All Products
Search
Document Center

Container Service for Kubernetes:ossfs version upgrade and mounting process optimization in CSI, Product changes: changes to OSS mounting method in CSI

Last Updated:Sep 03, 2024

When you use Container Storage Interface (CSI) to mount Object Storage Service (OSS) volumes, the CSI component launches ossfs to mount OSS buckets to the node file system. The v1.30.4-* of the CSI component, which includes the csi-plugin and the csi-provisioner, upgraded the default version of ossfs and optimized the mounting process.

Changes and solutions

ossfs version upgrade

In v1.30.4-*, the default version of ossfs used by the csi-plugin and the csi-provisioner is upgraded to 1.91.3. For more information about the ossfs versions, see ossfs versions. For information about ossfs version 1.91 or later, see Features of ossfs 1.91 and later and ossfs performance benchmarking.

If you still prefer ossfs version 1.88, perform the following steps.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. Click the Storage tab, find the csi-plugin and the csi-provisioner components, click Configuration on the two component cards respectively, and configure the FeatureGate of the two components to UpdatedOssfsVersion=false.

Switch the ossfs namespace to ack-csi-fuse

In the earlier version, when mounting OSS buckets, the CSI automatically creates ossfs pods under the kube-system namespace. Since v1.30.4-*, the namespace to which the ossfs pods belong are switched to ack-csi-fuse.

If you use RAM Roles for Service Accounts (RRAS) authentication for OSS volumes in versions earlier than 1.30.4-*, due to the namespace change of the pod, you must grant permissions to the RAM role before upgrading to v1.30.4-*. Otherwise, the pod that mounts the new OSS volume will fail to start.

Follow the steps below to modify the trust policy.

  1. Log on to the RAM console using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the corresponding RAM role, click the role name, and then click the Trust Policy tab. Edit the trust policy as prompted.

    You can refer to the following example to modify the trust policy. The sample code adds the ServiceAccount in the ack-csi-fuse namespace at oidc:sub.

    Sample original trust policy for the role:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "oidc:aud": [
                "sts.aliyuncs.com"
              ],
              "oidc:iss": "https://oidc-ack-cn-beijing.oss-cn-beijing.aliyuncs.com/c747b09ddd6664d33ad3939**********",
              "oidc:sub": "system:serviceaccount:kube-system:csi-fuse-ossfs"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::130155**********:oidc-provider/ack-rrsa-c747b09ddd6664d33ad3939**********"
            ]
          }
        }
      ],
      "Version": "1"
    }

    The modified trust policy:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "oidc:aud": [
                "sts.aliyuncs.com"
              ],
              "oidc:iss": "https://oidc-ack-cn-beijing.oss-cn-beijing.aliyuncs.com/c747b09ddd6664d33ad3939**********",
              "oidc:sub": "system:serviceaccount:kube-system:csi-fuse-ossfs"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::130155**********:oidc-provider/ack-rrsa-c747b09ddd6664d33ad3939**********"
            ]
          }
        },
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "oidc:aud": [
                "sts.aliyuncs.com"
              ],
              "oidc:iss": "https://oidc-ack-cn-beijing.oss-cn-beijing.aliyuncs.com/c747b09ddd6664d33ad3939**********",
              "oidc:sub": "system:serviceaccount:ack-csi-fuse:csi-fuse-ossfs" 
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::130155**********:oidc-provider/ack-rrsa-c747b09ddd6664d33ad3939**********"
            ]
          }
        }
      ],
      "Version": "1"
    }

Custom ossfs images are no longer supported

CSI v1.30.4-* no longer supports customizing ossfs images by using the ConfigMap of the csi-plugin.

Precautions

  • Before you upgrade the csi-plugin to v1.30.4-* or later, install the latest version of the csi-provisioner, or upgrade the csi-provisioner (managed or unmanaged) to v1.30.4-* or later.

  • After you upgrade the csi-plugin to v1.30.4-* or later through the Add-ons page of the Container Service for Kubernetes (ACK) console, the cluster automatically uses the new mounting process. Existing pods to which the OSS volumes are mounted continue to run normally.

References

For the change records and descriptions of the CSI component, see csi-plugin and csi-provisioner.