Manage the lifecycle of OSS buckets

Container Service for Kubernetes (ACK) uses Container Network File System (CNFS) to separately manage the lifecycle of Object Storage Service (OSS) buckets. This topic describes how to use CNFS to manage the lifecycle of OSS buckets and mount OSS buckets to workloads.

Prerequisites

An ACK cluster is created. The Container Storage Interface (CSI) plug-in is used as the volume plug-in. For more information, see Create an ACK managed cluster.
The versions of csi-plugin and csi-provisioner are 1.24.2-5b34494d-aliyun or later. For more information about how to update csi-plugin and csi-provisioner, see Update csi-plugin and csi-provisioner.
The version of storage-operator is 1.24.95-e2d0756-aliyun or later. For more information about how to update storage-operator, see Manage components.
A kubectl client is connected to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Introduction

To manage the lifecycle of an OSS bucket by using CNFS, you can use one of the following methods:

Method 1: Use CNFS to create an OSS bucket named in the cnfs-oss- format
Use CNFS to create an OSS bucket that can be mounted to your cluster as a dynamically provisioned persistent volume (PV). In this example, an OSS bucket named cnfs-oss-<UUID e.g. clusterid> is created and mounted to a Deployment and a StatefulSet as a dynamically provisioned volume.
Method 2: Create a CNFS CRD to specify an existing OSS bucket
Create a CNFS CRD to specify an existing OSS bucket. Then, you can use the CNFS CRD to mount the OSS bucket to a Deployment as a statically or dynamically provisioned volume.

Note

When you create the CNFS CRD, the following limits apply to BucketName: cnfs-oss-<UUID e.g. clusterid>:

If an existing OSS bucket has the same name as the bucket name that you specify, the existing OSS bucket is associated with the ContainerNetworkFileSystem object.
If no existing OSS bucket has the same name as the bucket name that you specify, a new OSS bucket with the specified name is created and associated with the ContainerNetworkFileSystem object that you create. For example, if you specify cnfs-oss-<clusterid> as the bucket name, the system creates an OSS bucket named cnfs-oss-<clusterid>. Replace <clusterid> with the ID of your cluster. Make sure that the bucket name is unique.

Method 1: Use CNFS to create an OSS bucket named cnfs-oss-<UUID e.g. clusterid>

Use the following YAML template to create an OSS bucket named cnfs-oss-<UUID e.g. clusterid> by using CNFS and mount the bucket to a Deployment and a StatefulSet as a dynamically provisioned volume.

Replace <clusterid> with the ID of your cluster.

# Create the following objects: a CNFS, a StorageClass, a Deployment, and a StatefulSet. 
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: oss-secret
stringData:
  akId: "xxxx"     # The AccessKey pair that is required for mounting the OSS bucket. 
  akSecret: "xxxx"
---
apiVersion: storage.alibabacloud.com/v1beta1
kind: ContainerNetworkFileSystem
metadata:
  name: cnfs-oss-<clusterid>   # We recommend that you set the CNFS CRD name to the bucket name. 
spec:
  description: "cnfs-oss"
  type: oss
  reclaimPolicy: Retain # Only the Retain policy is supported. If the CNFS CRD is deleted, the associated OSS bucket is retained. 
  parameters:
    bucketName: cnfs-oss-<clusterid>  # If an existing bucket has the same name as the bucket name that you specify, the existing bucket is associated with the CNFS. If no existing OSS bucket has the same name as the bucket name that you specify, a new OSS bucket named cnfs-oss-clusterid is created. Replace clusterid with the ID of your cluster and make sure that the bucket name is unique. 
    encryptType: "AES256"   # If an existing OSS bucket is used, the encryption algorithm of the existing bucket is changed to AES-256. If a new OSS bucket is created, AES-256 is used as the encryption algorithm for the bucket. 
    storageType: "Standard"  # The storage type of the OSS bucket is Standard. 
    aclType: "private"       # Only the bucket owner and authorized users have read and write permissions on the bucket. 
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alibabacloud-cnfs-oss
parameters:
  containerNetworkFileSystem: cnfs-oss-<clusterid>   # The StorageClass references the OSS bucket that is associated with the cnfs-oss-clusterid CNFS CRD. 
  otherOpts: -o max_stat_cache_size=0 -o allow_other # Cache settings. 
  path: /
  # volumeAs: subpath # A subpath is automatically created for each PV under the specified path.
  csi.storage.k8s.io/node-publish-secret-name: oss-secret      # Mount the oss-secret Secret to the CNFS CRD. 
  csi.storage.k8s.io/node-publish-secret-namespace: default    # The namespace to which the oss-secret Secret belongs. 
provisioner: ossplugin.csi.alibabacloud.com
reclaimPolicy: Retain
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: cnfs-oss-pvc
spec:
  accessModes:
    - ReadOnlyMany
  storageClassName: alibabacloud-cnfs-oss   # Set the persistent volume claim (PVC) to use the alibabacloud-cnfs-oss StorageClass. 
  resources:
    requests:
      storage: 100Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cnfs-oss-deployment
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - mountPath: "/data"
          name: cnfs-oss-pvc
      volumes:
      - name: cnfs-oss-pvc   # Mount the cnfs-oss-pvc PVC to the Deployment. 
        persistentVolumeClaim:
          claimName: cnfs-oss-pvc
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cnfs-oss-sts
  labels:
    app: nginx
spec:
  serviceName: "nginx"
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - mountPath: "/data"
          name: www
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadOnlyMany" ]
      storageClassName: "alibabacloud-cnfs-oss"   # Mount the cnfs-oss-pvc PVC to the StatefulSet. 
      resources:
        requests:
          storage: 100Gi
EOF

The following table describes the parameters of the CNFS CRD.

Parameter	Description

Parameter	Description
description	The description of the CNFS file system.
type	The type of the volume that you want to create.
reclaimPolicy	The reclaim policy of the OSS bucket. Only the Retain policy is supported. If the CNFS CRD is deleted, the associated OSS bucket is retained.
parameters.bucketName	The name of the OSS bucket.
parameters.storageType	The storage type of the OSS bucket. Default value: Standard. Valid values: Valid values: Standard: Standard IA: Infrequent Access (IA) Archive: Archive ColdArchive: Cold Archive Note You must restore an Archive or Cold Archive object before you can read or write the object.
parameters.redundancyType	The storage redundancy type. Default value: ZRS. Valid values: LRS: Locally redundant storage (LRS) stores multiple copies of your data on multiple devices of different facilities in the same zone. LRS ensures data durability and availability even if hardware failures occur. ZRS: Zone-redundant storage (ZRS) stores multiple copies of your data across multiple zones in the same region. Your data is still accessible even if a zone becomes unavailable. Important The parameter is supported only by storage-operator v1.26.2-1de13b6-aliyun and later. If you set the value to ZRS, Cold Archive and Deep Cold Archive are not supported. For more information about the billing rules of different storage types and storage redundancy types, see Billable items.
parameters.encryptType	The encryption method of the OSS bucket. Valid values: None: No encryption algorithm is used by the OSS server. AES256: The AES-256 algorithm is used by the OSS server. SM4: The SM4 algorithm is used by the OSS server.
parameters.aclType	The type of the access control list (ACL) used by the OSS bucket. Default value: private. Valid values: public-read-write: All users, including anonymous users, can read and write objects in the bucket. Exercise caution when you specify this value. public-read: Only the bucket owner or authorized users can read and write objects in the bucket. Other users can only read objects in the bucket. Exercise caution when you specify this value. private: Only the bucket owner or authorized users can read and write objects in the bucket. Other users cannot access objects in the bucket.
parameters.enableVersioning	The versioning status of the bucket. Valid values: Valid values: enabled: Versioning is enabled for the bucket. suspended: Versioning is suspended for the bucket. None: Versioning is disabled for the bucket. Important The parameter is supported only by storage-operator v1.26.2-1de13b6-aliyun and later. If you enable versioning for a bucket, you can no longer configure retention policies or OSS-HDFS for the bucket. To configure retention policies or OSS-HDFS, you must set enableVersioning to `None`. After versioning is `enabled` for a bucket, you cannot `disable` versioning for the bucket. However, you can suspend versioning for the bucket. If you enable versioning for a bucket, you are charged for the storage of all versions of objects in the bucket. You can configure lifecycle rules for a bucket to recycle historical versions of objects in the bucket. For more information, see Overview.

Run the following command to query the OSS bucket that is created:

kubectl get cnfs/cnfs-oss-<clusterid> -o yaml

Expected output:

apiVersion: storage.alibabacloud.com/v1beta1
kind: ContainerNetworkFileSystem
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.alibabacloud.com/v1beta1","kind":"ContainerNetworkFileSystem","metadata":{"annotations":{},"name":"cnfs-oss-xxxxxxxxxx"},"spec":{"description":"cnfs-oss","parameters":{"aclType":"private","bucketName":"cnfs-oss-clusterid","encryptType":"AES256","storageType":"Standard"},"reclaimPolicy":"Retain","type":"oss"}}
  creationTimestamp: "2022-09-18T07:02:34Z"
  finalizers:
  - protection.alibabacloud.com/cnfs
  generation: 6
  name: cnfs-oss-****
  resourceVersion: "8091291"
  uid: ca187b2a-3bfa-4a5f-82d8-ca1b1f69****
spec:
  description: cnfs-oss
  parameters:
    aclType: private
    bucketName: cnfs-oss-****
    encryptType: AES256
    storageType: Standard
  reclaimPolicy: Retain
  type: oss
status:
  conditions:
  - lastProbeTime: "2022-09-18 15:02:39"
    reason: The oss bucket is complete initialization.
    status: Ready
  fsAttributes:
    accessGroupName: DEFAULT_VPC_GROUP_NAME
    aclType: private
    bucketName: cnfs-oss-****
    encryptType: AES256
    endPoint:
      extranet: oss-****.aliyuncs.com
      internal: oss-****-internal.aliyuncs.com
    regionId: ****
    storageType: Standard
  status: Available

The following table describes the parameters of the CNFS CRD.

Parameter	Description

Parameter	Description
status	The status of the CNFS CRD. Valid values: Pending: The CNFS CRD is pending. Creating: The CNFS CRD is being created. Initialization: The CNFS file system is being created. Available: The CNFS CRD is available. Unavailable: The CNFS CRD is unavailable. You can restore the CNFS CRD to the Available state. Fatal: The CNFS CRD is unavailable and cannot be restored to the Available state. Terminating: The CNFS CRD is being deleted.
conditions.lastProbeTime	The time when the last probe was sent.
conditions.reason	The reason for the current status.
conditions.status	Indicates whether the CNFS CRD is ready for use. Valid values: Ready: The CNFS CRD is ready for use. NotReady: The CNFS CRD is not ready for use.
fsAttributes.accessGroupName	The name of the permission group used by the mount point. Set the value to DEFAULT_VPC_GROUP_NAME. This indicates the default permission group for virtual private clouds (VPCs).
fsAttributes.encryptType	The encryption method. Valid values: None: No encryption algorithm is used by the OSS server. AES256: The AES-256 algorithm is used by the OSS server. SM4: The SM4 algorithm is used by the OSS server.
fsAttributes.regionId	The region in which your ACK cluster resides.
fsAttributes.storageType	The storage class of the OSS bucket. Default value: Standard. Valid values: Standard: Standard IA: IA Archive: Archive ColdArchive: Cold Archive Note You must restore an Archive or Cold Archive object before you can read or write the object.
fsAttributes.redundancyType	The storage redundancy type. Default value: ZRS. Valid values: LRS: Locally redundant storage (LRS) stores multiple copies of your data on multiple devices of different facilities in the same zone. LRS ensures data durability and availability even if hardware failures occur. ZRS: Zone-redundant storage (ZRS) stores multiple copies of your data across multiple zones in the same region. Your data is still accessible even if a zone becomes unavailable. Important The parameter is supported only by storage-operator v1.26.2-1de13b6-aliyun and later. If you set the value to ZRS, Cold Archive and Deep Cold Archive are not supported. For more information about the billing rules of different storage types and storage redundancy types, see Billable items.
fsAttributes.aclType	The type of the ACL used by the OSS bucket. Default value: private.
fsAttributes.endPoint	The endpoint of the CNFS CRD. Valid values: extranet: a public endpoint internal: an internal endpoint
fsAttributes.enableVersioning	The versioning status of the bucket. Valid values: Valid values: enabled: Versioning is enabled for the bucket. suspended: Versioning is suspended for the bucket. None: Versioning is disabled for the bucket. Important The parameter is supported only by storage-operator v1.26.2-1de13b6-aliyun and later. If you enable versioning for a bucket, you can no longer configure retention policies or OSS-HDFS for the bucket. To configure retention policies or OSS-HDFS, you must set enableVersioning to `None`. After versioning is `enabled` for a bucket, you cannot `disable` versioning for the bucket. However, you can suspend versioning for the bucket. If you enable versioning for a bucket, you are charged for the storage of all versions of objects in the bucket. You can configure lifecycle rules for a bucket to recycle historical versions of objects in the bucket. For more information, see Overview.

Run the following command to query the application that is created:

kubectl get pod

Expected output:

NAME                                   READY   STATUS    RESTARTS   AGE
cnfs-oss-deployment-5864fd8d98-4****   1/1     Running   0          2m21s
cnfs-oss-sts-0                         1/1     Running   0          2m21s
cnfs-oss-sts-1                         1/1     Running   0          2m16s

The output shows that the Deployment and the StatefulSet are in the Running state, and the CNFS CRD is mounted to the Deployment.

Method 2: Create a CNFS CRD to specify an existing OSS bucket

Create a CNFS CRD to specify an existing OSS bucket. Then, you can use the CNFS CRD to mount the OSS bucket to a Deployment as a statically or dynamically provisioned volume.

Run the following command to create a CNFS CRD that specifies an existing OSS bucket:

cat <<EOF | kubectl apply -f -
apiVersion: storage.alibabacloud.com/v1beta1
kind: ContainerNetworkFileSystem
metadata:
  name: cnfs-oss-exist-bucket-name
spec:
  description: "cnfs-oss"
  type: oss
  reclaimPolicy: Retain
  parameters:
    bucketName: bucket-name # The name of the existing OSS bucket that you want to use. 
EOF

Run the following command to query information about the OSS bucket:

kubectl get cnfs/cnfs-oss-exist-bucket-name -o yaml

Expected output:

apiVersion: storage.alibabacloud.com/v1beta1
kind: ContainerNetworkFileSystem
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.alibabacloud.com/v1beta1","kind":"ContainerNetworkFileSystem","metadata":{"annotations":{},"name":"cnfs-oss-xxxx"},"spec":{"description":"cnfs-oss","parameters":{"bucketName":"exist-bucket-name"},"reclaimPolicy":"Retain","type":"oss"}}
  creationTimestamp: "2022-09-14T09:21:10Z"
  finalizers:
  - protection.alibabacloud.com/cnfs
  generation: 7
  name: cnfs-oss-exist-bucket-name
  resourceVersion: "6504134"
  uid: 921564ac-0cd8-4a89-997d-c2393afd****
spec:
  description: cnfs-oss
  parameters:
    bucketName: exist-bucket-name
  reclaimPolicy: Retain
  type: oss
status:
  conditions:
  - lastProbeTime: "2022-09-14 17:00:21"
    reason: The oss bucket is complete initialization.
    status: Ready
  fsAttributes:
    accessGroupName: DEFAULT_VPC_GROUP_NAME
    aclType: private
    bucketName: exist-bucket-name
    encryptType: AES256
    endPoint:
      extranet: oss-****.aliyuncs.com           
      internal: oss-****-internal.aliyuncs.com
    regionId: ****
    storageType: Standard
  status: Available

Use the CNFS CRD to mount the OSS bucket as a dynamically provisioned volume to an application.
For more information, see Method 1: Use CNFS to create an OSS bucket named in the cnfs-oss- format

Prerequisites

Introduction

Method 1: Use CNFS to create an OSS bucket named cnfs-oss-<UUID e.g. clusterid>

Method 2: Create a CNFS CRD to specify an existing OSS bucket

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)