Help Center/ Cloud Container Engine/ User Guide (Paris Regions)/ Storage/ Object Storage Service (OBS)/ Using a Custom Access Key (AK/SK) to Mount an OBS Volume

Using a Custom Access Key (AK/SK) to Mount an OBS Volume

Updated on 2024-01-26 GMT+08:00

Scenario

By default, every IAM user under an account mounts OBS volumes with the same access key, the one uploaded on the console, so bucket permissions cannot be differentiated between users. With everest 1.2.8 or later, you can instead use a custom access key (AK/SK) for each IAM user when mounting an OBS volume.

Prerequisites

  • The everest add-on version must be 1.2.8 or later.
  • The cluster version must be 1.15.11 or later.

Constraints

  • When an OBS volume is mounted using a custom access key (AK/SK), the access key cannot be deleted or disabled. Otherwise, the service container cannot access the mounted OBS volume.

Disabling Auto Key Mounting

The key you uploaded is used by default when mounting an OBS volume. That is, all IAM users under your account will use the same key to mount OBS buckets, and they have the same permissions on buckets. This setting does not allow you to configure differentiated permissions for different IAM users.

If you have uploaded an AK/SK, disable automatic key mounting by setting the disable-auto-mount-secret parameter of the everest add-on to true. The access key uploaded on the console is then no longer used when OBS volumes are created, so an IAM user cannot obtain bucket permissions beyond those granted to their own key.

NOTE:
  • Before enabling disable-auto-mount-secret, ensure that no OBS volume exists in the cluster. A workload that already mounts an OBS volume will fail to remount it when it is scaled or restarted, because that volume has no access key of its own and the automatically mounted key is now prohibited by disable-auto-mount-secret.
  • If disable-auto-mount-secret is set to true, an access key must be specified when a PV or PVC is created. Otherwise, the OBS volume fails to be mounted.

Edit the everest-csi-driver DaemonSet:

    kubectl edit ds everest-csi-driver -n kube-system

Search for disable-auto-mount-secret and set it to true.

Enter :wq to save the settings and exit the editor. Wait until the everest-csi-driver pods have restarted.
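The NOTE above requires that no OBS volume exist when the flag is enabled, and that every PV/PVC created afterwards carry its own access key. The following preflight script is an added example and is not part of the everest add-on or of this guide. It assumes kubectl access to the cluster; the argument spelling disable-auto-mount-secret=true inside the DaemonSet args is an assumption derived from the parameter name used above.

```sh
#!/bin/sh
# Added example (not part of the everest add-on): preflight checks before and
# after setting disable-auto-mount-secret on the everest-csi-driver DaemonSet.
# Assumes kubectl access to the cluster. The argument form
# "disable-auto-mount-secret=true" in the DaemonSet args is an assumption.

# Count PVs backed by the OBS CSI driver. Reads lines of "<pv-name> <csi-driver>"
# on stdin, as produced by:
#   kubectl get pv --no-headers -o custom-columns=NAME:.metadata.name,DRIVER:.spec.csi.driver
obs_pv_count() {
  awk '$2 == "obs.csi.everest.io" { n++ } END { print n + 0 }'
}

# Succeed only if the driver args on stdin already carry disable-auto-mount-secret=true.
auto_mount_disabled() {
  grep -Eq 'disable-auto-mount-secret[=: ]+true'
}

# Wire the two checks to a live cluster. Refuses to proceed while OBS PVs exist,
# because those workloads would fail to remount after a scale or restart.
preflight() {
  pvs=$(kubectl get pv --no-headers \
        -o custom-columns=NAME:.metadata.name,DRIVER:.spec.csi.driver 2>/dev/null)
  n=$(printf '%s\n' "$pvs" | obs_pv_count)
  if [ "$n" -gt 0 ]; then
    echo "refusing: $n OBS PV(s) still exist; move them to secret-backed mounts first" >&2
    return 1
  fi
  if kubectl -n kube-system get ds everest-csi-driver \
       -o jsonpath='{range .spec.template.spec.containers[*].args[*]}{@}{"\n"}{end}' \
     | auto_mount_disabled; then
    echo "disable-auto-mount-secret is already true"
  else
    echo "no OBS PVs found; safe to run: kubectl edit ds everest-csi-driver -n kube-system"
  fi
}

# Usage against a real cluster: run `preflight` after sourcing this file.
```

Run the preflight once before editing the DaemonSet and once after the pods restart: the first run confirms there is nothing left to break, the second confirms the flag actually took effect.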

Obtaining an Access Key

  1. Log in to the console.
  2. Hover the cursor over the username in the upper right corner and choose My Credentials from the drop-down list.
  3. In the navigation pane, choose Access Keys.
  4. Click Create Access Key. The Create Access Key dialog box is displayed.
  5. Click OK to download the access key.

Creating a Secret Using an Access Key

  1. Obtain an access key.
  2. Encode the keys using Base64. (Assume that the AK is xxx and the SK is yyy.)

    echo -n xxx | base64

    echo -n yyy | base64

    Record the encoded AK and SK.

  3. Create a YAML file for the secret, for example, test-user.yaml.

    apiVersion: v1
    data:
      access.key: WE5WWVhVNU*****
      secret.key: Nnk4emJyZ0*****
    kind: Secret
    metadata:
      name: test-user
      namespace: default
      labels:
        secret.kubernetes.io/used-by: csi
    type: cfe/secure-opaque

    Specifically:

    Parameter                          Description
    access.key                         Base64-encoded AK.
    secret.key                         Base64-encoded SK.
    name                               Secret name.
    namespace                          Namespace of the secret.
    secret.kubernetes.io/used-by: csi  Add this label in the YAML file if you want the secret to be available on the CCE console when you create an OBS PV/PVC.
    type                               Secret type. The value must be cfe/secure-opaque. When this type is used, the data entered by users is automatically encrypted.

  4. Create the secret.

    kubectl create -f test-user.yaml
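The steps above encode the AK/SK by hand and paste the result into a file. The script below is an added example, not Huawei Cloud's own tooling; it renders the same Secret manifest (name test-user, namespace default, as on this page) from environment variables, so the plaintext keys never appear on a command line or in shell history, and pipes it straight into kubectl so that no file holding the encoded keys is left on disk. OBS_AK and OBS_SK are assumed variable names.

```sh
#!/bin/sh
# Added example (not Huawei Cloud's own tooling): render the everest AK/SK secret
# from environment variables. OBS_AK/OBS_SK are assumed variable names; the secret
# name, namespace, label and type follow the manifest shown on this page.

# Portable base64 of a single value, stripping the line breaks that some base64
# implementations insert for long input (a wrapped value would corrupt the key).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_obs_secret NAME NAMESPACE AK SK
# Prints a Secret of type cfe/secure-opaque carrying the label that makes it
# selectable on the CCE console when an OBS PV/PVC is created.
render_obs_secret() {
  name=$1; ns=$2; ak=$3; sk=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    secret.kubernetes.io/used-by: csi
type: cfe/secure-opaque
data:
  access.key: $(b64 "$ak")
  secret.key: $(b64 "$sk")
EOF
}

# Typical use:  OBS_AK=... OBS_SK=... sh create-obs-secret.sh
# Nothing happens when the variables are unset, so the file can also be sourced.
if [ -n "${OBS_AK:-}" ] && [ -n "${OBS_SK:-}" ]; then
  render_obs_secret test-user default "$OBS_AK" "$OBS_SK" | kubectl create -f -
fi
```

Base64 is an encoding, not protection: anyone who can read the Secret object can recover the AK/SK. The cfe/secure-opaque type is what the page relies on for encryption of the stored data, and RBAC on Secrets in the namespace is what limits who can read it.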

Mounting a Secret When Statically Creating an OBS Volume

After a secret is created using the AK/SK, you can associate the secret with the PV to be created and then use the AK/SK in the secret to mount an OBS volume.

  1. Log in to the OBS console, create an OBS bucket, and record the bucket name and storage class. The parallel file system is used as an example.
  2. Create a YAML file for the PV, for example, pv-example.yaml.

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-obs-example
      annotations:
        pv.kubernetes.io/provisioned-by: everest-csi-provisioner
    spec:
      accessModes:
      - ReadWriteMany
      capacity:
        storage: 1Gi
      csi:
        nodePublishSecretRef:
          name: test-user
          namespace: default
        driver: obs.csi.everest.io
        fsType: obsfs
        volumeAttributes:
          everest.io/obs-volume-type: STANDARD
          everest.io/region: eu-west-0
          storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
        volumeHandle: obs-normal-static-pv
      persistentVolumeReclaimPolicy: Delete
      storageClassName: csi-obs

    Parameter             Description
    nodePublishSecretRef  Secret used during mounting: name is the name of the secret and namespace is the namespace of the secret.
    fsType                File type. The value can be obsfs or s3fs. If the value is s3fs, an OBS bucket is created and mounted using s3fs. If the value is obsfs, an OBS parallel file system is created and mounted using obsfs. You are advised to set this field to obsfs.
    volumeHandle          OBS bucket name.

  3. Create a PV.

    kubectl create -f pv-example.yaml

    After a PV is created, you can create a PVC and associate it with the PV.

  4. Create a YAML file for the PVC, for example, pvc-example.yaml.

    Example YAML file for the PVC:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
        csi.storage.k8s.io/node-publish-secret-name: test-user
        csi.storage.k8s.io/node-publish-secret-namespace: default
        volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
        everest.io/obs-volume-type: STANDARD
        csi.storage.k8s.io/fstype: obsfs
      name: obs-secret
      namespace: default
    spec:
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 1Gi
      storageClassName: csi-obs
      volumeName: pv-obs-example

    Parameter                                         Description
    csi.storage.k8s.io/node-publish-secret-name       Name of the secret
    csi.storage.k8s.io/node-publish-secret-namespace  Namespace of the secret

  5. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload and associate it with the PVC to create volumes.

Mounting a Secret When Dynamically Creating an OBS Volume

When dynamically creating an OBS volume, you can use the following method to specify a secret:

  1. Create a YAML file for the PVC, for example, pvc-example.yaml.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
        csi.storage.k8s.io/node-publish-secret-name: test-user
        csi.storage.k8s.io/node-publish-secret-namespace: default
        everest.io/obs-volume-type: STANDARD
        csi.storage.k8s.io/fstype: obsfs
      name: obs-secret
      namespace: default
    spec:
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 1Gi
      storageClassName: csi-obs

    Parameter                                         Description
    csi.storage.k8s.io/node-publish-secret-name       Name of the secret
    csi.storage.k8s.io/node-publish-secret-namespace  Namespace of the secret

  2. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload and associate it with the PVC to create volumes.
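Both the static and the dynamic procedures above depend on the manifest pinning a secret; with disable-auto-mount-secret set to true, a PV or PVC that omits it simply fails to mount. The script below is an added example, not part of this guide or of the everest add-on. It checks a single-document YAML file for the reference the page describes (csi.nodePublishSecretRef.name on a PersistentVolume, the csi.storage.k8s.io/node-publish-secret-name annotation on a PersistentVolumeClaim) before handing it to kubectl, using only sed, awk and grep. The sample manifests it writes are constructed, trimmed versions of the page's own examples.

```sh
#!/bin/sh
# Added example (not Huawei Cloud's own tooling): refuse to apply an OBS PV/PVC
# manifest that does not reference a secret. Single-document YAML only.

# manifest_has_secret_ref FILE
# Exit status: 0 = secret reference present, 1 = missing, 2 = unsupported kind.
manifest_has_secret_ref() {
  f=$1
  kind=$(sed -n 's/^kind:[[:space:]]*//p' "$f" | head -n 1)
  case "$kind" in
    PersistentVolume)
      # Look for a non-empty "name:" in the lines directly under nodePublishSecretRef.
      awk '
        /nodePublishSecretRef:/ { inref = 1; next }
        inref && /^[[:space:]]+name:[[:space:]]*[^[:space:]]/ { found = 1 }
        inref && !/^[[:space:]]+(name|namespace):/ { inref = 0 }
        END { exit found ? 0 : 1 }
      ' "$f"
      ;;
    PersistentVolumeClaim)
      grep -Eq '^[[:space:]]+csi\.storage\.k8s\.io/node-publish-secret-name:[[:space:]]*[^[:space:]]' "$f"
      ;;
    *)
      echo "unsupported kind '$kind' in $f" >&2
      return 2
      ;;
  esac
}

# apply_with_check FILE: create the object only if the check passes.
apply_with_check() {
  if ! manifest_has_secret_ref "$1"; then
    echo "refusing to apply $1: no secret reference for the OBS volume" >&2
    return 1
  fi
  kubectl create -f "$1"
}

# Constructed sample manifests for a stand-alone self-check (no cluster needed).
write_samples() {
  dir=$1
  cat >"$dir/pv-with-secret.yaml" <<'EOF'
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-obs-example
spec:
  csi:
    nodePublishSecretRef:
      name: test-user
      namespace: default
    driver: obs.csi.everest.io
    volumeHandle: obs-normal-static-pv
EOF
  cat >"$dir/pv-no-secret.yaml" <<'EOF'
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-obs-example
spec:
  csi:
    driver: obs.csi.everest.io
    volumeHandle: obs-normal-static-pv
EOF
  cat >"$dir/pvc-with-secret.yaml" <<'EOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/node-publish-secret-name: test-user
    csi.storage.k8s.io/node-publish-secret-namespace: default
  name: obs-secret
  namespace: default
EOF
}

# Self-check: prints one verdict per sample manifest.
self_check() {
  d=$(mktemp -d)
  write_samples "$d"
  for f in "$d"/*.yaml; do
    if manifest_has_secret_ref "$f"; then echo "ok       $f"; else echo "missing  $f"; fi
  done
  rm -r "$d"
}
```

Run self_check to see the three verdicts, then use apply_with_check in place of kubectl create -f for real PV and PVC files. The metadata.name of the PV is not mistaken for the secret name because the awk scan only accepts a name line that immediately follows nodePublishSecretRef.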

Verification

You can use a secret of an IAM user to mount an OBS volume. Assume that a workload named obs-secret is created, the mount path in the container is /temp, and the IAM user has the CCE ReadOnlyAccess and Tenant Guest permissions.

  1. Query the name of the workload pod.

    kubectl get po | grep obs-secret

    Expected outputs:

    obs-secret-5cd558f76f-vxslv          1/1     Running   0          3m22s
  2. Query the objects in the mount path. In this example, the query is successful.

    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/

  3. Write data into the mount path. In this example, the write operation failed.

    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test

    Expected outputs:

    touch: setting times of '/temp/test': No such file or directory
    command terminated with exit code 1
  4. Set the read/write permissions for the IAM user who mounted the OBS volume by referring to the bucket policy configuration.

  5. Write data into the mount path again. In this example, the write operation succeeded.

    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test

  6. Check the mount path in the container to see whether the data is successfully written.

    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/

    Expected outputs:

    -rwxrwxrwx 1 root root 0 Jun  7 01:52 test
