doc-exports/docs/cce/umn/cce_bestpractice_00199.html
Dong, Qiu Jian 86fb05065f CCE UMN for 24.2.0 version -20240428
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2024-06-10 08:19:07 +00:00


<a name="cce_bestpractice_00199"></a><a name="cce_bestpractice_00199"></a>
<h1 class="topictitle1">Mounting an Object Storage Bucket of a Third-Party Tenant</h1>
<div id="body1596848144770"><p id="cce_bestpractice_00199__p297671310586">This section describes how to mount OBS buckets and OBS parallel file systems (preferred) of third-party tenants.</p>
<div class="section" id="cce_bestpractice_00199__section3528113716314"><h4 class="sectiontitle">Application Scenarios</h4><p id="cce_bestpractice_00199__p1358132815418">The CCE cluster of a SaaS service provider needs to be mounted with the OBS bucket of a third-party tenant, as shown in <a href="#cce_bestpractice_00199__fig1315433183918">Figure 1</a>.</p>
<div class="fignone" id="cce_bestpractice_00199__fig1315433183918"><a name="cce_bestpractice_00199__fig1315433183918"></a><a name="fig1315433183918"></a><span class="figcap"><b>Figure 1 </b>Mounting an OBS bucket of a third-party tenant</span><br><span><img id="cce_bestpractice_00199__image715415317393" src="en-us_image_0000001898024613.png"></span></div>
<ol id="cce_bestpractice_00199__ol9553203045414"><li id="cce_bestpractice_00199__li1804183225414"><a href="#cce_bestpractice_00199__section193471249193310">The third-party tenant authorizes the SaaS service provider to access the OBS buckets or parallel file systems</a> by setting the bucket policy and bucket ACL.</li><li id="cce_bestpractice_00199__li211712725511"><a href="#cce_bestpractice_00199__en-us_topic_0196817407_section155006183017">The SaaS service provider statically imports the OBS buckets and parallel file systems of the third-party tenant</a>.</li><li id="cce_bestpractice_00199__li632118155551">The SaaS service provider processes the service and writes the processing result (result file or result data) back to the OBS bucket of the third-party tenant.</li></ol>
</div>
<div class="section" id="cce_bestpractice_00199__section15714753924"><h4 class="sectiontitle">Precautions</h4><ul id="cce_bestpractice_00199__ul12160175611"><li id="cce_bestpractice_00199__li11642893612">Only parallel file systems and OBS buckets of third-party tenants in the same region can be mounted.</li><li id="cce_bestpractice_00199__li079611425113">Only clusters where the everest add-on of v1.1.11 or later has been installed (the cluster version must be v1.15 or later) can be mounted with OBS buckets of third-party tenants.</li><li id="cce_bestpractice_00199__li740473311506">The service platform of the SaaS service provider needs to manage the lifecycle of the third-party bucket PVs. When a PVC is deleted separately, the PV is not deleted. Instead, it will be retained. To do so, call the native Kubernetes APIs to create and delete static PVs.</li></ul>
</div>
<div class="section" id="cce_bestpractice_00199__section193471249193310"><a name="cce_bestpractice_00199__section193471249193310"></a><a name="section193471249193310"></a><h4 class="sectiontitle">Authorizing the SaaS Service Provider to Access the OBS Buckets</h4><p id="cce_bestpractice_00199__p1875516136566">The following uses an OBS bucket as an example to describe how to set a bucket policy and bucket ACL to authorize the SaaS service provider. The configuration for an OBS parallel file system is the same.</p>
<ol id="cce_bestpractice_00199__ol833253975212"><li id="cce_bestpractice_00199__li633253935210"><span>Log in to the OBS console.</span></li><li id="cce_bestpractice_00199__li3463735310"><span>In the bucket list, click a bucket name and access the <strong id="cce_bestpractice_00199__b18829181715363">Overview</strong> page.</span></li></ol><ol start="3" id="cce_bestpractice_00199__ol99282343911"><li id="cce_bestpractice_00199__li554574744910"><span>In the navigation pane, choose <strong id="cce_bestpractice_00199__b7328142203915">Permissions</strong> &gt; <strong id="cce_bestpractice_00199__b143281221398">Bucket Policies</strong>. On the displayed page, click <strong id="cce_bestpractice_00199__b3415314205710">Create</strong> to create a bucket policy.</span><p><div class="fignone" id="cce_bestpractice_00199__fig1854564754912"><span class="figcap"><b>Figure 2 </b>Creating a bucket policy</span><br><span><img id="cce_bestpractice_00199__image511271072710" src="en-us_image_0000001851585700.png"></span></div>
<ul id="cce_bestpractice_00199__ul11545124714494"><li id="cce_bestpractice_00199__li063716875214"><strong id="cce_bestpractice_00199__b11511194133413">Policy Mode</strong>: Select <strong id="cce_bestpractice_00199__b2095371013342">Customized</strong>.</li><li id="cce_bestpractice_00199__li10545647174914"><strong id="cce_bestpractice_00199__b168516157348">Effect</strong>: Select <strong id="cce_bestpractice_00199__b108611513341">Allow</strong>.</li><li id="cce_bestpractice_00199__li1454594715494"><strong id="cce_bestpractice_00199__b1032533447">Principal</strong>: Select <strong id="cce_bestpractice_00199__b1932183317419">Include</strong>, select <strong id="cce_bestpractice_00199__b133217337419">Cloud service user</strong>, and enter the account ID and user ID. The bucket policy is applied to the specified user.</li><li id="cce_bestpractice_00199__li16545164794920"><strong id="cce_bestpractice_00199__b93249094015">Resources</strong>: Select the resources that can be operated.</li><li id="cce_bestpractice_00199__li8545144714495"><strong id="cce_bestpractice_00199__b172896563376">Actions</strong>: Select the actions that can be operated.</li></ul>
</p></li><li id="cce_bestpractice_00199__li13503613502"><span>In the navigation pane, choose <strong id="cce_bestpractice_00199__b426954616379">Permissions</strong> &gt; <strong id="cce_bestpractice_00199__b72695464374">Bucket ACLs</strong>. In the right pane, click <strong id="cce_bestpractice_00199__b92691946173719">Add</strong>. Enter the account ID or account name of the authorized user, select <strong id="cce_bestpractice_00199__b726910468375">Read</strong> and <strong id="cce_bestpractice_00199__b15269114614372">Write</strong> for <strong id="cce_bestpractice_00199__b18270144614370">Access to Bucket</strong>, select <strong id="cce_bestpractice_00199__b192701946113720">Read</strong> and <strong id="cce_bestpractice_00199__b52701246133718">Write</strong> for <strong id="cce_bestpractice_00199__b162701646193716">Access to ACL</strong>, and click <strong id="cce_bestpractice_00199__b18270846193715">OK</strong>.</span></li></ol>
</div>
<div class="section" id="cce_bestpractice_00199__en-us_topic_0196817407_section155006183017"><a name="cce_bestpractice_00199__en-us_topic_0196817407_section155006183017"></a><a name="en-us_topic_0196817407_section155006183017"></a><h4 class="sectiontitle">Statically Importing OBS Buckets and Parallel File Systems</h4><ul id="cce_bestpractice_00199__ul79216315179"><li id="cce_bestpractice_00199__li354212402246"><strong id="cce_bestpractice_00199__b580115524189">Static PV of an OBS bucket:</strong><pre class="screen" id="cce_bestpractice_00199__screen7813151101315">apiVersion: v1
kind: PersistentVolume
metadata:
  name: <strong id="cce_bestpractice_00199__b138883416190">objbucket</strong> #Replace the name with the actual PV name of the bucket.
  annotations:
    pv.kubernetes.io/provisioned-by: everest-csi-provisioner
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  <strong id="cce_bestpractice_00199__b10922444151419">mountOptions:</strong>
  <strong id="cce_bestpractice_00199__b893345171915">- default_acl=bucket-owner-full-control</strong> #New OBS mounting parameters
  csi:
    driver: obs.csi.everest.io
    fsType: s3fs
    volumeAttributes:
      everest.io/obs-volume-type: STANDARD
      everest.io/region: <strong id="cce_bestpractice_00199__b1035933031610">eu-de</strong> #Set it to the ID of the current region.
      storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
    volumeHandle: <strong id="cce_bestpractice_00199__b249514404235">objbucket</strong> #Replace the name with the actual bucket name of the third-party tenant.
  persistentVolumeReclaimPolicy: <strong id="cce_bestpractice_00199__b341545032418">Retain</strong> #This parameter must be set to <strong id="cce_bestpractice_00199__b146658142412">Retain</strong> to ensure that the bucket will not be deleted when a PV is deleted.
  storageClassName: <strong id="cce_bestpractice_00199__b10185165532510">csi-obs-mountoption</strong> #You can associate a new custom OBS storage class or the built-in csi-obs of the cluster.</pre>
<ul id="cce_bestpractice_00199__ul1595124103911"><li id="cce_bestpractice_00199__li171531846194420"><strong id="cce_bestpractice_00199__b118161262818">mountOptions</strong>: This field contains the new OBS mounting parameters that allow the bucket owner to have full access to the data in the bucket. This field solves the problem that the bucket owner cannot read the data written into a mounted third-party bucket. If the object storage of a third-party tenant is mounted, <strong id="cce_bestpractice_00199__b1249929191416">default_acl</strong> must be set to <strong id="cce_bestpractice_00199__b949929171412">bucket-owner-full-control</strong>. For details about other values of <strong id="cce_bestpractice_00199__b649929121419">default_acl</strong>, see <a href="https://docs.otc.t-systems.com/usermanual/obs/en-us_topic_0066088967.html" target="_blank" rel="noopener noreferrer">Bucket ACLs and Object ACLs</a>.</li><li id="cce_bestpractice_00199__li17913438433"><strong id="cce_bestpractice_00199__b102548414420">persistentVolumeReclaimPolicy</strong>: When the object storage of a third-party tenant is mounted, this field must be set to <strong id="cce_bestpractice_00199__b184185634410">Retain</strong>. In this way, the OBS bucket will not be deleted when a PV is deleted. The service platform of the SaaS service provider needs to manage the lifecycle of the third-party bucket PVs. When a PVC is deleted separately, the PV is not deleted. Instead, it will be retained. To do so, call the native Kubernetes APIs to create and delete static PVs.</li><li id="cce_bestpractice_00199__li524945474217"><strong id="cce_bestpractice_00199__b259155884515">storageClassName</strong>: You can associate a new custom OBS storage class (<a href="#cce_bestpractice_00199__li1235812419467">click here</a>) or the built-in csi-obs of the cluster.</li></ul>
<div class="p" id="cce_bestpractice_00199__p201991729111715"><strong id="cce_bestpractice_00199__b4729131224817">PVC of a bound OBS bucket:</strong><pre class="screen" id="cce_bestpractice_00199__screen25531018167">apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/fstype: obsfs
    everest.io/obs-volume-type: STANDARD
    volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
  name: <strong id="cce_bestpractice_00199__b576533810480">objbucketpvc</strong> #Replace the name with the actual PVC name of the bucket.
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-obs-mountoption #The value must be the same as the storage class associated with the bound PV.
  volumeName: objbucket #Replace the name with the actual PV name of the bucket to be bound.</pre>
</div>
</li><li id="cce_bestpractice_00199__li162888148182"><strong id="cce_bestpractice_00199__b1526719614528">Static PV of an OBS parallel file system:</strong><pre class="screen" id="cce_bestpractice_00199__screen210918941814">apiVersion: v1
kind: PersistentVolume
metadata:
  name: <strong id="cce_bestpractice_00199__b1188381612526">obsfscheck</strong> #Replace the name with the actual PV name of the parallel file system.
  annotations:
    pv.kubernetes.io/provisioned-by: everest-csi-provisioner
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  <strong id="cce_bestpractice_00199__b189013419182">mountOptions:</strong>
  <strong id="cce_bestpractice_00199__b48995413185">- default_acl=bucket-owner-full-control</strong> #New OBS mounting parameters
  csi:
    driver: obs.csi.everest.io
    fsType: obsfs
    volumeAttributes:
      everest.io/obs-volume-type: STANDARD
      everest.io/region: eu-de
      storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
    volumeHandle: <strong id="cce_bestpractice_00199__b9314144765316">obsfscheck</strong> #Replace the name with the actual name of the parallel file system of the third-party tenant.
  persistentVolumeReclaimPolicy: <strong id="cce_bestpractice_00199__b217875914534">Retain</strong> #This parameter must be set to <strong id="cce_bestpractice_00199__b41831859205318">Retain</strong> to ensure that the bucket will not be deleted when a PV is deleted.
  storageClassName: <strong id="cce_bestpractice_00199__b4661138541">csi-obs-mountoption</strong> #You can associate a new custom OBS storage class or the built-in csi-obs of the cluster.</pre>
<ul id="cce_bestpractice_00199__ul53721653124616"><li id="cce_bestpractice_00199__cce_bestpractice_00199_li171531846194420"><strong id="cce_bestpractice_00199__cce_bestpractice_00199_b118161262818">mountOptions</strong>: This field contains the new OBS mounting parameters that allow the bucket owner to have full access to the data in the bucket. This field solves the problem that the bucket owner cannot read the data written into a mounted third-party bucket. If the object storage of a third-party tenant is mounted, <strong id="cce_bestpractice_00199__cce_bestpractice_00199_b1249929191416">default_acl</strong> must be set to <strong id="cce_bestpractice_00199__cce_bestpractice_00199_b949929171412">bucket-owner-full-control</strong>. For details about other values of <strong id="cce_bestpractice_00199__cce_bestpractice_00199_b649929121419">default_acl</strong>, see <a href="https://docs.otc.t-systems.com/usermanual/obs/en-us_topic_0066088967.html" target="_blank" rel="noopener noreferrer">Bucket ACLs and Object ACLs</a>.</li><li id="cce_bestpractice_00199__cce_bestpractice_00199_li17913438433"><strong id="cce_bestpractice_00199__cce_bestpractice_00199_b102548414420">persistentVolumeReclaimPolicy</strong>: When the object storage of a third-party tenant is mounted, this field must be set to <strong id="cce_bestpractice_00199__cce_bestpractice_00199_b184185634410">Retain</strong>. In this way, the OBS bucket will not be deleted when a PV is deleted. The service platform of the SaaS service provider needs to manage the lifecycle of the third-party bucket PVs. When a PVC is deleted separately, the PV is not deleted. Instead, it will be retained. To do so, call the native Kubernetes APIs to create and delete static PVs.</li><li id="cce_bestpractice_00199__cce_bestpractice_00199_li524945474217"><strong id="cce_bestpractice_00199__cce_bestpractice_00199_b259155884515">storageClassName</strong>: You can associate a new custom OBS storage class (<a href="cce_bestpractice_00199.html#cce_bestpractice_00199__li1235812419467">click here</a>) or the built-in csi-obs of the cluster.</li></ul>
<div class="p" id="cce_bestpractice_00199__p126984225451">PVC of a bound OBS parallel file system:<pre class="screen" id="cce_bestpractice_00199__screen76981822194516">apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    csi.storage.k8s.io/fstype: obsfs
    everest.io/obs-volume-type: STANDARD
    volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
  name: <strong id="cce_bestpractice_00199__b7631950175413">obsfscheckpvc</strong> #Replace the name with the actual PVC name of the parallel file system.
  namespace: default
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: <strong id="cce_bestpractice_00199__b61231484557">csi-obs-mountoption</strong> #The value must be the same as the storage class associated with the bound PV.
  volumeName: <strong id="cce_bestpractice_00199__b10363151611551">obsfscheck</strong> #Replace the name with the actual PV name of the parallel file system.</pre>
</div>
</li><li id="cce_bestpractice_00199__li1235812419467"><a name="cce_bestpractice_00199__li1235812419467"></a><a name="li1235812419467"></a><strong id="cce_bestpractice_00199__b1882510012561">(Optional) Creating a custom OBS storage class to associate with a static PV:</strong><pre class="screen" id="cce_bestpractice_00199__screen311019201818">apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: <strong id="cce_bestpractice_00199__b1495613411479">csi-obs-mountoption</strong>
mountOptions:
- default_acl=bucket-owner-full-control
parameters:
  csi.storage.k8s.io/csi-driver-name: obs.csi.everest.io
  csi.storage.k8s.io/fstype: <strong id="cce_bestpractice_00199__b106501846191220">obsfs</strong>
  everest.io/obs-volume-type: STANDARD
provisioner: everest-csi-provisioner
reclaimPolicy: <strong id="cce_bestpractice_00199__b206884384409">Retain</strong>
volumeBindingMode: Immediate</pre>
<ul id="cce_bestpractice_00199__ul187295111124"><li id="cce_bestpractice_00199__li1097918427123"><strong id="cce_bestpractice_00199__b1620910137564">csi.storage.k8s.io/fstype</strong>: File type. The value can be <strong id="cce_bestpractice_00199__b20812925195618">obsfs</strong> or <strong id="cce_bestpractice_00199__b9234027135615">s3fs</strong>. If the value is <strong id="cce_bestpractice_00199__b1086513487569">s3fs</strong>, an OBS bucket is created and mounted using s3fs. If the value is <strong id="cce_bestpractice_00199__b19954115185616">obsfs</strong>, an OBS parallel file system is created and mounted using obsfs.</li><li id="cce_bestpractice_00199__li1529511132129"><strong id="cce_bestpractice_00199__b7241165795618">reclaimPolicy</strong>: Reclaim policy of a PV. The value will be set in <strong id="cce_bestpractice_00199__b18152714720">PV.spec.persistentVolumeReclaimPolicy</strong> dynamically created based on the new PVC associated with the storage class. If the value is <strong id="cce_bestpractice_00199__b8571175713215">Delete</strong>, the external OBS bucket and the PV will be deleted when the PVC is deleted. If the value is <strong id="cce_bestpractice_00199__b78551245345">Retain</strong>, the PV and external storage are retained when the PVC is deleted. In this case, clear the PV separately. In the scenario where an imported third-party bucket is associated, the storage class is used only for associating static PVs (with this field set to <strong id="cce_bestpractice_00199__b17519614712">Retain</strong>). Dynamic creation is not involved.</li></ul>
</li></ul>
</div>
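<p>As an added example that is not part of this documentation or of the everest add-on, the following Python script encodes the requirements stated in the static-import section (the <code>default_acl=bucket-owner-full-control</code> mount option, <code>Retain</code> as the reclaim policy, a set region and volume handle, and a PVC whose <code>storageClassName</code> and <code>volumeName</code> pin it to exactly one PV) as checks that a SaaS platform can run over its manifests before calling the Kubernetes API to create them. The manifests are constructed dictionaries mirroring the YAML on this page (PV <code>objbucket</code> in region <code>eu-de</code>); the function names and the check logic are the example's own, and <code>risky_pv_variant()</code> is a constructed misconfiguration used to show what the checks report.</p>

```python
import copy

# Constructed manifests (added example, not from the CCE documentation) mirroring the
# page's YAML for an OBS bucket imported from a third-party tenant in region eu-de.
REQUIRED_ACL = "default_acl=bucket-owner-full-control"
OBS_DRIVER = "obs.csi.everest.io"
PROVISIONER = "everest-csi-provisioner"

BUCKET_PV = {
    "apiVersion": "v1", "kind": "PersistentVolume",
    "metadata": {"name": "objbucket"},
    "spec": {"accessModes": ["ReadWriteMany"], "capacity": {"storage": "1Gi"},
             "mountOptions": [REQUIRED_ACL],
             "csi": {"driver": OBS_DRIVER, "fsType": "s3fs",
                     "volumeAttributes": {"everest.io/obs-volume-type": "STANDARD",
                                          "everest.io/region": "eu-de"},
                     "volumeHandle": "objbucket"},  # the tenant's bucket name
             "persistentVolumeReclaimPolicy": "Retain",
             "storageClassName": "csi-obs-mountoption"},
}

BUCKET_PVC = {
    "apiVersion": "v1", "kind": "PersistentVolumeClaim",
    "metadata": {"name": "objbucketpvc", "namespace": "default"},
    "spec": {"accessModes": ["ReadWriteMany"],
             "resources": {"requests": {"storage": "1Gi"}},
             "storageClassName": "csi-obs-mountoption", "volumeName": "objbucket"},
}

MOUNTOPTION_SC = {
    "apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
    "metadata": {"name": "csi-obs-mountoption"},
    "mountOptions": [REQUIRED_ACL],
    "parameters": {"csi.storage.k8s.io/csi-driver-name": OBS_DRIVER,
                   "csi.storage.k8s.io/fstype": "obsfs",
                   "everest.io/obs-volume-type": "STANDARD"},
    "provisioner": PROVISIONER, "reclaimPolicy": "Retain", "volumeBindingMode": "Immediate",
}


def check_static_pv(pv):
    """Findings for a static PV that imports a third-party bucket or parallel file
    system; an empty list means every requirement stated on the page holds."""
    findings = []
    spec = pv.get("spec", {})
    csi = spec.get("csi", {})
    if csi.get("driver") != OBS_DRIVER:
        findings.append(f"csi.driver is {csi.get('driver')!r}, expected {OBS_DRIVER!r}")
    if csi.get("fsType") not in ("s3fs", "obsfs"):
        findings.append("csi.fsType must be s3fs (bucket) or obsfs (parallel file system)")
    if not csi.get("volumeHandle"):
        findings.append("csi.volumeHandle must name the tenant's bucket or parallel file system")
    if not csi.get("volumeAttributes", {}).get("everest.io/region"):
        findings.append("everest.io/region must be set to the ID of the current region")
    # Without this option the bucket owner cannot read objects written through the mount.
    if REQUIRED_ACL not in spec.get("mountOptions", []):
        findings.append(f"mountOptions must include {REQUIRED_ACL}")
    # Retain keeps the tenant's bucket when the PV object itself is deleted.
    if spec.get("persistentVolumeReclaimPolicy") != "Retain":
        findings.append("persistentVolumeReclaimPolicy must be Retain for a third-party bucket")
    if not spec.get("storageClassName"):
        findings.append("storageClassName must be set so the PVC can select this PV")
    return findings


def check_pvc_binding(pv, pvc):
    """Findings on whether the PVC binds to exactly this PV and nothing else."""
    findings = []
    pv_spec, pvc_spec = pv.get("spec", {}), pvc.get("spec", {})
    if pvc_spec.get("volumeName") != pv.get("metadata", {}).get("name"):
        findings.append("PVC volumeName must equal the PV name")
    if pvc_spec.get("storageClassName") != pv_spec.get("storageClassName"):
        findings.append("PVC storageClassName must match the storage class of the PV")
    if not set(pvc_spec.get("accessModes", [])) <= set(pv_spec.get("accessModes", [])):
        findings.append("PVC accessModes must be a subset of the PV accessModes")
    return findings


def check_storage_class(sc):
    """Findings for a custom OBS storage class that is associated with static PVs."""
    findings = []
    if sc.get("provisioner") != PROVISIONER:
        findings.append(f"provisioner must be {PROVISIONER}")
    if sc.get("parameters", {}).get("csi.storage.k8s.io/fstype") not in ("s3fs", "obsfs"):
        findings.append("csi.storage.k8s.io/fstype must be s3fs or obsfs")
    if sc.get("reclaimPolicy") != "Retain":
        findings.append("reclaimPolicy must be Retain when the class is used for imported buckets")
    if REQUIRED_ACL not in sc.get("mountOptions", []):
        findings.append(f"mountOptions must include {REQUIRED_ACL}")
    return findings


def risky_pv_variant():
    """Constructed misconfiguration: reclaim policy Delete and the ACL option dropped."""
    bad = copy.deepcopy(BUCKET_PV)
    bad["spec"]["persistentVolumeReclaimPolicy"] = "Delete"
    bad["spec"]["mountOptions"] = []
    return bad


if __name__ == "__main__":
    print("PV:", check_static_pv(BUCKET_PV) or "OK")
    print("PV/PVC:", check_pvc_binding(BUCKET_PV, BUCKET_PVC) or "OK")
    print("StorageClass:", check_storage_class(MOUNTOPTION_SC) or "OK")
    print("risky PV:", check_static_pv(risky_pv_variant()))
```

<p>Running the script reports no findings for the three manifests taken from the page and two findings for the constructed variant (the <code>Delete</code> reclaim policy, which would let a PV deletion take the tenant's bucket with it, and the missing <code>default_acl</code> option, which would leave the bucket owner unable to read the written objects). The same functions accept any PV, PVC or StorageClass loaded from YAML with a parser such as PyYAML.</p>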
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_bestpractice_0053.html">Storage</a></div>
</div>
</div>