yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
0b3a43371a4bcc99577594de0a685249d676a567
doc-exports/docs/cce/umn/cce_10_0336.html
qiujiandong1 ab1e53a279 CCE UMN 20251031 version 
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-01-15 10:25:22 +00:00

23 KiB
Raw Blame History

Using a Custom Access Key (AK/SK) to Mount an OBS Volume

CCE Container Storage (Everest) supports custom access keys. In this way, IAM users can use their own custom access keys to mount an OBS volume.

Prerequisites

Constraints

  • When an OBS volume is mounted using a custom access key (AK/SK), the access key cannot be deleted or disabled. Otherwise, the service container cannot access the mounted OBS volume.
  • Custom access keys cannot be configured for secure containers.

Disabling a Global AK

When creating an OBS volume on the console of an earlier version, you need to upload the AK/SK (global access key), which is then used by default for mounting the OBS volume. As a result, all IAM users within your account will use the same key to mount the OBS buckets, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.

If you have uploaded the AK/SK, disable the automatic mounting of global access keys by enabling the DISABLE_AUTO_MOUNT_SECRET parameter in the CCE Container Storage (Everest) add-on to prevent IAM users from performing unauthorized operations. In this way, the global access keys uploaded on the console will not be used when you use OBS volumes.

  • Before enabling DISABLE_AUTO_MOUNT_SECRET, ensure that there are no OBS volumes in the cluster. Workloads using OBS volumes may fail to remount after scaling or restart due to missing access keys, which are blocked by DISABLE_AUTO_MOUNT_SECRET.
  • If DISABLE_AUTO_MOUNT_SECRET is set to true, an access key must be specified when a PV or PVC is created. Otherwise, mounting the OBS volume will fail.

The following steps apply to CCE Container Storage (Everest) 2.x (2.1.42 or later):

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Add-ons. In the right pane, find the CCE Container Storage (Everest) add-on and click Edit.
  3. Configure the add-on parameters. Set Prohibit Global Secret from Mounting Object Storage (disable_auto_mount_secret) to Yes.
  4. Click OK.

The following steps apply to CCE Container Storage (Everest) 1.x. (The modified settings cannot be retained during the add-on upgrades. You are advised to use the add-on of 2.x.)

  1. Use kubectl to access the cluster and run the following command to modify the add-on settings:
    kubectl edit ds everest-csi-driver -nkube-system
  2. Search for disable-auto-mount-secret and set it to true.

  3. Run :wq to save the settings and exit. Wait until the pod is restarted.

Obtaining an Access Key

  1. Access the My Credentials page.
  2. In the navigation pane, choose Access Keys.
  3. Click Create Access Key. The Create Access Key dialog box is displayed.
  4. Click OK to download the access key.

Creating a Secret Using an Access Key

  1. Obtain an access key.
  2. Encode the keys using Base64. (Assume that the obtained AK is xxx and the SK is yyy.)

    echo -n xxx|base64
echo -n yyy|base64

    Record the encoded AK and SK.

  3. Create a YAML file for the secret, for example, test-user.yaml.

    apiVersion: v1
data:
  access.key: WE5WWVhVNU*****
  secret.key: Nnk4emJyZ0*****
kind: Secret
metadata:
  name: test-user
  namespace: default
  labels:
    secret.kubernetes.io/used-by: csi
type: cfe/secure-opaque

    Specifically:

    Parameter

    Description

    access.key

    A Base64-encoded AK

    secret.key

    A Base64-encoded SK

    name

    Secret name

    namespace

    Namespace of a secret

    secret.kubernetes.io/used-by: csi

    Add this label if you want to make it available on the CCE console when you create an OBS PV/PVC.

    type

    Secret type. The value must be cfe/secure-opaque.

    When this type is used, the data entered by users is automatically encrypted.

  4. Create the secret.

    kubectl create -f test-user.yaml

Specifying a Secret for Mounting During Static Creation of an OBS Volume

After a secret is created using the AK/SK, you can associate the secret with the PV to be created and then use the AK/SK in the secret to mount an OBS volume.

  1. Log in to the OBS console, create an OBS bucket, and record the bucket name and StorageClass. The parallel file system is used as an example.
  2. Create a YAML file for the PV, for example, pv-example.yaml.

    apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-obs-example
  annotations:
    pv.kubernetes.io/provisioned-by: everest-csi-provisioner
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  csi:
    nodePublishSecretRef:
      name: test-user
      namespace: default
    driver: obs.csi.everest.io
    fsType: obsfs
    volumeAttributes:
      everest.io/obs-volume-type: STANDARD
      everest.io/region: eu-de
      storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
    volumeHandle: obs-normal-static-pv
  persistentVolumeReclaimPolicy: Delete
  storageClassName: csi-obs

    Parameter

    Description

    nodePublishSecretRef

    Secret specified during the mounting

    • name: name of the secret
    • namespace: The namespace of the secret

    fsType

    File type, which can be s3fs or obsfs. If the value is s3fs, an OBS bucket is created. If the value is obsfs, an OBS parallel file system is created.

    volumeHandle

    OBS bucket name.

  3. Create a PV.

    kubectl create -f pv-example.yaml

    After a PV is created, you can create a PVC and associate it with the PV.

  4. Create a YAML file for the PVC, for example, pvc-example.yaml.

    Example YAML file for the PVC:

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/node-publish-secret-name: test-user
    csi.storage.k8s.io/node-publish-secret-namespace: default
    volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
    everest.io/obs-volume-type: STANDARD
    csi.storage.k8s.io/fstype: obsfs
  name: obs-secret
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs
  volumeName: pv-obs-example

    Parameter

    Description

    csi.storage.k8s.io/node-publish-secret-name

    The name of a secret

    csi.storage.k8s.io/node-publish-secret-namespace

    The namespace of a secret

  5. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload and associate it with the PVC to create volumes.

Specifying a Secret for Mounting During Dynamic Creation of an OBS Volume

When dynamically creating an OBS volume, you can use the following method to specify a secret:

  1. Create a YAML file for the PVC, for example, pvc-example.yaml.

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/node-publish-secret-name: test-user
    csi.storage.k8s.io/node-publish-secret-namespace: default
    everest.io/obs-volume-type: STANDARD
    csi.storage.k8s.io/fstype: obsfs
  name: obs-secret
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs

    Parameter

    Description

    csi.storage.k8s.io/node-publish-secret-name

    The name of a secret

    csi.storage.k8s.io/node-publish-secret-namespace

    The namespace of a secret

  2. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload and associate it with the PVC to create volumes.

Verification

You can use a secret of an IAM user to mount an OBS volume. Assume that a workload named obs-secret is created, the mount path in the container is /temp, and the IAM user has the CCE ReadOnlyAccess and Tenant Guest permissions.
  1. Query the name of the workload pod.
    kubectl get pod | grep obs-secret

    Expected outputs:

    obs-secret-5cd558f76f-vxslv          1/1     Running   0          3m22s
  2. Query the objects in the mount path. In this example, the query is successful.
    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/
  3. Write data into the mount path. In this example, the write operation failed.
    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test

    Expected outputs:

    touch: setting times of '/temp/test': No such file or directory
command terminated with exit code 1
  4. Set the read/write permissions for the IAM user who mounted the OBS volume by referring to the bucket policy configuration.

  5. Write data into the mount path again. In this example, the write operation succeeded.
    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test
  6. Check the mount path in the container to see whether the data is successfully written.
    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/

    Expected outputs:

    -rwxrwxrwx 1 root root 0 Jun  7 01:52 test
Parent topic: OBS