Difference between revisions of "Aws-ebs-csi-driver Installation"
(39 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{lc}} | ||
<code>[[aws-ebs-csi-driver]]</code> Installation | <code>[[aws-ebs-csi-driver]]</code> Installation | ||
+ | * https://github.com/kubernetes-sigs/aws-ebs-csi-driver | ||
+ | * See also: [[Configure privileges for EBS CSI using ebs csi irsa role module]] | ||
− | + | == 0) Install driver == | |
− | helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver | + | [[helm repo add aws-ebs-csi-driver]] https://kubernetes-sigs.github.io/aws-ebs-csi-driver |
[[helm repo update]] | [[helm repo update]] | ||
helm upgrade --install aws-ebs-csi-driver --namespace [[kube-system]] aws-ebs-csi-driver/aws-ebs-csi-driver | helm upgrade --install aws-ebs-csi-driver --namespace [[kube-system]] aws-ebs-csi-driver/aws-ebs-csi-driver | ||
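Review bot: the `helm upgrade --install` line in "0) Install driver" carries no `--version`, so each run installs whatever chart version the repo currently serves. Consider pinning the chart version there so the install is reproducible and upgrades are a deliberate step.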
Line 16: | Line 19: | ||
To verify that aws-ebs-csi-driver has started, run: | To verify that aws-ebs-csi-driver has started, run: | ||
− | [[kubectl get pod -n kube-system | + | [[kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"]] |
− | NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and [[CRDs]] will no longer be installed as part of this chart and moving forward will be a prerequisite of using the [[snap shotting]] functionality. | + | NOTE: The [ CSI [[Snapshotter]] ](https://github.com/kubernetes-csi/external-snapshotter) controller and [[CRDs]] will no longer be installed as part of this chart and moving forward will be a prerequisite of using the [[snap shotting]] functionality. |
Output after installation: | Output after installation: | ||
[[kubectl get pod -n kube-system]] -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver" | [[kubectl get pod -n kube-system]] -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver" | ||
NAME READY STATUS RESTARTS AGE | NAME READY STATUS RESTARTS AGE | ||
− | ebs-csi-controller-7687b8974-2t8nf 5/5 Running 0 2m15s | + | [[ebs-csi-controller]]-7687b8974-2t8nf 5/5 Running 0 2m15s |
ebs-csi-controller-7687b8974-vpjln 5/5 Running 0 2m15s | ebs-csi-controller-7687b8974-vpjln 5/5 Running 0 2m15s | ||
− | ebs-csi-node-4nxsp 3/3 Running 0 2m15s | + | [[ebs-csi-node]]-4nxsp 3/3 Running 0 2m15s |
ebs-csi-node-6n8dp 3/3 Running 0 2m15s | ebs-csi-node-6n8dp 3/3 Running 0 2m15s | ||
ebs-csi-node-d4j8z 3/3 Running 0 2m15s | ebs-csi-node-d4j8z 3/3 Running 0 2m15s | ||
− | + | == 1) Grant driver IAM permissions == | |
− | + | Choose '''one''' of the following methods: | |
− | Choose one of the following methods: | ||
* 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the [[instance profile]] IAM role and turn on access to [[instance metadata]] for the instance(s) on which the driver Deployment will run. | * 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the [[instance profile]] IAM role and turn on access to [[instance metadata]] for the instance(s) on which the driver Deployment will run. | ||
* 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment [[service account]], which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default | * 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment [[service account]], which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default | ||
− | * 1.3 Using secret object - create an [[IAM user]], attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials | + | * 1.3 Using [[secret object]] - create an [[IAM user]], attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials |
− | ** Create IAM user: <code>aws iam create-user --user-name </code> | + | ** Create IAM user: <code>[[aws iam create-user --user-name]] [[ebs-csi-user]]</code> |
− | ** [[kubectl create secret generic]] aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}" | + | ** [[Attach policy]]: <code>[[aws iam attach-user-policy --user-name]] [[ebs-csi-user]] --policy-arn [[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> |
+ | ** Create secret: | ||
+ | *** <code>[[aws iam create-access-key]] --user-name ebs-csi-user</code> | ||
+ | *** <code>[[kubectl create secret generic]] aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"</code> | ||
+ | |||
+ | == Related == | ||
+ | * [[Configure privileges for EBS CSI using ebs csi irsa role module]] | ||
+ | |||
+ | |||
+ | [[kubectl get events]] | ||
+ | default 107s Warning [[ProvisioningFailed]] persistentvolumeclaim/myprometheus-server (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-4e14416c-c9c2-4d39-b749-9ce0fa98d597": could not create volume in EC2: [[UnauthorizedOperation]]: You are not authorized to perform this operation. Encoded authorization failure message: Goz6E3qExxxxx.../... | ||
+ | |||
+ | (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-641db932-4715-4f5a-b2d2-9c0c4117dd27": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform [[sts:AssumeRoleWithWebIdentity]] status code: 403, request id: 6bc69eb4-96a6-4167-b5e3-1234567890 | ||
+ | |||
+ | * <code>[[Opensearch]]</code> | ||
+ | * [[Prometheus]] | ||
+ | [[kubectl delete pods -n kube-system -l=app=ebs-csi-controller]] | ||
+ | |||
+ | * [[Kubernetes addons]] | ||
+ | * [[Amazon EBS CSI driver]] | ||
+ | * [[waiting for a volume to be created, either by external provisioner]] | ||
+ | * [[eks.amazonaws.com]]/role-arn: arn:aws:iam::012345678912:role/[[AmazonEKS_EBS_CSI_DriverRole]] | ||
+ | [[aws eks describe-addon-versions --addon-name aws-ebs-csi-driver]] | ||
+ | * [[Managing the Amazon EBS CSI driver as an Amazon EKS add-on]] | ||
== See also == | == See also == | ||
+ | * {{EKS storage}} | ||
* {{EKS}} | * {{EKS}} | ||
[[Category:EKS]] | [[Category:EKS]] |
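Review bot: in 1.3 "Create secret", `aws iam create-access-key` is followed by a `kubectl create secret generic` that reads `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}`, but no step says how the key pair returned by the first command ends up in those variables; add that step. The event output and the `kubectl delete pods` line added under "Related" also have no text saying which error each one belongs to or what the pod restart is for, so a sentence per item would make that section usable as troubleshooting notes.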
Latest revision as of 08:44, 18 April 2023
aws-ebs-csi-driver Installation
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
- See also: Configure privileges for EBS CSI using ebs csi irsa role module
0) Install driver
 helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
 helm repo update
 helm upgrade --install aws-ebs-csi-driver --namespace kube-system aws-ebs-csi-driver/aws-ebs-csi-driver

 Release "aws-ebs-csi-driver" does not exist. Installing it now.
 NAME: aws-ebs-csi-driver
 LAST DEPLOYED: Mon Sep 26 08:02:42 2022
 NAMESPACE: kube-system
 STATUS: deployed
 REVISION: 1
 TEST SUITE: None
 NOTES:
 To verify that aws-ebs-csi-driver has started, run:
     kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.

Output after installation:
 kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 NAME                                 READY   STATUS    RESTARTS   AGE
 ebs-csi-controller-7687b8974-2t8nf   5/5     Running   0          2m15s
 ebs-csi-controller-7687b8974-vpjln   5/5     Running   0          2m15s
 ebs-csi-node-4nxsp                   3/3     Running   0          2m15s
 ebs-csi-node-6n8dp                   3/3     Running   0          2m15s
 ebs-csi-node-d4j8z                   3/3     Running   0          2m15s
1) Grant driver IAM permissions
Choose one of the following methods:
- 1.1 Using IAM instance profile - attach arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy policy to the instance profile IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run.
- 1.2 EKS only: Using IAM roles for ServiceAccounts - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value controller.serviceAccount.name, ebs-csi-controller-sa by default
- 1.3 Using secret object - create an IAM user, attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials
  - Create IAM user: aws iam create-user --user-name ebs-csi-user
  - Attach policy: aws iam attach-user-policy --user-name ebs-csi-user --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
  - Create secret:
    - aws iam create-access-key --user-name ebs-csi-user
    - kubectl create secret generic aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"
Related
 kubectl get events
 default 107s Warning ProvisioningFailed persistentvolumeclaim/myprometheus-server (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-4e14416c-c9c2-4d39-b749-9ce0fa98d597": could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: Goz6E3qExxxxx.../...
(combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-641db932-4715-4f5a-b2d2-9c0c4117dd27": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403, request id: 6bc69eb4-96a6-4167-b5e3-1234567890
kubectl delete pods -n kube-system -l=app=ebs-csi-controller
- Kubernetes addons
- Amazon EBS CSI driver
- waiting for a volume to be created, either by external provisioner
- eks.amazonaws.com/role-arn: arn:aws:iam::012345678912:role/AmazonEKS_EBS_CSI_DriverRole
aws eks describe-addon-versions --addon-name aws-ebs-csi-driver
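One cause of the AccessDenied on sts:AssumeRoleWithWebIdentity shown above is a role trust policy whose `:sub` condition does not match the driver's service account from method 1.2. The following check is an added example, not part of the original page or the driver project; the OIDC issuer ID is a constructed placeholder and the function names are hypothetical.

```python
import fnmatch
import json

# Subject the cluster's OIDC token carries for the driver's default service account.
SUBJECT = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
# Constructed placeholder; a real cluster has its own OIDC issuer ID.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789"


def sample_policy(sub, operator="StringEquals"):
    """Build a constructed IRSA trust policy document for the checks below."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::012345678912:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {f"{OIDC}:sub": sub}},
    }]})


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, subject=SUBJECT):
    """Return 'ok', 'too-broad' or 'denied' for one service account subject."""
    # Only the :sub condition is evaluated; other keys (such as :aud) are ignored.
    exact = broad = False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", []))
                or "Federated" not in stmt.get("Principal", {})):
            continue
        subs = [(op, pat) for op, conds in stmt.get("Condition", {}).items()
                for key, pats in conds.items() if key.endswith(":sub")
                for pat in as_list(pats)]
        # No :sub condition: every service account in the cluster may assume the role.
        broad = broad or not subs
        for op, pat in subs:
            if pat == subject and op in ("StringEquals", "StringLike"):
                exact = True
            # IAM StringLike supports * and ?; fnmatch is a close approximation.
            elif op == "StringLike" and fnmatch.fnmatchcase(subject, pat):
                broad = True
    return "too-broad" if broad else "ok" if exact else "denied"


if __name__ == "__main__":
    print(check_trust_policy(sample_policy(SUBJECT)))
    print(check_trust_policy(sample_policy("system:serviceaccount:*:*", "StringLike")))
```

The JSON printed by `aws iam get-role --role-name AmazonEKS_EBS_CSI_DriverRole --query Role.AssumeRolePolicyDocument` can be passed to `check_trust_policy` as-is. A "denied" result points at the trust policy or the service account name rather than at AmazonEBSCSIDriverPolicy.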
See also
- EKS storage, Amazon EBS CSI driver, Amazon EFS CSI driver, kubectl describe storageclass
- EKS, eksctl, EKS add-ons, Amazon EKS cluster role, Terraform EKS, Kubernetes Autoscaler, Karpenter, Terraform module: EKS, Terraform resource: aws eks node group, Terraform data source: aws_eks_cluster, AWS Controllers for Kubernetes, AWS Load Balancer Controller, Amazon EKS Anywhere, Kustomize, aws-iam-authenticator, ACK, tEKS, Amazon EKS authorization, Amazon EKS authentication, Nodegroup, EKS storage, aws-ebs-csi-driver, aws-efs-csi-driver, aws-load-balancer-controller, amazon-vpc-cni-k8s, EKS security, EKS Best Practices Guides, hardeneks, EKS versions, fargate-scheduler, eks-connector, Resilience in Amazon EKS, EKS control plane logging, Security groups for Pods in EKS