Managing Block Storage volumes with the Scaleway CSI
The Scaleway Block Volume Container Storage Interface (CSI) driver is an implementation of the CSI interface to provide a way to manage Scaleway Block Volumes through a container orchestration system, like Kubernetes. It is installed by default on every Kubernetes Kapsule and Kosmos cluster.
Before you start
To complete the actions presented on this page, you must have:
- You have an account and are logged into the Scaleway console
- You have created a Kubernetes cluster running on Scaleway Instances (v1.21+)
- You have a Scaleway Project or Organization ID, Access and Secret key
Features
The following functionalities are implemented by the Scaleway CSI driver.
Block device resizing
The Scaleway CSI driver implements the resize feature (example for Kubernetes). It allows an online resize (without the need to detach the block device). However, resizing can only be done upwards; decreasing a volume's size is not supported.
Raw Block Volume
Raw Block Volumes allow the block volume to be exposed directly to the container as a block device, instead of a mounted filesystem. To enable it, volumeMode needs to be set to Block. For instance, here is a PVC in raw block volume mode:
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: my-raw-pvc
    spec:
      volumeMode: Block
      [...]
At-Rest encryption
The driver supports volume encryption. See the examples.
Volume snapshots
Volume snapshots allow the user to create a snapshot of a specific block volume.
Volume statistics
The Scaleway CSI driver implements the NodeGetVolumeStats CSI method. It is used to gather statistics about the used block volumes. In Kubernetes, kubelet exposes these metrics.
Kubernetes
This section is Kubernetes specific. Note that the Scaleway CSI driver may work with older Kubernetes versions than those announced. The CSI driver allows you to use Persistent Volumes in Kubernetes.
Creating persistent volumes with Scaleway Block Storage
- Create a PersistentVolumeClaim and use it as a volume inside the pod of a deployment.
kubectl apply -f pvc-deployment/pvc.yaml
- Create the deployment that will use this volume:
kubectl apply -f pvc-deployment/deployment.yaml
Creating raw block volumes
- Create a block volume and make it available in the pod as a raw block device. In order to do so, volumeMode must be set to Block:
kubectl apply -f raw-volume/pvc.yaml
- Create a pod that will use this raw volume. In order to do so, volumeDevices must be used instead of the traditional volumeMounts:
kubectl apply -f raw-volume/pod.yaml
- Exec into the container and use the volume as a classic block device:
    kubectl exec -it my-awesome-block-volume-app -- sh
    / # ls -al /dev/xvda
    brw-rw---- 1 root disk 8, 32 Mar 23 12:34 /dev/xvda
    / # dd if=/dev/zero of=/dev/xvda bs=1024k count=100
    100+0 records in
    100+0 records out
    104857600 bytes (100.0MB) copied, 0.043702 seconds, 2.2GB/s
Importing existing Scaleway volumes
- If you have an already existing volume, with the ID 11111111-1111-1111-111111111111 in the zone fr-par-1, you can import it by creating the following PV:
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: test-pv
    spec:
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      accessModes:
        - ReadWriteOnce
      storageClassName: scw-bssd
      csi:
        driver: csi.scaleway.com
        volumeHandle: fr-par-1/11111111-1111-1111-111111111111
      nodeAffinity:
        required:
          nodeSelectorTerms:
            - matchExpressions:
                - key: topology.csi.scaleway.com/zone
                  operator: In
                  values:
                    - fr-par-1
- Once the PV is created, create a PVC with the same attributes (here scw-bssd as storage class and a size of 5Gi):
kubectl apply -f importing/pvc.yaml
- Create a pod that uses this volume:
kubectl apply -f importing/pod.yaml
Encrypting volumes
This plugin supports at rest encryption of the volumes with Cryptsetup/LUKS.
Storage Class parameters
In order to have an encrypted volume, encrypted: true needs to be added to the StorageClass parameters. You will also need a passphrase to encrypt/decrypt the volume, which is taken from the secrets passed to the NodeStageVolume and NodeExpandVolume methods.
The external-provisioner can be used to pass down the wanted secret to the CSI plugin (v1.0.1+).
Some additional parameters are needed on the StorageClass:
- csi.storage.k8s.io/node-stage-secret-name: The name of the secret
- csi.storage.k8s.io/node-stage-secret-namespace: The namespace of the secret
- csi.storage.k8s.io/node-expand-secret-name: The name of the secret (see note below).
- csi.storage.k8s.io/node-expand-secret-namespace: The namespace of the secret (see note below).
Volume expansion for encrypted volumes is only supported with the CSINodeExpandSecret feature gate, which is available since v1.25.0 and enabled by default since v1.27.0.
The secret needs to have the passphrase in the entry with the key encryptionPassphrase.
For instance, with the following secret:
    apiVersion: v1
    kind: Secret
    metadata:
      name: enc-secret
      namespace: default
    type: Opaque
    data:
      encryptionPassphrase: bXlhd2Vzb21lcGFzc3BocmFzZQ==
and the following StorageClass:
    # Volume expansion is supported with CSINodeExpandSecret feature gate since v1.25.0 or by default since v1.27.0
    allowVolumeExpansion: true
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: "sbs-default-enc"
    provisioner: csi.scaleway.com
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    parameters:
      encrypted: "true"
      csi.storage.k8s.io/node-stage-secret-name: "enc-secret"
      csi.storage.k8s.io/node-stage-secret-namespace: "default"
      # Required for volume expansion
      csi.storage.k8s.io/node-expand-secret-name: "enc-secret"
      csi.storage.k8s.io/node-expand-secret-namespace: "default"
all PVCs created with the StorageClass sbs-default-enc will be encrypted at rest with the passphrase myawesomepassphrase.
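The StorageClass requirements described in this section (encrypted: "true", a node-stage secret reference, and a node-expand secret reference when expansion is allowed) can be checked across a cluster from the output of kubectl get storageclass -o json. The following is an added example, not part of the Scaleway documentation or driver; the sample objects and the helper names are constructed, and treating only the literal "true" as enabling encryption is an assumption.

```python
import json
import sys

DRIVER = "csi.scaleway.com"
PREFIX = "csi.storage.k8s.io/"

def audit_storage_classes(doc):
    """Map each csi.scaleway.com StorageClass name to a list of findings."""
    report = {}
    for sc in doc.get("items", []):
        if sc.get("provisioner") != DRIVER:
            continue  # other drivers use other parameters
        params = sc.get("parameters") or {}
        findings = []
        # Assumption: only the literal "true" shown on the page enables encryption.
        if params.get("encrypted") != "true":
            findings.append("not encrypted")
        else:
            stages = ["node-stage"]
            if sc.get("allowVolumeExpansion"):
                stages.append("node-expand")  # secret passed to NodeExpandVolume
            for stage in stages:
                for field in ("name", "namespace"):
                    key = f"{PREFIX}{stage}-secret-{field}"
                    if not params.get(key):
                        findings.append(f"missing {key}")
        report[sc["metadata"]["name"]] = findings
    return report

def sample_sc(name, encrypted, expand, secret_stages, provisioner=DRIVER):
    """Build a constructed StorageClass object for the demo below."""
    params = {"encrypted": "true"} if encrypted else {}
    for stage in secret_stages:
        params[f"{PREFIX}{stage}-secret-name"] = "enc-secret"
        params[f"{PREFIX}{stage}-secret-namespace"] = "default"
    return {"metadata": {"name": name}, "provisioner": provisioner,
            "allowVolumeExpansion": expand, "parameters": params}

# Constructed sample data, shaped like `kubectl get storageclass -o json`.
SAMPLE = {"items": [
    sample_sc("sbs-default-enc", True, True, ["node-stage", "node-expand"]),
    sample_sc("enc-no-expand-secret", True, True, ["node-stage"]),
    sample_sc("plain", False, True, []),
    sample_sc("other-driver", False, False, [], provisioner="example.com/other"),
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, findings in audit_storage_classes(doc).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```

Run it with a path to a saved kubectl get storageclass -o json file to audit a real cluster; with no argument it reports on the constructed sample.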
The Per Volume Secret can also be used to avoid having one passphrase per StorageClass.
Note that before v0.2.1 the expansion of encrypted volumes was not possible. PersistentVolumes created without the csi.storage.k8s.io/node-stage-secret annotations must be manually patched if the expansion is necessary. Be careful when doing so, as the required fields are immutable, and the patch will need to be forced. We recommend taking preventative measures such as backing up your data and switching the reclaimPolicy of the volume to Retain.