Using a Custom Access Key (AK/SK) to Mount an OBS Volume
CCE Container Storage (Everest) supports custom access keys. In this way, IAM users can use their own custom access keys to mount an OBS volume. You can use IAM to control the OBS access permissions of IAM users. For details, see Differences Between OBS Permissions Control Methods.
Prerequisites
- The CCE Container Storage (Everest) version must be 1.2.8 or later.
- The cluster version must be 1.15.11 or later.
Constraints
- When an OBS volume is mounted using custom access keys (AK/SK), the access key cannot be deleted or disabled. Otherwise, the service container cannot access the mounted OBS volume.
- Custom access keys cannot be configured for secure containers.
Disabling Access Keys
When creating an OBS volume on the console of the old edition, you need to upload the AK/SK, which are global access keys used for mounting OBS volumes. As a result, all IAM users in your account will use the same keys to mount OBS buckets as volumes, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.
If you have uploaded the AK/SK (specifically, if paas.longaksk exists in the kube-system namespace of the cluster), you should disable the global access secret to prevent IAM users from performing unauthorized operations. This ensures that the uploaded global access secret in the console will not be used when OBS volumes are used. If you have not uploaded any AK/SK, skip this section.
- Before disabling the global access secret, ensure that no OBS volume is used by the current cluster. Otherwise, this volume fails to be mounted when the workload that has the volume mounted is scaled out or restarted because the access keys must be specified.
- After the global access secret is disabled, you must specify the access keys when creating a PV and PVC. Otherwise, the OBS volume fails to be mounted.
To disable the global access secret, do as follows:
- Disable the automatic mounting of access secrets in the Everest add-on by setting disable_auto_mount_secret to true.
To do so, take the following steps:
- In the Settings > Cluster Settings area, disable the global access secret of the cluster. The global access secret (paas.longaksk) in the kube-system namespace of the cluster will be deleted.
Obtaining Access Keys
- Access the My Credentials page.
- In the navigation pane, choose Access Keys.
- Click Create Access Key. The Create Access Key dialog box is displayed.
- Click OK to download the access key.
Creating a Secret Using Access Keys
- Obtain access keys.
- Encode the access keys using Base64. (Assume that the AK is xxx and the SK is yyy.)
echo -n xxx|base64 echo -n yyy|base64
Record the encoded AK and SK.
- Create a YAML file for the secret, for example, test-user.yaml.
apiVersion: v1 data: access.key: WE5WWVhVNU***** secret.key: Nnk4emJyZ0***** kind: Secret metadata: name: test-user namespace: default labels: secret.kubernetes.io/used-by: csi type: cfe/secure-opaqueSpecifically:
Parameter
Description
access.key
A Base64-encoded AK
secret.key
A Base64-encoded SK
name
Secret name
namespace
Namespace of the secret
secret.kubernetes.io/used-by: csi
Add this label if you want to make it available on the CCE console when you create an OBS PV/PVC.
type
Secret type. The value must be cfe/secure-opaque.
When this type is used, the data entered by users is automatically encrypted.
- Create the secret.
kubectl create -f test-user.yaml
Mounting a Secret to an OBS Volume
The method of mounting an OBS volume varies depending on how the volume was created.
After a secret is created using the AK/SK, you can associate the secret with the PV to be created and then use the AK/SK in the secret to mount an OBS volume.
- Log in to the OBS console, create an OBS bucket, and record the bucket name and StorageClass. The parallel file system is used as an example.
- Create a YAML file for the PV, for example, pv-example.yaml.
apiVersion: v1 kind: PersistentVolume metadata: name: pv-obs-example annotations: pv.kubernetes.io/provisioned-by: everest-csi-provisioner spec: accessModes: - ReadWriteMany capacity: storage: 1Gi csi: nodePublishSecretRef: name: test-user namespace: default driver: obs.csi.everest.io fsType: obsfs volumeAttributes: everest.io/obs-volume-type: STANDARD everest.io/region: ap-southeast-1 storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner volumeHandle: obs-normal-static-pv persistentVolumeReclaimPolicy: Delete storageClassName: csi-obsParameter
Description
nodePublishSecretRef
Secret specified during the mounting.
- name: name of the secret
- namespace: namespace of the secret
fsType
File type, which can be s3fs or obsfs. If the value is s3fs, an OBS bucket is created. If the value is obsfs, an OBS parallel file system is created.
volumeHandle
OBS volume name.
- Create a PV.
kubectl create -f pv-example.yaml
After a PV is created, you can create a PVC and associate it with the PV.
- Create a YAML file for the PVC, for example, pvc-example.yaml.
Example YAML file for the PVC:
apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: csi.storage.k8s.io/node-publish-secret-name: test-user csi.storage.k8s.io/node-publish-secret-namespace: default volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner everest.io/obs-volume-type: STANDARD csi.storage.k8s.io/fstype: obsfs name: obs-secret namespace: default spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: csi-obs volumeName: pv-obs-exampleParameter
Description
csi.storage.k8s.io/node-publish-secret-name
Secret name
csi.storage.k8s.io/node-publish-secret-namespace
Namespace of the secret
- Create a PVC.
kubectl create -f pvc-example.yaml
After the PVC is created, you can create a workload and associate it with the PVC to create volumes.
When dynamically creating an OBS volume, you can use the following method to specify a secret:
- Create a YAML file for the PVC, for example, pvc-example.yaml.
apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: csi.storage.k8s.io/node-publish-secret-name: test-user csi.storage.k8s.io/node-publish-secret-namespace: default everest.io/obs-volume-type: STANDARD csi.storage.k8s.io/fstype: obsfs name: obs-secret namespace: default spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: csi-obsParameter
Description
csi.storage.k8s.io/node-publish-secret-name
Secret name
csi.storage.k8s.io/node-publish-secret-namespace
Namespace of the secret
- Create a PVC.
kubectl create -f pvc-example.yaml
After the PVC is created, you can create a workload and associate it with the PVC to create volumes.
Verification
- Query the name of the workload pod.
kubectl get pod | grep obs-secret
Expected outputs:
obs-secret-5cd558f76f-vxslv 1/1 Running 0 3m22s
- Query the objects in the mount path. In this example, the query is successful.
kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/ - Write data into the mount path. In this example, the write operation failed.
kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/testExpected outputs:
touch: setting times of '/temp/test': No such file or directory command terminated with exit code 1
- Set the read/write permissions for the IAM user who mounted the OBS volume by referring to the bucket policy configuration.
- Write data into the mount path again. In this example, the write operation succeeded.
kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test - Check the mount path in the container to see whether the data is successfully written.
kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/Expected outputs:
-rwxrwxrwx 1 root root 0 Jun 7 01:52 test
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot

