons.
-
Locate the
csi-provisionercomponent, click the
icon, and then click View in YAML. -
Edit the component YAML to adjust the resource limits according to your cluster size.
containers: - name: external-disk-provisioner image: registry-vpc.cn-huhexxxx.yuncs.com/acs/csi-provisioner:v3.0.0-080f01e64-aliyun resources: requests: cpu: 10m memory: 16Mi limits: cpu: 500m memory: 1024Mi
csi-plugin high network traffic
Symptom
In the cluster pod monitoring dashboard, the csi-plugin component pods show high network traffic.
Cause
This is expected behavior. The csi-plugin component manages the mounting of NAS storage volumes on nodes. When an application pod reads or writes data through a NAS mount point, the resulting network traffic passes through the network namespace of the csi-plugin pod. Therefore, the monitoring system attributes this traffic to the csi-plugin pod.
Solution
No action is required; you can safely ignore this. The traffic is only attributed to the csi-plugin pod for accounting purposes and does not actually consume its resources, nor does it result in double traffic or duplicate billing. This is a monitoring artifact that does not affect performance.
The csi-provisioner component logs report the failed to renew lease xxx timed out waiting for the condition error
Symptom
Run the kubectl logs csi-provisioner-xxxx -n kube-system command to view the CSI logs. The failed to renew lease xxx timed out waiting for the condition error is reported.
Cause
The csi-provisioner component uses a multi-replica model for high availability. To ensure that only one instance serves requests at a time, the replicas use the Kubernetes Lease mechanism for leader election. This mechanism depends heavily on stable communication with the API server.
This error indicates that csi-provisioner cannot access the API server, causing the leader election process to fail. As a result, no replica can become the leader and provide service.
Solution
Check the cluster's network connectivity and the status of the API server. If the issue persists, submit a ticket for assistance.
Component upgrade failures
csi-plugin pre-upgrade check failure
This issue typically occurs during the migration from the FlexVolume storage plug-in to CSI. You can run the following command to confirm whether both storage plug-ins coexist.
kubectl -nkube-system get ds csi-plugin flexvolume
If the output is similar to the following:
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
csi-plugin 4 4 4 4 4 kubernetes.io/os=linux 7d
flexvolume 4 4 4 4 4 kubernetes.io/os=linux 7d
This indicates that both storage plug-ins coexist.
FlexVolume and CSI cannot be upgraded while they coexist. To upgrade the CSI component, first migrate all FlexVolume PVs and PVCs to CSI and then uninstall the FlexVolume component. For more information, see Migrate FlexVolume without a storage cluster to CSI.
If this is not the cause and your cluster hosts critical business data, contact us to request an assisted manual upgrade.
csi-plugin upgrade fails after pre-check
The csi-plugin component is deployed as a DaemonSet, which requires all nodes to be in a healthy state. The upgrade fails if the cluster has any nodes in a NotReady or non-Running state.
You must first repair the faulty node and then retry the upgrade. If you cannot identify the cause, contact us to request an assisted manual upgrade.
csi-provisioner missing from console
Earlier versions of csi-provisioner (1.14 and earlier) are deployed as a StatefulSet. If StatefulSet instances of csi-provisioner still exist in the current cluster, you must manually delete them (kubectl delete sts csi-provisioner) before reinstalling.
If you encounter issues during this operation, contact us to request an assisted manual upgrade.
csi-provisioner pre-upgrade check failure
This issue typically occurs during the migration from the FlexVolume storage plug-in to CSI. You can run the following command to confirm whether both storage plug-ins coexist.
kubectl -nkube-system get ds csi-plugin flexvolume
If the output is similar to the following:
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
csi-plugin 4 4 4 4 4 kubernetes.io/os=linux 7d
flexvolume 4 4 4 4 4 kubernetes.io/os=linux 7d
This indicates that both storage plug-ins coexist.
FlexVolume and CSI cannot be upgraded while they coexist. To upgrade the CSI component, first migrate all FlexVolume PVs and PVCs to CSI and then uninstall the FlexVolume component. For more information, see Migrate FlexVolume without a storage cluster to CSI.
If this is not the cause and your cluster hosts critical business data, contact us to request an assisted manual upgrade.
csi-provisioner upgrade fails after pre-check
Contact us to request an assisted manual upgrade.
csi-provisioner upgrade failure: Node count or permissions
Symptom
-
Scenario 1: The pre-upgrade check for the
csi-provisionercomponent fails, indicating that the cluster does not have enough nodes. -
Scenario 2: The pre-check for the csi-provisioner component and the upgrade are successful. However, the component's Pod enters the
CrashLoopBackOffstate, and the logs show a403 Forbiddenerror.time="2023-08-05T13:54:00+08:00" level=info msg="Use node id : <?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n <head>\n <title>403 - Forbidden</title>\n </head>\n <body>\n <h1>403 - Forbidden</h1>\n </body>\n</html>\n"
Cause and solution
-
Scenario 1
-
Cause: The
csi-provisionercomponent uses an active-standby deployment model, and its two replicas must be scheduled to different nodes to satisfy anti-affinity requirements. A single-node cluster cannot meet this scheduling condition, causing the second replica to remain in aPendingstate and preventing the upgrade from completing successfully. -
Solution: Add at least one more node to the cluster to ensure that the multiple replicas can be scheduled correctly.
-
-
Scenario 2
-
Cause: The
csi-provisionercomponent must access the node's instance metadata to obtain information such as the instance ID and region, which are required for calling Alibaba Cloud APIs. If security hardening is enabled on the node or strict network policies are configured, access to the metadata service might be blocked. -
Solution: Adjust or disable the security hardening policies on the node to ensure the pod can access the metadata service. Also, check security group rules, OS firewall settings, and any relevant security scripts.
-
csi-provisioner upgrade failure: StorageClass modification
Symptom
The installation or upgrade of csi-provisioner fails its pre-check, indicating that the StorageClass properties do not meet expectations.
Cause
The default StorageClass provided by ACK has a fixed configuration, and its core fields, such as provisioner and parameters, cannot be changed. Manually deleting and recreating a StorageClass with the same name will cause a validation failure and interrupt the component upgrade process.
The CSI installer strictly validates the integrity of these resources to ensure consistent component behavior.
Solution
-
Delete the default StorageClass objects from the cluster, including
alicloud-disk-essd,alicloud-disk-available,alicloud-disk-efficiency,alicloud-disk-ssd, andalicloud-disk-topology.This operation does not affect the normal use of existing PVs and PVCs.
-
After you delete the StorageClass objects, reinstall
csi-provisioner. The installer automatically recreates the StorageClass objects. No further action is needed.
If you need a custom StorageClass, always create a new one with a different name. Do not modify or recreate the default StorageClass objects.
Contact us
To request manual upgrade support, use DingTalk to search for group number 35532895 and join the group for assistance.
References
-
For more information about CSI, see alibaba-cloud-csi-driver.
-
For CSI component changelogs, see csi-provisioner and csi-plugin.
-
For other storage components, see Manage the storage-operator component, Manage the cnfs-nas-daemon component, and Manage the cnfs-controller component.