Object Storage Service (OSS) is a secure, cost-effective, and high-durability cloud storage service provided by Alibaba Cloud to store large amounts of unstructured data such as images, audio data, and video data. This topic describes how to mount an OSS bucket to elastic container instance-based pods in an ACK Serverless cluster by using a persistent volume claim (PVC).
Prerequisites
An ACK Serverless cluster is created. For more information, see Create a cluster.
Usage notes
OSS is a shared storage service. You can mount an OSS bucket to multiple pods.
We recommend that you store no more than 1,000 files in the mount directory. If you store a large number of files in the mount directory, ossfs consumes a large amount of memory, which may cause out of memory (OOM) errors in pods.
Procedure
Obtain the information about the OSS bucket that you want to use.
If no OSS bucket is available, create one in the OSS console. For more information, see Create an ACK Serverless cluster.
Log on to the OSS console. In the left-side navigation pane, click Buckets.
On the Buckets page, find the OSS bucket that you want to use and click the bucket name.
On the bucket details page, click the Overview tab. In the Port section, copy an endpoint based on the following information:
If the bucket and your cluster are deployed in the same region, copy the internal endpoint.
If the bucket and your cluster are deployed in different regions, copy the public endpoint.
Use one of the following methods to grant the permissions to access OSS:
Method 1: (Recommended) Use a RAM role to grant permissions
Create a Resource Access Management (RAM) role and attach a RAM policy to the RAM role. When you create the RAM role, select Alibaba Cloud Service for the Select Trusted Entity parameter, Normal Service Role for the Role Type parameter, and Elastic Compute Service for the Select Trusted Service parameter. When you grant permissions to the RAM role, attach the AliyunOSSFullAccess policy to the RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.
Method 2: Use an AccessKey pair to grant permissions
Obtain the AccessKey ID and AccessKey secret of the RAM user that you use. For more information, see Obtain an AccessKey pair.
Create a file named test-ack-oss.yaml and copy the following content to the file:
Note: In this example, a VPC is used. Make sure that the instance, the image repository, and the OSS bucket reside in the same region, such as China (Beijing).
If you want to mount an OSS bucket or pull an image across regions, you must configure access over the Internet and change the address of the image or the URL of the OSS bucket to a valid format. You must modify the image and url fields in the following code for Internet access.
image: Set the value to registry.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2.
url: Set the value to the public endpoint.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-ack-oss
  labels:
    alibabacloud.com/eci: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      alibabacloud.com/eci: "true"
  template:
    metadata:
      labels:
        alibabacloud.com/eci: "true"
    spec:
      containers:
      - name: nginx
        image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2
        ports:
        - containerPort: 80
        volumeMounts:
        - name: cache-volume
          mountPath: /cache-test          # the OSS bucket appears at this path in the container
      volumes:
      - name: cache-volume
        persistentVolumeClaim:
          claimName: oss-pvc              # the PVC defined below
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: oss-pvc
  namespace: test                         # pods that use this claim must run in the same namespace
spec:
  storageClassName: test
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      alicloud-pvname: pv-oss             # selects the PV below by its label
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-csi-pv
  labels:
    alicloud-pvname: pv-oss
spec:
  storageClassName: test
  capacity:
    storage: 5Gi
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: oss-csi-pv
    volumeAttributes:
      bucket: "oss-test"
      url: "oss-cn-beijing-internal.aliyuncs.com"   # internal endpoint: bucket and cluster in the same region
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      ramRole: "<your RAM Role Name>"
In the preceding example, a RAM role is used to grant permissions. If you want to use your AccessKey pair for authorization, replace ramRole: "<your RAM Role Name>" with the following lines:
akId: "<your AccessKey ID>"
akSecret: "<your AccessKey Secret>"
Note: If the OSS bucket and the cluster to which you want to mount the bucket belong to different Alibaba Cloud accounts, you must specify the AccessKey pair of the account to which the OSS bucket belongs.
The following table describes the parameters that can be configured in the volumeAttributes section.
| Parameter | Description |
| --- | --- |
| bucket | The name of the OSS bucket. Only OSS buckets can be mounted to pods. Subdirectories or files in OSS buckets cannot be mounted to pods. |
| url | The endpoint of the OSS bucket, which is obtained in Step 1. If the bucket and the cluster reside in the same region, use the internal endpoint. If the bucket and the cluster reside in different regions, use the public endpoint. |
| otherOpts | The custom options that are specified to mount the OSS bucket. Format: -o *** -o ***. Example: -o max_stat_cache_size=0 -o allow_other. |
| ramRole | The RAM role that is used to grant permissions. |
| akId | The AccessKey ID that is used to grant permissions. |
| akSecret | The AccessKey secret that is used to grant permissions. |
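The following shell check is an added example, not part of the original documentation. It reads the volumeAttributes described above from a manifest and flags the settings worth reviewing before the volume is created: an AccessKey pair stored in the PV, a public endpoint, and allow_other. The function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: review OSS volumeAttributes in a manifest before `kubectl create`.

# Print the value of the first "key: value" line in a file, quotes stripped.
attr() {  # usage: attr <key> <file>
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# Print one line per finding; the exit status is the number of findings.
check_oss_volume() {  # usage: check_oss_volume <manifest>
  f=$1; n=0
  if [ -n "$(attr akId "$f")$(attr akSecret "$f")" ]; then
    # volumeAttributes are stored as plain strings in the PV object.
    echo "akId/akSecret: long-lived AccessKey pair stored in clear text in the PV; prefer ramRole"
    n=$((n + 1))
  elif [ -z "$(attr ramRole "$f")" ]; then
    echo "neither ramRole nor akId/akSecret is set"
    n=$((n + 1))
  fi
  case "$(attr url "$f")" in
    *-internal.aliyuncs.com) ;;
    *) echo "url: not an internal endpoint, bucket traffic goes over the Internet"
       n=$((n + 1)) ;;
  esac
  case "$(attr otherOpts "$f")" in
    *allow_other*)
       echo "otherOpts: allow_other opens the mount to every local user, not only the mounting one"
       n=$((n + 1)) ;;
  esac
  return "$n"
}

# Constructed sample: the AccessKey variant of the PV with a public endpoint.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    volumeAttributes:
      bucket: "oss-test"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      akId: "<your AccessKey ID>"
      akSecret: "<your AccessKey Secret>"
EOF
check_oss_volume "$sample" || echo "findings: $?"
```

A finding is a prompt for review, not necessarily an error: a cross-region mount needs the public endpoint, and allow_other may be required when the container process does not run as the mounting user.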
Run the following command to create elastic container instance-based pods that have the OSS bucket mounted:
kubectl create -f test-ack-oss.yaml
Run the following command to query the pods:
kubectl get pods -o wide
Expected output:
NAME                            READY   STATUS    RESTARTS   AGE   IP              NODE                        NOMINATED NODE   READINESS GATES
test-ack-oss-655db9d64d-5q7d9   1/1     Running   0          46s   172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
test-ack-oss-655db9d64d-m5vct   1/1     Running   0          46s   172.16.XX.XXX   virtual-kubelet-cn-****-k   <none>           <none>
Check the file directories in the pods and verify that the /cache-test mount directory is generated for the OSS bucket. In addition, verify that the files written to one pod are displayed in the other pod. This indicates that the two pods share the OSS bucket.
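One way to run this check with kubectl exec, as an added example that is not part of the original documentation. The function name and the KUBECTL override are assumptions; the default label selector and mount path come from test-ack-oss.yaml.

```shell
#!/bin/sh
# Added example: confirm that two pods see the same OSS-backed directory.
# KUBECTL may name another command (assumption; useful for dry runs).

verify_shared_mount() {  # usage: verify_shared_mount [selector] [mount_path]
  k=${KUBECTL:-kubectl}
  sel=${1:-alibabacloud.com/eci=true}
  dir=${2:-/cache-test}

  # Names of the pods created by the Deployment, space separated.
  pods=$($k get pods -l "$sel" -o jsonpath='{.items[*].metadata.name}') || return 2
  set -- $pods
  [ "$#" -ge 2 ] || { echo "need 2 pods, found $#" >&2; return 2; }
  writer=$1; reader=$2
  marker="mount-check-$$"

  # 1. The mount directory must exist in both pods.
  for p in "$writer" "$reader"; do
    $k exec "$p" -- test -d "$dir" || { echo "$p: $dir is missing" >&2; return 1; }
  done

  # 2. Write a marker file through the first pod.
  $k exec "$writer" -- sh -c "echo $marker > $dir/$marker" || return 1

  # 3. Read it back through the second pod.
  seen=$($k exec "$reader" -- cat "$dir/$marker") || {
    echo "$reader cannot read the file written by $writer" >&2; return 1; }

  # 4. Remove the marker so the bucket is left unchanged.
  $k exec "$writer" -- rm -f "$dir/$marker"

  [ "$seen" = "$marker" ] || return 1
  echo "shared: $writer -> $reader via $dir"
}

# Usage against the cluster from this topic:
#   verify_shared_mount alibabacloud.com/eci=true /cache-test
```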
References
For more information about OSS volumes, see OSS volume overview.