Updated on 2026-06-16 GMT+08:00

Using an Agency to Mount an OBS Volume

When deploying applications on CCE, mounting OBS as persistent storage normally requires manually configuring an access key (AK/SK). To enhance security, CCE allows you to use an agency to mount OBS volumes, enabling fine-grained permissions control. With this approach, you no longer need to manually create or manage AKs or SKs.

Prerequisites

  • The CCE Container Storage (Everest) version must be 2.5.1 or later.
  • The cluster version must be v1.28 or later. The specific versions are:
    • v1.28: v1.28.15-r80 or later
    • v1.29: v1.29.15-r40 or later
    • v1.30: v1.30.14-r40 or later
    • v1.31: v1.31.14-r0 or later
    • v1.32: v1.32.9-r0 or later
    • v1.33: v1.33.7-r0 or later
    • v1.34: v1.34.2-r0 or later
    • Other clusters of later versions

Constraints

  • When an OBS volume is mounted using an agency, the associated agency cannot be deleted. If the agency is removed, the service container will no longer be able to access the mounted OBS volume.
  • Secure containers are not supported.

Mounting an OBS Volume Using an Agency

CCE currently supports two types of agencies for mounting OBS volumes:

  • Global agencies: Use the agency configured in the CCE Container Storage (Everest) add-on to mount OBS volumes.
  • Workload agencies: Use the agency permissions associated with the workload that uses the volume to mount OBS volumes. This enables fine-grained permissions control. It requires you to preconfigure the association between the workload's service account and the agency. For details, see Using Pod Identities to Obtain IAM Credentials in a CCE Cluster.

Dynamically Creating an OBS Volume

You can use either the console or kubectl.

Using the console:

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Storage. In the right pane, click the PVCs tab and click Create PVC in the upper right corner. In the window that slides out from the right, set PVC Type to OBS and Creation Method to Dynamically provision.
  3. In the AK/SK area, select Global agency or Workload agency as required.
  4. Configure other parameters as required. For details about the parameters, see Using the Console.

Using kubectl:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-obs-auto
  namespace: default
  annotations:
    everest.io/obs-volume-type: STANDARD    # Object storage type
    csi.storage.k8s.io/fstype: obsfs        # Instance type
    everest.io/csi.authentication-source: "driver"  # Agency used. driver indicates that the add-on agency is used, and pod indicates that the workload agency is used.
spec:
  accessModes:
    - ReadWriteMany             # The value must be ReadWriteMany for OBS volumes.
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs    # The StorageClass is OBS.

Table 1 Key parameters

Parameter: everest.io/csi.authentication-source
Description: How an OBS volume is mounted using an agency. Value: driver or pod

  • driver: The global agency of the add-on is used to mount and connect to the OBS volume.
  • pod: The workload agency is used to mount and connect to the OBS volume.

CAUTION:

When configuring agency-based mounting, do not specify a custom key (csi.storage.k8s.io/node-publish-secret-name and csi.storage.k8s.io/node-publish-secret-namespace). If a custom key is specified, it takes precedence and will be used for OBS volume mounting instead of the agencies.

For details about other parameters, see Using kubectl.

Statically Creating an OBS Volume

You can use either the console or kubectl.

Using the console:

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Storage. In the right pane, click the PVCs tab and click Create PVC in the upper right corner. In the window that slides out from the right, set PVC Type to OBS and Creation Method to Create new.
  3. In the AK/SK area, select Global agency or Workload agency as required.
  4. Configure other parameters as required. For details about the parameters, see Through the Console.

Using kubectl:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-obs-example
  annotations:
    pv.kubernetes.io/provisioned-by: everest-csi-provisioner
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  csi:
    driver: obs.csi.everest.io
    fsType: obsfs
    volumeAttributes:
      everest.io/obs-volume-type: STANDARD
      everest.io/region: cn-north-4
      storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
      everest.io/csi.authentication-source: driver # Mount an OBS volume using an agency.
    volumeHandle: obs-normal-static-pv
  persistentVolumeReclaimPolicy: Delete
  storageClassName: csi-obs

Table 2 Key parameters

Parameter: everest.io/csi.authentication-source
Description: How an OBS volume is mounted using an agency. Value: driver or pod

  • driver: The global agency of the add-on is used to mount and connect to the OBS volume.
  • pod: The workload agency is used to mount and connect to the OBS volume.

For details about other parameters, see Through kubectl.
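
An added example, not part of the original guide or of CCE's own tooling: a Python check that audits PVC and PV objects against the rules stated on this page (the driver/pod value, the caution that a custom key takes precedence over the agency, and the ReadWriteMany access mode). The sample objects are constructed, and treating spec.csi.nodePublishSecretRef as the static-PV form of the custom key is an assumption.

```python
AUTH_KEY = "everest.io/csi.authentication-source"
SECRET_KEYS = ("csi.storage.k8s.io/node-publish-secret-name",
               "csi.storage.k8s.io/node-publish-secret-namespace")

def audit_volume(obj):
    """Return findings for one PVC or PV object (parsed kubectl JSON)."""
    spec = obj.get("spec", {})
    annotations = obj.get("metadata", {}).get("annotations") or {}
    csi = spec.get("csi") or {}
    # PVC: the setting is an annotation. PV: it is a CSI volume attribute.
    if obj.get("kind") == "PersistentVolumeClaim":
        source = annotations.get(AUTH_KEY)
    else:
        source = (csi.get("volumeAttributes") or {}).get(AUTH_KEY)
    if source is None:
        return []  # not mounted through an agency, nothing to check
    findings = []
    if source not in ("driver", "pod"):
        findings.append(f"invalid {AUTH_KEY}: {source!r}")
    secrets = [k for k in SECRET_KEYS if k in annotations]
    # Assumption: on a static PV the custom key is spec.csi.nodePublishSecretRef.
    if csi.get("nodePublishSecretRef"):
        secrets.append("spec.csi.nodePublishSecretRef")
    if secrets:
        findings.append("custom key overrides the agency: " + ", ".join(secrets))
    if spec.get("accessModes") != ["ReadWriteMany"]:
        findings.append("accessModes must be ReadWriteMany")
    return findings

def audit(items):
    """Map 'Kind/name' to findings, listing only objects that have any."""
    report = {f"{o['kind']}/{o['metadata']['name']}": audit_volume(o) for o in items}
    return {name: found for name, found in report.items() if found}

# Constructed sample objects (not taken from a real cluster).
RWX = ["ReadWriteMany"]
SAMPLE = [
    {"kind": "PersistentVolumeClaim", "spec": {"accessModes": RWX},
     "metadata": {"name": "pvc-obs-auto", "annotations": {AUTH_KEY: "driver"}}},
    {"kind": "PersistentVolumeClaim", "spec": {"accessModes": RWX},
     "metadata": {"name": "pvc-with-key", "annotations": {
         AUTH_KEY: "pod", SECRET_KEYS[0]: "obs-secret", SECRET_KEYS[1]: "default"}}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-typo"},
     "spec": {"accessModes": RWX, "csi": {"volumeAttributes": {AUTH_KEY: "Driver"}}}},
]
```

To audit a live cluster, pass the items list from the JSON output of kubectl get pvc,pv -A -o json to audit().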