Jump toUpdate content

Managing Block Storage volumes with the Scaleway CSI

Published on 12 August 2021
Identity and Access Management (IAM):

If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets

The Scaleway Block Volume Container Storage Interface (CSI) driver is an implementation of the CSI interface to provide a way to manage Scaleway Block Volumes through a container orchestration system, like Kubernetes. It is installed by default on every Kubernetes Kapsule and Kosmos cluster.


Following is a list of functionalities implemented by the Scaleway CSI driver.

Block device resizing

The Scaleway CSI driver implements the resize feature (example for Kubernetes). It allows an online resize (without the need to detach the block device). However resizing can only be done upwards, decreasing a volume’s size is not supported.

Raw Block Volume

Raw Block Volumes allows the block volume to be exposed directly to the container as a block device, instead of a mounted filesystem. To enable it, the volumeMode needs to be set to Block. For instance, here is a PVC in raw block volume mode:

apiVersion: v1
kind: PersistentVolumeClaim
name: my-raw-pvc
volumeMode: Block

At-Rest encryption

Support for volume encryption. See in examples

Volume snapshots

Volume snapshots allows the user to create a snapshot of a specific block volume.

Volume statistics

The Scaleway CSI driver implements the NodeGetVolumeStats CSI method. It is used to gather statistics about the used block volumes. In Kubernetes, kubelet exposes these metrics.


This section is Kubernetes specific. Note that Scaleway CSI driver may work for older Kubernetes version than those announced. The CSI driver allows to use Persistent Volumes in Kubernetes.

Creating persistent volumes with Scaleway Block Storage

  1. Create a PersistentVolumeClaim and use it as a volume inside the pod of a deployment.
    $ kubectl apply -f pvc-deployment/pvc.yaml
  2. Create the deployment that will use this volume:
    $ kubectl apply -f pvc-deployment/deployment.yaml

Creating raw block volumes

  1. Create a block volume and make it available in the pod as a raw block device. In order to do so, volumeMode must be set to Block:
    $ kubectl apply -f raw-volume/pvc.yaml
  2. Create a pod that will use this raw volume. In order to do so, volumesDevices must be used, instead of the traditional volumeMounts:
    $ kubectl apply -f raw-volume/pod.yaml
  3. Exec into the container and use the volume as a classic block device:
    $ kubectl exec -it my-awesome-block-volume-app sh
    / # ls -al /dev/xvda
    brw-rw---- 1 root disk 8, 32 Mar 23 12:34 /dev/xvda
    / # dd if=/dev/zero of=/dev/xvda bs=1024k count=100
    100+0 records in
    100+0 records out
    104857600 bytes (100.0MB) copied, 0.043702 seconds, 2.2GB/s

Importing existing Scaleway volumes

  1. If you have an already existing volume, with the ID 11111111-1111-1111-111111111111 in the zone fr-par-1, you can import it by creating the following PV:
    apiVersion: v1
    kind: PersistentVolume
    name: test-pv
    storage: 5Gi
    volumeMode: Filesystem
    - ReadWriteOnce
    storageClassName: scw-bssd
    driver: csi.scaleway.com
    volumeHandle: fr-par-1/11111111-1111-1111-111111111111
    - matchExpressions:
    - key: topology.csi.scaleway.com/zone
    operator: In
    - fr-par-1
  2. Once the PV is created, create a PVC with the same attributes (here scw-bssd as storage class and a size of 5Gi):
    $ kubectl apply -f importing/pvc.yaml
  3. Ceate a pod that uses this volume:
    $ kubectl apply -f importing/pod.yaml

Encrypting volumes

This plugin supports at rest encryption of the volumes with Cryptsetup/LUKS.


Resizing an encrypted volume does not work.

Storage class parameters

In order to have an encrypted volume, encrypted: true needs to be added to the StorageClass parameters. You will also need an passphrase to encrypt/decrypt the volume, which is take from the secrets passed to the NodeStageVolume method.

The external-provisioner can be used to pass down the wanted secret to the CSI plugin (v1.0.1+).

Two additional parameters are needed on the StorageClass:

  • csi.storage.k8s.io/node-stage-secret-name: The name of the secret
  • csi.storage.k8s.io/node-stage-secret-namespace: The namespace of the secret

The secret needs to have the passphrase in the entry with the key encryptionPassphrase.

For instance with the following secret:

apiVersion: v1
kind: Secret
name: enc-secret
namespace: default
type: Opaque
encryptionPassphrase: bXlhd2Vzb21lcGFzc3BocmFzZQ==

and the following StorageClass:

allowVolumeExpansion: false # not yet supported
apiVersion: storage.k8s.io/v1
kind: StorageClass
name: "scw-bssd-enc"
provisioner: csi.scaleway.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
encrypted: "true"
csi.storage.k8s.io/node-stage-secret-name: "enc-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "default"

all the PVC created with the StorageClass scw-bssd-enc will be encrypted at rest with the passphrase myawesomepassphrase.

The Per Volume Secret can also be used to avoid having one passphrase per StorageClass.

See Also