Managing Block Storage volumes with the Scaleway CSI
- You have an account and are logged into the Scaleway console
- You have created a Kubernetes cluster running on Scaleway Instances (v1.17+)
- You have a Scaleway Project or Organization ID, Access and Secret key
The Scaleway Block Volume Container Storage Interface (CSI) driver is an implementation of the CSI interface to provide a way to manage Scaleway Block Volumes through a container orchestration system, like Kubernetes.
This project is under active development and should be considered alpha. You can raise an issue if you think you have found a bug.
CSI Specification Compatibility Matrix
Scaleway CSI Driver \ CSI Version | v1.2.0 |
---|---|
master branch | yes |
v0.1.0 | yes |
v0.1.1 | yes |
v0.1.2 | yes |
v0.1.3 | yes |
v0.1.4 | yes |
v0.1.5 | yes |
Features
Following is a list of functionalities implemented by the Scaleway CSI driver.
Block device resizing
The Scaleway CSI driver implements the resize feature (example for Kubernetes). It allows an online resize, without the need to detach the block device. However, resizing can only be done upwards: decreasing a volume's size is not supported.
Raw Block Volume
Raw Block Volumes allow the block volume to be exposed directly to the container as a block device, instead of a mounted filesystem. To enable it, the volumeMode needs to be set to Block. For instance, here is a PVC in raw block volume mode:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-raw-pvc
spec:
  volumeMode: Block
  [...]
At-Rest encryption
Support for volume encryption. See the examples.
Volume snapshots
Volume snapshots allow the user to create a snapshot of a specific block volume.
Volume statistics
The Scaleway CSI driver implements the NodeGetVolumeStats CSI method. It is used to gather statistics about the used block volumes. In Kubernetes, kubelet exposes these metrics.
Kubernetes
This section is Kubernetes specific. Note that the Scaleway CSI driver may work with older Kubernetes versions than those listed. The CSI driver allows you to use Persistent Volumes in Kubernetes.
Kubernetes version compatibility matrix
Scaleway CSI Driver \ Kubernetes Version | K8S v1.17 | K8S v1.18 | K8S v1.19 |
---|---|---|---|
master branch | yes | yes | yes |
v0.1.x | yes | yes | yes |
Installing the Container Storage Interface (CSI) for Block Storage
These steps will cover how to install the Scaleway CSI driver in your Kubernetes cluster.
Configure the Scaleway secrets.
Edit the secret file in order to set your own secrets.
Once replaced, you can create the secret:
$ kubectl apply -f ./deploy/kubernetes/scaleway-secret.yaml
Deploy the Scaleway CSI driver and the needed sidecars.
It is recommended to deploy the latest tagged version, but you can also deploy the master version. Here we will deploy the latest version 0.1.4.
$ kubectl create -f ./deploy/kubernetes/scaleway-csi-v0.1.4.yaml
Verify that the driver is running:
$ kubectl get pods -n kube-system
[...]
scaleway-csi-controller-76897b577d-b4dgw 5/5 Running 0 3m
scaleway-csi-node-hvkfw 3/3 Running 0 3m
scaleway-csi-node-jmrz2 3/3 Running 0 3m
[...]
You should see the scaleway-csi-controller and the scaleway-csi-node pods.
Creating persistent volumes with Scaleway Block Storage
Create a PersistentVolumeClaim and use it as a volume inside the pod of a deployment, to store nginx’s logs. Create a 3Gi volume:
$ kubectl apply -f pvc-deployment/pvc.yaml
Create the deployment that will use this volume:
$ kubectl apply -f pvc-deployment/deployment.yaml
Creating raw block volumes
Create a block volume and make it available in the pod as a raw block device. In order to do so, volumeMode must be set to Block:
$ kubectl apply -f raw-volume/pvc.yaml
Create a pod that will use this raw volume. In order to do so, volumeDevices must be used instead of the traditional volumeMounts:
$ kubectl apply -f raw-volume/pod.yaml
Exec into the container and use the volume as a classic block device:
$ kubectl exec -it my-awesome-block-volume-app -- sh
/ # ls -al /dev/xvda
brw-rw---- 1 root disk 8, 32 Mar 23 12:34 /dev/xvda
/ # dd if=/dev/zero of=/dev/xvda bs=1024k count=100
100+0 records in
100+0 records out
104857600 bytes (100.0MB) copied, 0.043702 seconds, 2.2GB/s
Importing existing Scaleway volumes
If you have an already existing volume, with the ID 11111111-1111-1111-111111111111 in the zone fr-par-1, you can import it by creating the following PV:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  storageClassName: scw-bssd
  csi:
    driver: csi.scaleway.com
    volumeHandle: fr-par-1/11111111-1111-1111-111111111111
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: topology.csi.scaleway.com/zone
              operator: In
              values:
                - fr-par-1
Once the PV is created, create a PVC with the same attributes (here scw-bssd as storage class and a size of 5Gi):
$ kubectl apply -f importing/pvc.yaml
Create a pod that uses this volume:
$ kubectl apply -f importing/pod.yaml
Encrypting volumes
This plugin supports at rest encryption of the volumes with Cryptsetup/LUKS.
Resizing an encrypted volume does not work.
Storage class parameters
In order to have an encrypted volume, encrypted: true needs to be added to the StorageClass parameters.
You will also need a passphrase to encrypt/decrypt the volume, which is taken from the secrets passed to the NodeStageVolume method.
The external-provisioner can be used to pass down the wanted secret to the CSI plugin (v1.0.1+).
Two additional parameters are needed on the StorageClass:
- csi.storage.k8s.io/node-stage-secret-name: The name of the secret
- csi.storage.k8s.io/node-stage-secret-namespace: The namespace of the secret
The secret needs to have the passphrase in the entry with the key encryptionPassphrase.
For instance with the following secret:
apiVersion: v1
kind: Secret
metadata:
  name: enc-secret
  namespace: default
type: Opaque
data:
  encryptionPassphrase: bXlhd2Vzb21lcGFzc3BocmFzZQ==
and the following StorageClass:
allowVolumeExpansion: false # not yet supported
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: "scw-bssd-enc"
provisioner: csi.scaleway.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  encrypted: "true"
  csi.storage.k8s.io/node-stage-secret-name: "enc-secret"
  csi.storage.k8s.io/node-stage-secret-namespace: "default"
all the PVCs created with the StorageClass scw-bssd-enc will be encrypted at rest with the passphrase myawesomepassphrase.
The Per Volume Secret can also be used to avoid having one passphrase per StorageClass.
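The Per Volume Secret approach mentioned above, as an added example that is not part of the Scaleway documentation or repository: the StorageClass uses the external-provisioner's ${pvc.name} and ${pvc.namespace} templates so that each PVC is unlocked with its own Secret, and the helper functions generate a random passphrase, build that Secret, and show that the data value is base64-encoded rather than encrypted. The class name scw-bssd-enc-pervol and the convention of naming each Secret after its PVC are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Scaleway repository. Assumptions: the class name
# scw-bssd-enc-pervol and naming each Secret after its PVC are illustrative.

# StorageClass whose node-stage secret is resolved per PVC. The ${pvc.*}
# templates are expanded by the external-provisioner, hence the quoted heredoc.
storageclass_manifest() {
  cat <<'EOF'
allowVolumeExpansion: false
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: scw-bssd-enc-pervol
provisioner: csi.scaleway.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  encrypted: "true"
  csi.storage.k8s.io/node-stage-secret-name: "${pvc.name}"
  csi.storage.k8s.io/node-stage-secret-namespace: "${pvc.namespace}"
EOF
}

# 32 random bytes from the kernel CSPRNG, hex-encoded (64 characters).
new_passphrase() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Secret named after the PVC. $1 = PVC name, $2 = namespace, $3 = passphrase.
secret_manifest() {
  b64=$(printf '%s' "$3" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  encryptionPassphrase: $b64
EOF
}

# Read a Secret manifest on stdin and print the passphrase: the data field is
# only base64-encoded, so read access to the Secret equals access to the key.
decode_passphrase() {
  awk '$1 == "encryptionPassphrase:" { print $2 }' | base64 -d
}
```

To use it, pipe the output of storageclass_manifest and of secret_manifest my-pvc default "$(new_passphrase)" to kubectl apply -f -, creating the Secret before the first pod mounts the volume. Keep a copy of the passphrase outside the cluster, because a LUKS volume cannot be opened without it.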