All Products
Search
Document Center

File Storage NAS:(Recommended) Mount a NAS file system by using the CSI plug-in provided by Alibaba Cloud

Last Updated:Nov 01, 2024

This topic describes how to use the Container Storage Interface (CSI) plug-in provided by Alibaba Cloud in a registered cluster of ACK One to mount File Storage NAS (NAS) file systems on a Kubernetes cluster.

Prerequisites

Precautions

  • If the external cluster is deployed on Alibaba Cloud and Elastic Compute Service (ECS) instances are added to the cluster, you must add labels to the ECS instances. For more information about how to add labels to ECS instances, see Add labels to ECS instances in an external cluster that is registered with ACK.

  • If you use the node pool feature to add ECS instances to the external cluster, the alibabacloud.com/external=true label is automatically added to the ECS instances.

Step 1: Grant a RAM user the permissions to manage the CSI plug-in

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. onectl uses the AccessKey pair of a Resource Access Management (RAM) user to access Alibaba Cloud resources. Run the following command to grant the RAM user the permissions to manage the CSI component:

    onectl ram-user grant --addon csi-plugin

    Expected output:

    Ram policy ack-one-registered-cluster-policy-csi-plugin granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

Before you install the CSI plug-in in a registered external cluster, you must set an AccessKey pair in the cluster to access related cloud resources. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy.

    For more information about how to create a custom policy, see Create a custom policy.

    The following examples are custom permission policies that you can use to grant the permissions to manage disks, snapshots, snapshot policies, resource labels, instances, file systems, and repositories. For more information about relevant API operations, see List of operations by function.

    Show sample code

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:AttachDisk",
                    "ecs:DetachDisk",
                    "ecs:DescribeDisks",
                    "ecs:CreateDisk",
                    "ecs:ResizeDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:CreateAutoSnapshotPolicy",
                    "ecs:ApplyAutoSnapshotPolicy",
                    "ecs:CancelAutoSnapshotPolicy",
                    "ecs:DeleteAutoSnapshotPolicy",
                    "ecs:DescribeAutoSnapshotPolicyEX",
                    "ecs:ModifyAutoSnapshotPolicyEx",
                    "ecs:AddTags",
                    "ecs:DescribeTags",
                    "ecs:DescribeSnapshots",
                    "ecs:ListTagResources",
                    "ecs:TagResources",
                    "ecs:UntagResources",
                    "ecs:ModifyDiskSpec",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteDisk",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstances"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "nas:DescribeFileSystems",
                    "nas:DescribeMountTargets",
                    "nas:AddTags",
                    "nas:DescribeTags",
                    "nas:RemoveTags",
                    "nas:CreateFileSystem",
                    "nas:DeleteFileSystem",
                    "nas:ModifyFileSystem",
                    "nas:CreateMountTarget",
                    "nas:DeleteMountTarget",
                    "nas:ModifyMountTarget",
                    "nas:TagResources",
                    "nas:SetDirQuota",
                    "nas:EnableRecycleBin",
                    "nas:GetRecycleBinAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:PutBucket",
                    "oss:GetObjectTagging",
                    "oss:ListBuckets",
                    "oss:PutBucketTags",
                    "oss:GetBucketTags",
                    "oss:PutBucketEncryption",
                    "oss:GetBucketInfo"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.

  5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.

    The system automatically uses the AccessKey pair to access cloud resources when you install the CSI component.

    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'
    Note

    Replace <your access key id> and <your access key secret> with the AccessKey pair that you obtained in the previous step.

Step 2: Install the CSI plug-in

Use onectl

Run the following commands to install the CSI plug-in:

onectl addon install csi-plugin
onectl addon install csi-provisioner

Expected output:

Addon csi-plugin, version **** installed.
Addon csi-provisioner, version **** installed.

Use the console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. Click the Storage tab, find csi-plugin and csi-provisioner, and then click Install.

  4. In the Note message, confirm the versions of the plug-ins and click OK.

Mount a NAS file system by using a built-in Kubernetes volume

You can use the following methods to mount a NAS file system to persist application data: