Container Service for Kubernetes: Mount an OSS bucket as a volume

Last Updated: Apr 30, 2024

Object Storage Service (OSS) is a secure, cost-effective, and high-durability cloud storage service provided by Alibaba Cloud to store large amounts of unstructured data such as images, audio data, and video data. This topic describes how to mount an OSS bucket to elastic container instance-based pods in an ACK Serverless cluster by using a persistent volume claim (PVC).

Prerequisites

An ACK Serverless cluster is created. For more information, see Create a cluster.

Usage notes

  • OSS is a shared storage service. You can mount an OSS bucket to multiple pods.

  • We recommend that you store no more than 1,000 files in the mount directory. If you store a large number of files in the mount directory, ossfs consumes a large amount of memory, which may cause out of memory (OOM) errors in pods.

Procedure

  1. Obtain the information about the OSS bucket that you want to use.

    If no OSS bucket is available, create one in the OSS console. For more information, see Create an ACK Serverless cluster.

    1. Log on to the OSS console. In the left-side navigation pane, click Buckets.

    2. On the Buckets page, find the OSS bucket that you want to use and click the bucket name.

    3. On the bucket details page, click the Overview tab. In the Port section, copy an endpoint based on the following information:

      • If the bucket and your cluster are deployed in the same region, copy the internal endpoint.

      • If the bucket and your cluster are deployed in different regions, copy the public endpoint.

  2. Use one of the following methods to grant the permissions to access OSS:

    • Method 1: (Recommended) Use a RAM role to grant permissions

      Create a Resource Access Management (RAM) role and attach a RAM policy to the RAM role. When you create the RAM role, select Alibaba Cloud Service for the Select Trusted Entity parameter, Normal Service Role for the Role Type parameter, and Elastic Compute Service for the Select Trusted Service parameter. When you grant permissions to the RAM role, attach the AliyunOSSFullAccess policy to the RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

    • Method 2: Use an AccessKey pair to grant permissions

      Obtain the AccessKey ID and AccessKey secret of the RAM user that you use. For more information, see Obtain an AccessKey pair.

  3. Create a file named test-ack-oss.yaml and copy the following content to the file:

    Note

    In this example, a VPC is used. Make sure that the instance, the image repository, and the OSS bucket reside in the same region, such as China (Beijing).

    If you want to mount an OSS bucket or pull an image across regions, you must configure access over the Internet and change the address of the image or the URL of the OSS bucket to a valid format. You must modify the image and url fields in the following code for Internet access.

    • image: Set the value to registry.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2.

    • url: Set the value to the public endpoint.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: test-ack-oss
      labels:
        alibabacloud.com/eci: "true"
    spec:
      replicas: 2
      selector:
        matchLabels:
          alibabacloud.com/eci: "true"
      template:
        metadata:
          labels:
            alibabacloud.com/eci: "true"
        spec:
          containers:
          - name: nginx
            image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2
            ports:
            - containerPort: 80
            volumeMounts:
              - name: cache-volume
                mountPath: /cache-test
          volumes:
            - name: cache-volume
              persistentVolumeClaim:
                claimName: oss-pvc
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: oss-pvc
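      # The PVC must be in the namespace where the Deployment is created: a pod can mount only PVCs from its own namespace.
      namespace: test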
    spec:
      storageClassName: test
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 5Gi
      selector:
        matchLabels:
          alicloud-pvname: pv-oss
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: oss-csi-pv
      labels:
        alicloud-pvname: pv-oss
    spec:
      storageClassName: test
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: oss-csi-pv
        volumeAttributes:
          bucket: "oss-test"
          url: "oss-cn-beijing-internal.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          ramRole: "<your RAM Role Name>"

    In the preceding example, a RAM role is used to grant permissions. If you want to use your AccessKey pair for authorization, replace ramRole: "<your RAM Role Name>" with the following lines:

          akId: "<your AccessKey ID>"
          akSecret: "<your AccessKey Secret>"

    Note

    If the OSS bucket and the cluster to which you want to mount the bucket belong to different Alibaba Cloud accounts, you must specify the AccessKey pair of the account to which the OSS bucket belongs.

    The following table describes the parameters that can be configured in the volumeAttributes section.

    | Parameter | Description |
    | --- | --- |
    | bucket | The name of the OSS bucket. Only OSS buckets can be mounted to pods. Subdirectories or files in OSS buckets cannot be mounted to pods. |
    | url | The endpoint of the OSS bucket, which is obtained in Step 1. If the bucket and the cluster reside in the same region, use the internal endpoint. If the bucket and the cluster reside in different regions, use the public endpoint. |
    | otherOpts | The custom options that are specified to mount the OSS bucket. Format: -o *** -o ***. Example: -o max_stat_cache_size=0 -o allow_other. |
    | ramRole | The RAM role that is used to grant permissions. |
    | akId | The AccessKey ID that is used to grant permissions. |
    | akSecret | The AccessKey secret that is used to grant permissions. |

  4. Run the following command to create elastic container instance-based pods that have the OSS bucket mounted:

    kubectl create -f test-ack-oss.yaml

  5. Run the following command to query the pods:

    kubectl get pods -o wide

    Expected output:

    NAME                              READY   STATUS    RESTARTS   AGE     IP              NODE                           NOMINATED NODE   READINESS GATES
    test-ack-oss-655db9d64d-5q7d9     1/1     Running   0          46s     172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
    test-ack-oss-655db9d64d-m5vct     1/1     Running   0          46s     172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>

    Check the file directories in the pods and verify that the /cache-test mount directory is generated for the OSS bucket. In addition, verify that the files written to one pod are displayed in the other pod. This indicates that the two pods share the OSS bucket.
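
The following check is an added example, not part of the original documentation or of any Alibaba Cloud tooling. It audits the volumeAttributes described in Step 3, as they appear in `kubectl get pv -o json` output, and reports PVs that embed an AccessKey pair instead of a RAM role, use a non-internal endpoint, or mount with allow_other. The function name, the finding texts, the "-internal" host name heuristic, and the sample data are assumptions made for this example.

```python
import json

OSS_DRIVER = "ossplugin.csi.alibabacloud.com"  # driver name used in the manifest above

def audit_oss_pvs(pv_list):
    """Return (pv_name, finding) tuples for OSS-backed PersistentVolumes."""
    findings = []
    for pv in pv_list.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("driver") != OSS_DRIVER:
            continue  # not an OSS volume
        name = pv["metadata"]["name"]
        attrs = csi.get("volumeAttributes") or {}
        # An AccessKey pair in volumeAttributes is stored in clear text in the
        # PV object and is returned to anyone allowed to read PersistentVolumes.
        if attrs.get("akId") or attrs.get("akSecret"):
            findings.append((name, "inline AccessKey pair; prefer ramRole"))
        elif not attrs.get("ramRole"):
            findings.append((name, "neither ramRole nor AccessKey pair is set"))
        # Assumption: internal endpoints carry "-internal" in the host name,
        # as in the page's oss-cn-beijing-internal.aliyuncs.com example.
        if "-internal" not in attrs.get("url", ""):
            findings.append((name, "url is not an internal endpoint"))
        # allow_other is the FUSE option that lets users other than the
        # mounting user access the mounted files.
        if "allow_other" in attrs.get("otherOpts", ""):
            findings.append((name, "allow_other is set; review who needs access"))
    return findings

# Constructed sample shaped like `kubectl get pv -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "oss-csi-pv"},
   "spec": {"csi": {"driver": "ossplugin.csi.alibabacloud.com",
     "volumeAttributes": {"bucket": "oss-test",
       "url": "oss-cn-beijing-internal.aliyuncs.com",
       "otherOpts": "-o max_stat_cache_size=0 -o allow_other",
       "ramRole": "example-role"}}}},
  {"metadata": {"name": "oss-ak-pv"},
   "spec": {"csi": {"driver": "ossplugin.csi.alibabacloud.com",
     "volumeAttributes": {"bucket": "oss-test",
       "url": "oss-cn-beijing.aliyuncs.com",
       "akId": "EXAMPLE-ID", "akSecret": "EXAMPLE-SECRET"}}}},
  {"metadata": {"name": "other-pv"}, "spec": {"nfs": {"server": "10.0.0.1"}}}
]}
""")

if __name__ == "__main__":
    for pv_name, finding in audit_oss_pvs(SAMPLE):
        print(f"{pv_name}: {finding}")
```

To run it against a cluster, load the output of `kubectl get pv -o json` with `json.load` and pass the result to `audit_oss_pvs` in place of `SAMPLE`.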

References

For more information about OSS volumes, see OSS volume overview.