All Products
Search

This Product

    Container Service for Kubernetes:Mount an OSS bucket as a volume

    Document Center

    Container Service for Kubernetes:Mount an OSS bucket as a volume

    Last Updated:Apr 30, 2024

    Object Storage Service (OSS) is a secure, cost-effective, and high-durability cloud storage service provided by Alibaba Cloud to store large amounts of unstructured data such as images, audio data, and video data. This topic describes how to mount an OSS bucket to elastic container instance-based pods in an ACK Serverless cluster by using a persistent volume claim (PVC).

    Prerequisites

    An ACK Serverless cluster is created. For more information, see Create a cluster.

    Usage notes

    • OSS is a shared storage service. You can mount an OSS bucket to multiple pods.

    • We recommend that you store no more than 1,000 files in the mount directory. If you store a large number of files in the mount directory, ossfs consumes high memory. This may cause out of memory (OOM) errors in pods.

    Procedure

    1. Obtain the information about the OSS bucket that you want to use.

      If no OSS bucket is available, create one in the OSS console. For more information, see Create an ACK Serverless cluster.

      1. Log on to the OSS console. In the left-side navigation pane, click Buckets.

      2. On the Buckets page, find the OSS bucket that you want to use and click the bucket name.

      3. On the bucket details page, click the Overview tab. In the Port section, copy an endpoint based on the following information:

        • If the bucket and your cluster are deployed in the same region, copy the internal endpoint.

        • If the bucket and your cluster are deployed in different regions, copy the public endpoint.

    2. Use one of the following methods to grant the permissions to access OSS:

      • Method 1: (Recommended) Use a RAM role to grant permissions

        Create a Resource Access Management (RAM) role and attach a RAM policy to the RAM role. When you create the RAM role, select Alibaba Cloud Service for the Select Trusted Entity parameter, Normal Service Role for the Role Type parameter, and Elastic Compute Service for the Select Trusted Service parameter. When you grant permissions to the RAM role, attach the AliyunOSSFullAccess policy to the RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

      • Method 2: Use an AccessKey pair to grant permissions

        Obtain the AccessKey ID and AccessKey secret of the RAM user that you use. For more information, see Obtain an AccessKey pair.

    3. Create a file named test-ack-oss.yaml and copy the following content to the file:

      Note

      In this example, a VPC is used. Make sure that the instance, the image repository, and the OSS bucket reside in the same region, such as China (Beijing).

      If you want to mount an OSS bucket or pull an image across regions, you must configure access over the Internet and change the address of the image or the URL of the OSS bucket to a valid format. You must modify the image and url fields in the following code for Internet access.

      • image: Set the value to registry.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2.

      • url: Set the value to the public endpoint. 

      apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-ack-oss
  labels:
    alibabacloud.com/eci: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      alibabacloud.com/eci: "true"
  template:
    metadata:
      labels:
        alibabacloud.com/eci: "true"
    spec:
      containers:
      - name: nginx
        image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2
        ports:
        - containerPort: 80
        volumeMounts:
          - name: cache-volume
            mountPath: /cache-test
      volumes:
        - name: cache-volume
          persistentVolumeClaim:
            claimName: oss-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: oss-pvc
  namespace: test
spec:
  storageClassName: test
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      alicloud-pvname: pv-oss
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
  labels:
    alicloud-pvname: pv-oss
spec:
  storageClassName: test
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "oss-test"
      url: "oss-cn-beijing-internal.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      ramRole: "<your RAM Role Name>"

      In the preceding example, a RAM role is used to grant permissions. If you want to use your AccessKey pair for authorization, replace ramRole: "<your RAM Role Name>" with the following lines:

            akId: "<your AccessKey ID>"
      akSecret: "<your AccessKey Secret>"
      Note

      If the OSS bucket and the cluster to which you want to mount the bucket belong to different Alibaba Cloud accounts, you must specify the AccessKey pair of the account to which the OSS bucket belongs.

      The following table describes the parameters that can be configured in the volumeAttributes section.

      Parameter

      Description

      bucket

      The name of the OSS bucket. Only OSS buckets can be mounted to pods. Subdirectories or files in OSS buckets cannot be mounted to pods.

      url

      The endpoint of the OSS bucket, which is obtained in Step 1.

      • If the bucket and the cluster reside in the same region, use the internal endpoint.

      • If the bucket and the cluster reside in different regions, use the public endpoint.

      otherOpts

      The custom options that are specified to mount the OSS bucket. Format: -o *** -o ***. Example: -o max_stat_cache_size=0 -o allow_other.

      ramRole

      The RAM role that is used to grant permissions.

      akId

      The AccessKey ID that is used to grant permissions.

      akSecret

      The AccessKey secret that is used to grant permissions.

    4. Run the following command to create elastic container instance-based pods that have the OSS bucket mounted: 

      kubectl create -f test-ack-oss.yaml

    5. Run the following command to query the pods: 

      kubectl get pods -o wide

      Expected output:

      NAME                              READY   STATUS    RESTARTS   AGE     IP              NODE                           NOMINATED NODE   READINESS GATES
test-ack-oss-655db9d64d-5q7d9     1/1     Running   0          46s     172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
test-ack-oss-655db9d64d-m5vct     1/1     Running   0          46s     172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>

      Check the file directories in the pods and verify that the /cache-test mount directory is generated for the OSS bucket. In addition, verify that the files written to one pod are displayed in the other pod. This indicates that the two pods share the OSS bucket.查看Pod

    References

    For more information about OSS volumes, see OSS volume overview.