doc-exports/docs/cce/umn/cce_10_0336.html
qiujiandong1 218900ecfc CCE UMN 20260128 version
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-03-11 15:13:02 +00:00

<a name="cce_10_0336"></a><a name="cce_10_0336"></a>
<h1 class="topictitle1">Using a Custom Access Key (AK/SK) to Mount an OBS Volume</h1>
<div id="body0000001118652158"><p id="cce_10_0336__p195616516813"><a href="cce_10_0066.html">CCE Container Storage (Everest)</a> supports custom access keys. In this way, IAM users can use their own custom access keys to mount an OBS volume. </p>
<div class="section" id="cce_10_0336__section1356645410223"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0336__ul169942513238"><li id="cce_10_0336__li1799112511235">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be 1.2.8 or later.</li><li id="cce_10_0336__li599172552311">The cluster version must be 1.15.11 or later.</li></ul>
</div>
<div class="section" id="cce_10_0336__section19922155718332"><h4 class="sectiontitle">Notes and Constraints</h4><ul id="cce_10_0336__ul17628134021916"><li id="cce_10_0336__li71531542161916">When an OBS volume is mounted using custom access keys (AK/SK), do not delete or disable the access key. Otherwise, the service container cannot access the mounted OBS volume.</li><li id="cce_10_0336__li17628174017192">Custom access keys cannot be configured for secure containers.</li></ul>
</div>
<div class="section" id="cce_10_0336__section1045502219184"><h4 class="sectiontitle">Disabling a Global AK</h4><p id="cce_10_0336__p1419516122419">When creating an OBS volume on the console of an earlier version, you need to upload the AK/SK (global access key), which is then used by default for mounting the OBS volume. As a result, all IAM users within your account will use the same key to mount the OBS buckets, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.</p>
<p id="cce_10_0336__p3972105715910">If you have uploaded the AK/SK (specifically, if <strong id="cce_10_0336__b13454124614335">paas.longaksk</strong> exists in the <strong id="cce_10_0336__b1218135111339">kube-system</strong> namespace of the cluster), you should disable the global access secret to prevent IAM users from performing unauthorized operations. This ensures that the uploaded global access secret in the console will not be used when OBS volumes are used. <strong id="cce_10_0336__b20581192720255">If you have not uploaded any AK/SK, skip this section.</strong></p>
<div class="note" id="cce_10_0336__note1108139105415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0336__ul1910810965420"><li id="cce_10_0336__li111084911542">Before disabling the global access secret, ensure that there are no OBS volumes in the cluster. Workloads using OBS volumes may fail to remount after scaling or restart due to missing access keys.</li><li id="cce_10_0336__li21082096542">After the global access secret is disabled, you must specify the access keys when creating a PV and PVC. Otherwise, the OBS volume fails to be mounted.</li></ul>
</div></div>
<p id="cce_10_0336__p13592810115515">To disable the global access secret, do as follows:</p>
<ul id="cce_10_0336__ul8428106143719"><li id="cce_10_0336__li1842910613376">Disable the automatic mounting of access secrets in the CCE Container Storage (Everest) add-on by setting <strong id="cce_10_0336__b14642205952716">disable_auto_mount_secret</strong> to <strong id="cce_10_0336__b4642165912719">true</strong>.<p id="cce_10_0336__p191634623720">The following steps apply to CCE Container Storage (Everest) 2.<em id="cce_10_0336__i282483118288">x</em> (2.1.42 or later):</p>
<ol id="cce_10_0336__ol1416646193719"><li id="cce_10_0336__li111694613719">Log in to the <span id="cce_10_0336__en-us_topic_0000001199181148_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</li><li id="cce_10_0336__li2171046193715">In the navigation pane, choose <strong id="cce_10_0336__b31431635142812"><span id="cce_10_0336__text20143435152810">Add-ons</span></strong>. In the right pane, find the CCE Container Storage (Everest) add-on and click <strong id="cce_10_0336__b111438356285">Edit</strong>.</li><li id="cce_10_0336__li91712469378">Configure the add-on parameters. Set <strong id="cce_10_0336__b13649124719284">Prohibit Global Secret from Mounting Object Storage (disable_auto_mount_secret)</strong> to <strong id="cce_10_0336__b1364920472289">Yes</strong>.</li><li id="cce_10_0336__li91774623711">Click <strong id="cce_10_0336__b970224318403">OK</strong>.</li></ol>
<p id="cce_10_0336__p517134617377">The following steps apply to CCE Container Storage (Everest) 1.<em id="cce_10_0336__i13539327298">x</em>. The modified settings are not retained when the add-on is upgraded, so you are advised to use version 2.<em id="cce_10_0336__i235319326299">x</em> of the add-on.</p>
<ol id="cce_10_0336__ol1017446103719"><li id="cce_10_0336__li917446163715">Use kubectl to access the cluster and run the following command to modify the add-on settings:<pre class="screen" id="cce_10_0336__screen191774633719">kubectl edit ds everest-csi-driver -nkube-system</pre>
</li><li id="cce_10_0336__li11710463377">Search for <strong id="cce_10_0336__b4640456292">disable-auto-mount-secret</strong> and set it to <strong id="cce_10_0336__b19641245192916">true</strong>.<p id="cce_10_0336__p2017124619376"><span><img id="cce_10_0336__image71713466373" src="en-us_image_0000002518226090.png"></span></p>
</li><li id="cce_10_0336__li5178464379">Run <strong id="cce_10_0336__b141214484293">:wq</strong> to save the settings and exit. Wait until the pod is restarted.</li></ol>
</li><li id="cce_10_0336__li1242814619374">In the <a href="cce_10_0782.html#cce_10_0782__section138274223718">Settings &gt; Cluster Settings</a> area, disable the global access secret of the cluster. The global access secret (<strong id="cce_10_0336__b15227556132916">paas.longaksk</strong>) in the <strong id="cce_10_0336__b82273561299">kube-system</strong> namespace of the cluster will be deleted.</li></ul>
</div>
<div class="section" id="cce_10_0336__section4633162355911"><a name="cce_10_0336__section4633162355911"></a><a name="section4633162355911"></a><h4 class="sectiontitle">Obtaining an Access Key</h4><ol id="cce_10_0336__ol481110401303"><li id="cce_10_0336__li481114401906"><span>Access the <span id="cce_10_0336__ph56626221444"><strong id="cce_10_0336__en-us_topic_0000002359963906_b7366185612613"></strong><strong id="cce_10_0336__en-us_topic_0000002359963906_b1522414182271">My Credentials</strong> page</span>.</span></li><li id="cce_10_0336__li68111402005"><span>In the navigation pane, choose <strong id="cce_10_0336__b612017294126">Access Keys</strong>.</span></li><li id="cce_10_0336__li28119401016"><span>Click <strong id="cce_10_0336__b194083251210">Create Access Key</strong>. The <strong id="cce_10_0336__b14412324125">Create Access Key</strong> dialog box is displayed.</span></li><li id="cce_10_0336__li1381116402013"><span>Click <strong id="cce_10_0336__b12537122719392">OK</strong> to download the access key.</span></li></ol>
</div>
<div class="section" id="cce_10_0336__section12416824164618"><h4 class="sectiontitle">Creating a Secret Using an Access Key</h4><ol id="cce_10_0336__ol2051283471018"><li id="cce_10_0336__li45111634121014"><span>Obtain an access key.</span></li><li id="cce_10_0336__li751113431018"><span>Encode the keys using Base64. (Assume that the obtained AK is <strong id="cce_10_0336__b1816101165815">xxx</strong> and the SK is <strong id="cce_10_0336__b1422375819571">yyy</strong>.)</span><p><pre class="screen" id="cce_10_0336__screen79891220203119">echo -n xxx|base64
echo -n yyy|base64</pre>
<p id="cce_10_0336__p95111934171018">Record the encoded AK and SK.</p>
</p></li><li id="cce_10_0336__li155129343104"><span>Create a YAML file for the secret, for example, <strong id="cce_10_0336__b182331215125818">test-user.yaml</strong>.</span><p><pre class="screen" id="cce_10_0336__screen2051217347105">apiVersion: v1
data:
  access.key: WE5WWVhVNU*****
  secret.key: Nnk4emJyZ0*****
kind: Secret
metadata:
  name: test-user
  namespace: default
  labels:
    secret.kubernetes.io/used-by: csi
type: cfe/secure-opaque</pre>
<p id="cce_10_0336__p10512934101016">Specifically:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0336__table551243410100" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_0336__row951223481012"><th align="left" class="cellrowborder" valign="top" width="26.43%" id="mcps1.3.6.2.3.2.3.1.3.1.1"><p id="cce_10_0336__p55121341100">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.57000000000001%" id="mcps1.3.6.2.3.2.3.1.3.1.2"><p id="cce_10_0336__p451233461016">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0336__row551203451016"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p13512734101015">access.key</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p181011819163211">A Base64-encoded AK</p>
</td>
</tr>
<tr id="cce_10_0336__row5512123420106"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p6512143431020">secret.key</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p710161910323">A Base64-encoded SK</p>
</td>
</tr>
<tr id="cce_10_0336__row7512834131017"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p25121534181016">name</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p71612372326">Secret name</p>
</td>
</tr>
<tr id="cce_10_0336__row95121534191014"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p16512834121016">namespace</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p51673717329">Namespace of a secret</p>
</td>
</tr>
<tr id="cce_10_0336__row16799198182814"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p0245182232816">secret.kubernetes.io/used-by: csi</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p21618378327">Add this label if you want to make it available on the CCE console when you create an OBS PV/PVC.</p>
</td>
</tr>
<tr id="cce_10_0336__row1451283421016"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.6.2.3.2.3.1.3.1.1 "><p id="cce_10_0336__p25121234161018">type</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.6.2.3.2.3.1.3.1.2 "><p id="cce_10_0336__p216163718329">Secret type. The value must be <strong id="cce_10_0336__b15235642195816">cfe/secure-opaque</strong>.</p>
<p id="cce_10_0336__p71719373324">When this type is used, the data entered by users is automatically encrypted.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="cce_10_0336__li16512193412108"><span>Create the secret.</span><p><pre class="screen" id="cce_10_0336__screen834504744418">kubectl create -f test-user.yaml</pre>
</p></li></ol>
</div>
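<p>A pre-flight check for the secret manifest described above, added here as an example and not part of the CCE documentation or tooling. It assumes the manifest is held as a Python dict (kubectl also accepts JSON manifests); the function name <strong>lint_obs_secret</strong> and the sample manifests are constructed for illustration, using the placeholder AK <strong>xxx</strong> and SK <strong>yyy</strong> from the steps above.</p>

```python
import base64
import binascii

REQUIRED_TYPE = "cfe/secure-opaque"                     # type required by this page
CONSOLE_LABEL = ("secret.kubernetes.io/used-by", "csi")  # label from this page


def lint_obs_secret(manifest):
    """Return a list of problems found in an OBS access-key Secret manifest."""
    problems = []
    if manifest.get("type") != REQUIRED_TYPE:
        problems.append(f"type must be {REQUIRED_TYPE}")

    data = manifest.get("data") or {}
    for field in ("access.key", "secret.key"):
        encoded = data.get(field)
        if not encoded:
            problems.append(f"{field} is missing")
            continue
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{field} is not valid Base64")
            continue
        # `echo xxx|base64` (without -n) encodes a trailing newline into the
        # key, which then no longer matches the real AK/SK.
        if raw != raw.strip():
            problems.append(f"{field} decodes with surrounding whitespace")

    labels = (manifest.get("metadata") or {}).get("labels") or {}
    if labels.get(CONSOLE_LABEL[0]) != CONSOLE_LABEL[1]:
        problems.append(f"label {CONSOLE_LABEL[0]}={CONSOLE_LABEL[1]} is not set")
    return problems


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: what `echo -n xxx|base64` and `echo -n yyy|base64` give.
GOOD = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "cfe/secure-opaque",
    "metadata": {"name": "test-user", "namespace": "default",
                 "labels": {"secret.kubernetes.io/used-by": "csi"}},
    "data": {"access.key": _b64("xxx"), "secret.key": _b64("yyy")},
}

# Constructed sample: AK encoded without -n, default Secret type, no label.
BAD = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "test-user", "namespace": "default"},
    "data": {"access.key": _b64("xxx\n"), "secret.key": _b64("yyy")},
}

if __name__ == "__main__":
    for name, manifest in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_obs_secret(manifest) or "ok")
```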
<div class="section" id="cce_10_0336__section14417324114618"><h4 class="sectiontitle">Specifying a Secret for Mounting During Static Creation of an OBS Volume</h4><p id="cce_10_0336__p93554114272">After a secret is created using the AK/SK, you can associate the secret with the PV to be created and then use the AK/SK in the secret to mount an OBS volume.</p>
<ol id="cce_10_0336__ol697018298268"><li id="cce_10_0336__li4106132410256"><span>Log in to the <span id="cce_10_0336__ph197171312134618">OBS console</span>, create an OBS bucket, and record the bucket name and StorageClass. The parallel file system is used as an example.</span></li><li id="cce_10_0336__li597052912264"><span>Create a YAML file for the PV, for example, <strong id="cce_10_0336__b1526916511581">pv-example.yaml</strong>.</span><p><pre class="screen" id="cce_10_0336__screen653473412187">apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-obs-example
  annotations:
    pv.kubernetes.io/provisioned-by: everest-csi-provisioner
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  csi:
    nodePublishSecretRef:
      name: test-user
      namespace: default
    driver: obs.csi.everest.io
    fsType: obsfs
    volumeAttributes:
      everest.io/obs-volume-type: STANDARD
      everest.io/region: <span id="cce_10_0336__text4408152285215">eu-de</span>
      storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
    volumeHandle: obs-normal-static-pv
  persistentVolumeReclaimPolicy: Delete
  storageClassName: csi-obs</pre>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0336__table6615161819296" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_0336__row1361531813296"><th align="left" class="cellrowborder" valign="top" width="26.43%" id="mcps1.3.7.3.2.2.2.1.3.1.1"><p id="cce_10_0336__p5615151822915">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.57000000000001%" id="mcps1.3.7.3.2.2.2.1.3.1.2"><p id="cce_10_0336__p461519185298">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0336__row12615101802919"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.7.3.2.2.2.1.3.1.1 "><p id="cce_10_0336__p96441230162919">nodePublishSecretRef</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.7.3.2.2.2.1.3.1.2 "><p id="cce_10_0336__p26152189295">Secret specified during the mounting</p>
<ul id="cce_10_0336__ul1061862010115"><li id="cce_10_0336__li186183201911"><strong id="cce_10_0336__b872611595583">name</strong>: name of the secret</li><li id="cce_10_0336__li1261818209118"><strong id="cce_10_0336__b121961230599">namespace</strong>: namespace of the secret</li></ul>
</td>
</tr>
<tr id="cce_10_0336__row17768552185616"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.7.3.2.2.2.1.3.1.1 "><p id="cce_10_0336__p98321261573">fsType</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.7.3.2.2.2.1.3.1.2 "><p id="cce_10_0336__p168323610576">File type, which can be <strong id="cce_10_0336__b8655186185917">s3fs</strong> or <strong id="cce_10_0336__b6655196135911">obsfs</strong>. If the value is <strong id="cce_10_0336__b1865510613592">s3fs</strong>, an OBS bucket is created. If the value is <strong id="cce_10_0336__b19655264594">obsfs</strong>, an OBS parallel file system is created.</p>
</td>
</tr>
<tr id="cce_10_0336__row78891119135511"><td class="cellrowborder" valign="top" width="26.43%" headers="mcps1.3.7.3.2.2.2.1.3.1.1 "><p id="cce_10_0336__p17889141914554">volumeHandle</p>
</td>
<td class="cellrowborder" valign="top" width="73.57000000000001%" headers="mcps1.3.7.3.2.2.2.1.3.1.2 "><p id="cce_10_0336__p12890141918554">OBS bucket name.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="cce_10_0336__li1613414199588"><span>Create a PV.</span><p><pre class="screen" id="cce_10_0336__screen11715346193312">kubectl create -f pv-example.yaml</pre>
<p id="cce_10_0336__p1994220111813">After a PV is created, you can create a PVC and associate it with the PV.</p>
</p></li><li id="cce_10_0336__li1623335911249"><span>Create a YAML file for the PVC, for example, <strong id="cce_10_0336__b1194617122598">pvc-example.yaml</strong>.</span><p><p id="cce_10_0336__li147777204119p0"><strong id="cce_10_0336__b124006161595">Example YAML file for the PVC:</strong></p>
<pre class="screen" id="cce_10_0336__screen29933615125">apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/node-publish-secret-name: test-user
    csi.storage.k8s.io/node-publish-secret-namespace: default
    volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
    everest.io/obs-volume-type: STANDARD
    csi.storage.k8s.io/fstype: obsfs
  name: obs-secret
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs
  volumeName: pv-obs-example</pre>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0336__table36670218280" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_0336__row166713212813"><th align="left" class="cellrowborder" valign="top" width="44.89%" id="mcps1.3.7.3.4.2.3.1.3.1.1"><p id="cce_10_0336__p16675202812">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="55.11000000000001%" id="mcps1.3.7.3.4.2.3.1.3.1.2"><p id="cce_10_0336__p156674217284">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0336__row866717219285"><td class="cellrowborder" valign="top" width="44.89%" headers="mcps1.3.7.3.4.2.3.1.3.1.1 "><p id="cce_10_0336__p196674219287">csi.storage.k8s.io/node-publish-secret-name</p>
</td>
<td class="cellrowborder" valign="top" width="55.11000000000001%" headers="mcps1.3.7.3.4.2.3.1.3.1.2 "><p id="cce_10_0336__p1466715214280">The name of a secret</p>
</td>
</tr>
<tr id="cce_10_0336__row1966762142811"><td class="cellrowborder" valign="top" width="44.89%" headers="mcps1.3.7.3.4.2.3.1.3.1.1 "><p id="cce_10_0336__p866718272816">csi.storage.k8s.io/node-publish-secret-namespace</p>
</td>
<td class="cellrowborder" valign="top" width="55.11000000000001%" headers="mcps1.3.7.3.4.2.3.1.3.1.2 "><p id="cce_10_0336__p11667142182814">The namespace of a secret</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="cce_10_0336__li5978123641714"><span>Create a PVC.</span><p><pre class="screen" id="cce_10_0336__screen2057318613341">kubectl create -f pvc-example.yaml</pre>
<p id="cce_10_0336__p1897815365173">After the PVC is created, you can create a workload and associate it with the PVC to create volumes.</p>
</p></li></ol>
</div>
<div class="section" id="cce_10_0336__section204171024144619"><h4 class="sectiontitle">Specifying a Secret for Mounting During Dynamic Creation of an OBS Volume</h4><p id="cce_10_0336__p103621416379">When dynamically creating an OBS volume, you can use the following method to specify a secret:</p>
<ol id="cce_10_0336__ol55461938716"><li id="cce_10_0336__li16546183175"><span>Create a YAML file for the PVC, for example, <strong id="cce_10_0336__b64161444155911">pvc-example.yaml</strong>.</span><p><pre class="screen" id="cce_10_0336__screen181936371482">apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/node-publish-secret-name: test-user
    csi.storage.k8s.io/node-publish-secret-namespace: default
    everest.io/obs-volume-type: STANDARD
    csi.storage.k8s.io/fstype: obsfs
  name: obs-secret
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs</pre>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0336__table1911916210118" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_0336__row711972201120"><th align="left" class="cellrowborder" valign="top" width="44.89%" id="mcps1.3.8.3.1.2.2.1.3.1.1"><p id="cce_10_0336__p15120821110">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="55.11000000000001%" id="mcps1.3.8.3.1.2.2.1.3.1.2"><p id="cce_10_0336__p71209271119">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0336__row1112012271110"><td class="cellrowborder" valign="top" width="44.89%" headers="mcps1.3.8.3.1.2.2.1.3.1.1 "><p id="cce_10_0336__p61203218111">csi.storage.k8s.io/node-publish-secret-name</p>
</td>
<td class="cellrowborder" valign="top" width="55.11000000000001%" headers="mcps1.3.8.3.1.2.2.1.3.1.2 "><p id="cce_10_0336__p12398112713346">The name of a secret</p>
</td>
</tr>
<tr id="cce_10_0336__row266117185118"><td class="cellrowborder" valign="top" width="44.89%" headers="mcps1.3.8.3.1.2.2.1.3.1.1 "><p id="cce_10_0336__p1662151891115">csi.storage.k8s.io/node-publish-secret-namespace</p>
</td>
<td class="cellrowborder" valign="top" width="55.11000000000001%" headers="mcps1.3.8.3.1.2.2.1.3.1.2 "><p id="cce_10_0336__p173981627123411">The namespace of a secret</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="cce_10_0336__li11614552151116"><span>Create a PVC.</span><p><pre class="screen" id="cce_10_0336__screen1640461817346">kubectl create -f pvc-example.yaml</pre>
<p id="cce_10_0336__p4255338215">After the PVC is created, you can create a workload and associate it with the PVC to create volumes.</p>
</p></li></ol>
</div>
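<p>An audit that can be run before disabling the global access secret, or before deleting or disabling an access key, added here as an example and not part of the CCE documentation or tooling. It assumes the input is the JSON printed by <strong>kubectl get pv,pvc -A -o json</strong> and that OBS PVCs are identified by the <strong>csi-obs</strong> storage class; the function names and the sample listing are constructed for illustration.</p>

```python
import json

OBS_DRIVER = "obs.csi.everest.io"   # spec.csi.driver in the PV example on this page
OBS_STORAGE_CLASS = "csi-obs"       # storageClassName in the PV/PVC examples
ANN_SECRET_NAME = "csi.storage.k8s.io/node-publish-secret-name"
ANN_SECRET_NS = "csi.storage.k8s.io/node-publish-secret-namespace"


def obs_secret_refs(listing):
    """Yield (object, secret namespace, secret name) for every OBS PV and PVC.

    Missing values are yielded as None so callers can separate volumes that
    carry their own access keys from volumes that do not.
    """
    for item in listing.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        if item.get("kind") == "PersistentVolume":
            csi = spec.get("csi") or {}
            if csi.get("driver") != OBS_DRIVER:
                continue
            ref = csi.get("nodePublishSecretRef") or {}
            yield f'PV {meta.get("name")}', ref.get("namespace"), ref.get("name")
        elif item.get("kind") == "PersistentVolumeClaim":
            if spec.get("storageClassName") != OBS_STORAGE_CLASS:
                continue
            ann = meta.get("annotations") or {}
            obj = f'PVC {meta.get("namespace")}/{meta.get("name")}'
            yield obj, ann.get(ANN_SECRET_NS), ann.get(ANN_SECRET_NAME)


def volumes_without_secret(listing):
    """OBS volumes with no custom access key: these have nothing to mount
    with once the global access secret is disabled."""
    return sorted(o for o, ns, name in obs_secret_refs(listing) if not (ns and name))


def secrets_in_use(listing):
    """Map 'namespace/secret' to the OBS volumes that mount with it, i.e. the
    access keys that must not be deleted or disabled."""
    used = {}
    for obj, ns, name in obs_secret_refs(listing):
        if ns and name:
            used.setdefault(f"{ns}/{name}", []).append(obj)
    return {secret: sorted(objs) for secret, objs in used.items()}


# Constructed sample listing (not real cluster output).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "PersistentVolume", "metadata": {"name": "pv-obs-example"},
   "spec": {"csi": {"driver": "obs.csi.everest.io",
            "nodePublishSecretRef": {"name": "test-user", "namespace": "default"}}}},
  {"kind": "PersistentVolume", "metadata": {"name": "pv-obs-legacy"},
   "spec": {"csi": {"driver": "obs.csi.everest.io"}}},
  {"kind": "PersistentVolume", "metadata": {"name": "pv-other"},
   "spec": {"csi": {"driver": "other.csi.example"}}},
  {"kind": "PersistentVolumeClaim",
   "metadata": {"name": "obs-secret", "namespace": "default", "annotations": {
     "csi.storage.k8s.io/node-publish-secret-name": "test-user",
     "csi.storage.k8s.io/node-publish-secret-namespace": "default"}},
   "spec": {"storageClassName": "csi-obs"}},
  {"kind": "PersistentVolumeClaim",
   "metadata": {"name": "obs-legacy", "namespace": "default"},
   "spec": {"storageClassName": "csi-obs"}}
]}
""")

if __name__ == "__main__":
    print("no custom secret:", volumes_without_secret(SAMPLE))
    print("secrets in use:  ", secrets_in_use(SAMPLE))
```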
<div class="section" id="cce_10_0336__section1698122173919"><h4 class="sectiontitle">Verification</h4><div class="p" id="cce_10_0336__p11504721521">You can use a secret of an IAM user to mount an OBS volume. Assume that a workload named <strong id="cce_10_0336__b0143114517314">obs-secret</strong> is created, the mount path in the container is <strong id="cce_10_0336__b3806513123217">/temp</strong>, and the IAM user has the CCE <strong id="cce_10_0336__b14155556183219">ReadOnlyAccess</strong> and <strong id="cce_10_0336__b742055918322">Tenant Guest</strong> permissions.<ol id="cce_10_0336__ol656171774216"><li id="cce_10_0336__li2561170423">Query the name of the workload pod.<pre class="screen" id="cce_10_0336__screen643673512344">kubectl get pod | grep obs-secret</pre>
<p id="cce_10_0336__p1654921194617">Expected outputs:</p>
<pre class="screen" id="cce_10_0336__screen175211232114611">obs-secret-5cd558f76f-vxslv 1/1 Running 0 3m22s</pre>
</li><li id="cce_10_0336__li239217408467">Query the objects in the mount path. In this example, the query is successful.<pre class="screen" id="cce_10_0336__screen11413184516349">kubectl exec <i><span class="varname" id="cce_10_0336__varname7535115583414">obs-secret-5cd558f76f-vxslv</span></i> -- ls -l /temp/</pre>
</li><li id="cce_10_0336__li97510533467">Write data into the mount path. In this example, the write operation failed.<pre class="screen" id="cce_10_0336__screen16882125873418">kubectl exec <i><span class="varname" id="cce_10_0336__varname16959754353">obs-secret-5cd558f76f-vxslv</span></i> -- touch /temp/test</pre>
<p id="cce_10_0336__p667716518493">Expected outputs:</p>
<pre class="screen" id="cce_10_0336__screen14869155884916">touch: setting times of '/temp/test': No such file or directory
command terminated with exit code 1</pre>
</li><li id="cce_10_0336__li1375318184504">Set the read/write permissions for the IAM user who mounted the OBS volume by referring to the bucket policy configuration.<p id="cce_10_0336__p7818145635018"><a name="cce_10_0336__li1375318184504"></a><a name="li1375318184504"></a></p>
<p id="cce_10_0336__p144121440195011"><span><img id="cce_10_0336__image1660992315485" src="en-us_image_0000002516079657.png"></span></p>
</li><li id="cce_10_0336__li3633175615112">Write data into the mount path again. In this example, the write operation succeeded.<pre class="screen" id="cce_10_0336__screen469981218356">kubectl exec <i><span class="varname" id="cce_10_0336__varname148941425113517">obs-secret-5cd558f76f-vxslv</span></i> -- touch /temp/test</pre>
</li><li id="cce_10_0336__li185365479522">Check the mount path in the container to see whether the data is successfully written.<pre class="screen" id="cce_10_0336__screen1413816290357">kubectl exec <i><span class="varname" id="cce_10_0336__varname171293643515">obs-secret-5cd558f76f-vxslv</span></i> -- ls -l /temp/</pre>
<p id="cce_10_0336__p1123745195313">Expected outputs:</p>
<pre class="screen" id="cce_10_0336__screen18702181485316">-rwxrwxrwx 1 root root 0 Jun 7 01:52 test</pre>
</li></ol>
</div>
</div>
</div>