This directory contains examples demonstrating how to use the Rclone CSI driver with various cloud storage backends.
1. Deploy the CSI driver:

   ```bash
   kubectl apply -k ../
   ```

2. Choose a storage backend example and follow the specific instructions.

3. Create a PVC and test pod:

   ```bash
   kubectl apply -f rclone-pv-example.yaml
   ```

- `rclone-pv-example.yaml` - Complete PersistentVolume example with inline rclone configuration
- `rclone-secret.yaml` - Secret-based configuration example
- `template-variable-examples.yaml` - Dynamic path substitution examples

- `minio-deploy.yaml` - MinIO S3-compatible storage setup
- `nginx-dynamic-path.yaml` - Dynamic path configuration

- `storageclass-s3.yaml` - Amazon S3 storage class
- `storageclass-gcs.yaml` - Google Cloud Storage storage class
- `storageclass-azure.yaml` - Azure Blob Storage storage class
- `storageclass-minio.yaml` - MinIO storage class

- `secret-s3.yaml` - S3 credentials secret
- `secret-gcs.yaml` - GCS service account secret
- `secret-azure.yaml` - Azure credentials secret
- `secret-dropbox.yaml` - Dropbox token secret
- `secret-rc-auth.yaml` - RC API authentication secret (for Remote Control API)

Store sensitive credentials in Kubernetes secrets and reference them in the StorageClass:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: rclone-secret
type: Opaque
stringData:
  remote: "s3"
  remotePath: "my-bucket"
  configData: |
    [s3]
    type = s3
    provider = AWS
    access_key_id = YOUR_ACCESS_KEY_ID
    secret_access_key = YOUR_SECRET_ACCESS_KEY
    region = us-east-1
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rclone-csi
provisioner: rclone.csi.veloxpack.io
parameters:
  remote: "s3"
  remotePath: "my-bucket"
  csi.storage.k8s.io/node-publish-secret-name: "rclone-secret"
  csi.storage.k8s.io/node-publish-secret-namespace: "default"
```

Include configuration directly in StorageClass parameters:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rclone-csi
provisioner: rclone.csi.veloxpack.io
parameters:
  remote: "s3"
  remotePath: "my-bucket"
  configData: |
    [s3]
    type = s3
    provider = AWS
    access_key_id = YOUR_ACCESS_KEY_ID
    secret_access_key = YOUR_SECRET_ACCESS_KEY
    region = us-east-1
```

Configure directly in PersistentVolume volumeAttributes:

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-rclone
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  csi:
    driver: rclone.csi.veloxpack.io
    volumeHandle: unique-volume-id
    volumeAttributes:
      remote: "s3"
      remotePath: "my-bucket/folder"
      configData: |
        [s3]
        type = s3
        provider = AWS
        access_key_id = YOUR_ACCESS_KEY_ID
        secret_access_key = YOUR_SECRET_ACCESS_KEY
        region = us-east-1
```

The driver supports template variables in the `remotePath` parameter:

| Variable | Description | Example |
|---|---|---|
| `${pvc.metadata.name}` | PVC name | `my-pvc-12345` |
| `${pvc.metadata.namespace}` | PVC namespace | `default` |
| `${pv.metadata.name}` | PV name | `pv-rclone-abc123` |

Example:

```yaml
parameters:
  remote: "s3"
  remotePath: "my-bucket/${pvc.metadata.namespace}/${pvc.metadata.name}"
```

- Provider: AWS
- Configuration: Access key, secret key, region
- Example: `storageclass-s3.yaml`

- Provider: Google Cloud
- Configuration: Service account JSON or OAuth
- Example: `storageclass-gcs.yaml`

- Provider: Microsoft Azure
- Configuration: Storage account name and key
- Example: `storageclass-azure.yaml`

- Provider: MinIO (S3-compatible)
- Configuration: Endpoint, access key, secret key
- Example: `storageclass-minio.yaml`

- Provider: Dropbox
- Configuration: OAuth token
- Example: `secret-dropbox.yaml`

- Provider: SFTP server
- Configuration: Host, username, password/key
- Example: `secret-sftp.yaml`

The driver can expose rclone's Remote Control API for programmatic control of mounts. This is useful for:
- VFS Cache Refresh: Trigger cache refresh for specific paths
- Statistics: Get real-time mount statistics
- Operations: Control rclone operations programmatically

1. Create the RC auth secret:

   ```bash
   kubectl apply -f secret-rc-auth.yaml
   ```

2. Enable RC API in your deployment (via Helm or kustomize)

3. Use the RC API from within your cluster:

   ```bash
   # Get RC service endpoint
   RC_SERVICE=$(kubectl get svc -n veloxpack csi-rclone-node-rc -o jsonpath='{.metadata.name}')

   # Example: Refresh VFS cache
   curl -X POST http://${RC_SERVICE}:5573/vfs/refresh \
     -u admin:secure-password \
     -H "Content-Type: application/json" \
     -d '{"recursive": true, "dir": "/path/to/mount"}'
   ```

For more information, see the RC API documentation.

```yaml
resources:
  requests:
    memory: "256Mi"
    cpu: "100m"
  limits:
    memory: "512Mi"
    cpu: "500m"
```

```bash
# Check controller pods
kubectl get pods -n veloxpack -l app=csi-rclone-controller
# Check node pods
kubectl get pods -n veloxpack -l app=csi-rclone-node
# Check logs
kubectl logs -n veloxpack -l app=csi-rclone-controller
kubectl logs -n veloxpack -l app=csi-rclone-node
```

```bash
# Check if the driver is working correctly
# (kubectl exec takes a pod name, not a label selector, so look the pod up first)
NODE_POD=$(kubectl get pods -n veloxpack -l app=csi-rclone-node -o jsonpath='{.items[0].metadata.name}')
kubectl exec -n veloxpack "$NODE_POD" -- /rcloneplugin --help
# Check driver version information (shows when driver starts)
kubectl logs -n veloxpack -l app=csi-rclone-node --tail=10 | grep "DRIVER INFORMATION" -A 10
```

```bash
# Check driver logs for configuration parsing
kubectl logs -n veloxpack -l app=csi-rclone-node --tail=50 | grep -i config
```

- Use Secrets: Store sensitive credentials in Kubernetes secrets
- RBAC: Ensure proper RBAC permissions are configured
- Network Policies: Consider using network policies to restrict access
- Credential Rotation: Regularly rotate storage backend credentials
- Least Privilege: Use credentials with minimal required permissions
- Authentication failures: Verify credentials in secrets or configData
- Network connectivity: Ensure nodes can reach the storage backend
- Permission errors: Check that credentials have proper access rights
- Configuration format: Ensure configData is valid INI format
- Resource constraints: Verify sufficient memory and disk space
For detailed troubleshooting, see the debug guide.
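
The "Use Secrets" and "Configuration format" points above can be checked before a manifest is applied. The following is an added example, not code from this project: it assumes each manifest has already been parsed into a Python dict by a YAML loader, that `remote` names the section in `configData` as in the examples above, and that option names containing the listed words hold credentials; `driver_params` and `audit` are hypothetical names, and the sample manifests are constructed.

```python
import configparser
import re

# Template variables documented in this README's table.
KNOWN_VARS = {"pvc.metadata.name", "pvc.metadata.namespace", "pv.metadata.name"}
# Heuristic (assumption): option names containing these words hold credentials.
SENSITIVE = ("secret", "key", "pass", "token", "credential")

def driver_params(obj):
    """Return the driver parameters of a parsed Secret, StorageClass or PV."""
    kind = obj.get("kind")
    if kind == "Secret":
        return obj.get("stringData", {})
    if kind == "StorageClass":
        return obj.get("parameters", {})
    return obj.get("spec", {}).get("csi", {}).get("volumeAttributes", {})

def audit(obj):
    """Return findings for one manifest dict; an empty list means clean."""
    kind, params = obj.get("kind"), driver_params(obj)
    findings = [f"unknown template variable: {var}"
                for var in re.findall(r"\$\{([^}]*)\}", params.get("remotePath", ""))
                if var not in KNOWN_VARS]
    if "configData" not in params:
        return findings
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(params["configData"])
    except configparser.Error as exc:
        return findings + [f"configData is not valid INI: {type(exc).__name__}"]
    remote = params.get("remote", "")
    if not parser.has_section(remote):
        findings.append(f"no [{remote}] section in configData")
    elif not parser.has_option(remote, "type"):
        findings.append(f"[{remote}] has no type option")
    if kind != "Secret":  # StorageClass and PV fields are not Secret objects
        findings += [f"{kind} holds {sec}.{opt} inline; move it to a Secret"
                     for sec in parser.sections() for opt in parser.options(sec)
                     if any(word in opt for word in SENSITIVE)]
    return findings

# Constructed sample input, shaped like the manifests above after YAML parsing.
CONFIG = "[s3]\ntype = s3\naccess_key_id = PLACEHOLDER\nsecret_access_key = PLACEHOLDER\n"
SECRET = {"kind": "Secret", "stringData": {"remote": "s3", "configData": CONFIG}}
STORAGE_CLASS = {"kind": "StorageClass", "parameters": {
    "remote": "s3", "remotePath": "my-bucket/${pvc.metadata.nmae}", "configData": CONFIG}}
if __name__ == "__main__":
    for manifest in (SECRET, STORAGE_CLASS):
        print(manifest["kind"], audit(manifest))
```

The Secret sample passes cleanly, while the StorageClass sample is flagged for the misspelled template variable and for both inline S3 keys.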
To add new examples:
- Create a new YAML file with a descriptive name
- Include comments explaining the configuration
- Test the example thoroughly
- Update this README with the new example
- Submit a pull request
These examples are based on patterns from the csi-driver-nfs project and inspired by the original csi-rclone implementation.