Difference between revisions of "Aws-ebs-csi-driver Installation"

From wikieduonline
 
(35 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
{{lc}}
 
<code>[[aws-ebs-csi-driver]]</code> Installation
 
<code>[[aws-ebs-csi-driver]]</code> Installation
 +
* https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 +
* See also: [[Configure privileges for EBS CSI using ebs csi irsa role module]]
  
=== 0) Install driver ===
+
== 0) Install driver ==
  helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
+
  [[helm repo add aws-ebs-csi-driver]] https://kubernetes-sigs.github.io/aws-ebs-csi-driver
 
  [[helm repo update]]
 
  [[helm repo update]]
 
  helm upgrade --install aws-ebs-csi-driver --namespace [[kube-system]] aws-ebs-csi-driver/aws-ebs-csi-driver
 
  helm upgrade --install aws-ebs-csi-driver --namespace [[kube-system]] aws-ebs-csi-driver/aws-ebs-csi-driver
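Review bot: the `helm upgrade --install aws-ebs-csi-driver --namespace [[kube-system]] aws-ebs-csi-driver/aws-ebs-csi-driver` line that closes this hunk has no `--version`, so the page installs whichever chart release is current on the day the command is run. Suggest pinning the chart version in the command and stating which version the sample output on the page was captured from, so a reader can tell a changed pod count or a changed NOTES text from a broken install.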
Line 16: Line 19:
 
  To verify that aws-ebs-csi-driver has started, run:
 
  To verify that aws-ebs-csi-driver has started, run:
 
   
 
   
     [[kubectl get pod -n kube-system]] -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
+
     [[kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"]]
 
   
 
   
  NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and [[CRDs]] will no longer be installed as part of this chart and moving forward will be a prerequisite of using the [[snap shotting]] functionality.
+
  NOTE: The [ CSI [[Snapshotter]] ](https://github.com/kubernetes-csi/external-snapshotter) controller and [[CRDs]] will no longer be installed as part of this chart and moving forward will be a prerequisite of using the [[snap shotting]] functionality.
  
 
Output after installation:
 
Output after installation:
 
  [[kubectl get pod -n kube-system]] -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 
  [[kubectl get pod -n kube-system]] -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 
  NAME                                READY  STATUS    RESTARTS  AGE
 
  NAME                                READY  STATUS    RESTARTS  AGE
  ebs-csi-controller-7687b8974-2t8nf  5/5    Running  0          2m15s
+
  [[ebs-csi-controller]]-7687b8974-2t8nf  5/5    Running  0          2m15s
 
  ebs-csi-controller-7687b8974-vpjln  5/5    Running  0          2m15s
 
  ebs-csi-controller-7687b8974-vpjln  5/5    Running  0          2m15s
  ebs-csi-node-4nxsp                  3/3    Running  0          2m15s
+
  [[ebs-csi-node]]-4nxsp                  3/3    Running  0          2m15s
 
  ebs-csi-node-6n8dp                  3/3    Running  0          2m15s  
 
  ebs-csi-node-6n8dp                  3/3    Running  0          2m15s  
 
  ebs-csi-node-d4j8z                  3/3    Running  0          2m15s
 
  ebs-csi-node-d4j8z                  3/3    Running  0          2m15s
  
 
+
== 1) Grant driver IAM permissions ==
=== 1) Grant driver IAM permissions ===
+
Choose '''one''' of the following methods:
Choose one of the following methods:
 
 
* 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the [[instance profile]] IAM role and turn on access to [[instance metadata]] for the instance(s) on which the driver Deployment will run.
 
* 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the [[instance profile]] IAM role and turn on access to [[instance metadata]] for the instance(s) on which the driver Deployment will run.
 
* 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment [[service account]], which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default
 
* 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment [[service account]], which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default
* 1.3 Using secret object - create an [[IAM user]], attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials
+
* 1.3 Using [[secret object]] - create an [[IAM user]], attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials
 
** Create IAM user: <code>[[aws iam create-user --user-name]] [[ebs-csi-user]]</code>
 
** Create IAM user: <code>[[aws iam create-user --user-name]] [[ebs-csi-user]]</code>
** [[Attach policy]]: <code>aws iam attach-user-policy --user-name [[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code>
+
** [[Attach policy]]: <code>[[aws iam attach-user-policy --user-name]] [[ebs-csi-user]] --policy-arn [[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code>
** [[kubectl create secret generic]] aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"
+
** Create secret:
 +
*** <code>[[aws iam create-access-key]] --user-name ebs-csi-user</code>
 +
*** <code>[[kubectl create secret generic]] aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"</code>
 +
 
 +
== Related ==
 +
* [[Configure privileges for EBS CSI using ebs csi irsa role module]]
 +
 
 +
 
 +
[[kubectl get events]]
 +
default      107s        Warning  [[ProvisioningFailed]]    persistentvolumeclaim/myprometheus-server        (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-4e14416c-c9c2-4d39-b749-9ce0fa98d597": could not create volume in EC2: [[UnauthorizedOperation]]: You are not authorized to perform this operation. Encoded authorization failure message: Goz6E3qExxxxx.../...
 +
 
 +
(combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-641db932-4715-4f5a-b2d2-9c0c4117dd27": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform [[sts:AssumeRoleWithWebIdentity]] status code: 403, request id: 6bc69eb4-96a6-4167-b5e3-1234567890
 +
 
 +
* <code>[[Opensearch]]</code>
 +
* [[Prometheus]]
 +
[[kubectl delete pods -n kube-system -l=app=ebs-csi-controller]]
 +
 
 +
* [[Kubernetes addons]]
 +
* [[Amazon EBS CSI driver]]
 +
* [[waiting for a volume to be created, either by external provisioner]]
 +
* [[eks.amazonaws.com]]/role-arn: arn:aws:iam::012345678912:role/[[AmazonEKS_EBS_CSI_DriverRole]]
 +
[[aws eks describe-addon-versions --addon-name aws-ebs-csi-driver]]
 +
* [[Managing the Amazon EBS CSI driver as an Amazon EKS add-on]]
  
 
== See also ==
 
== See also ==
 +
* {{EKS storage}}
 
* {{EKS}}
 
* {{EKS}}
  
 
[[Category:EKS]]
 
[[Category:EKS]]
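Review bot: in the new "Create secret" sub-steps under 1.3, `aws iam create-access-key --user-name ebs-csi-user` prints a key pair, but the following `kubectl create secret generic` line reads `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}` from the shell and nothing says how the new values get into those variables. A reader who follows the steps literally builds `aws-secret` from whatever the variables already hold, which may be their own credentials or empty strings. Suggest adding the step that sets the two variables from the create-access-key output, and noting that 1.3 leaves a long-lived key in the cluster where 1.2 does not. The lines added under "Related" (the two ProvisioningFailed events, `kubectl delete pods -n kube-system -l=app=ebs-csi-controller`, the `eks.amazonaws.com/role-arn` annotation) also carry no text saying what each is for; a one-line label per item or a troubleshooting heading would make them usable.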

Latest revision as of 08:44, 18 April 2023

aws-ebs-csi-driver Installation

0) Install driver

helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
helm repo update
helm upgrade --install aws-ebs-csi-driver --namespace kube-system aws-ebs-csi-driver/aws-ebs-csi-driver
Release "aws-ebs-csi-driver" does not exist. Installing it now.
NAME: aws-ebs-csi-driver
LAST DEPLOYED: Mon Sep 26 08:02:42 2022
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
To verify that aws-ebs-csi-driver has started, run:

    kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"

NOTE: The [ CSI Snapshotter ](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.

Output after installation:

kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
NAME                                 READY   STATUS    RESTARTS   AGE
ebs-csi-controller-7687b8974-2t8nf   5/5     Running   0          2m15s
ebs-csi-controller-7687b8974-vpjln   5/5     Running   0          2m15s
ebs-csi-node-4nxsp                   3/3     Running   0          2m15s
ebs-csi-node-6n8dp                   3/3     Running   0          2m15s 
ebs-csi-node-d4j8z                   3/3     Running   0          2m15s

1) Grant driver IAM permissions

Choose one of the following methods:

Related


kubectl get events
default       107s        Warning   ProvisioningFailed     persistentvolumeclaim/myprometheus-server         (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-4e14416c-c9c2-4d39-b749-9ce0fa98d597": could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: Goz6E3qExxxxx.../...
(combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-641db932-4715-4f5a-b2d2-9c0c4117dd27": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403, request id: 6bc69eb4-96a6-4167-b5e3-1234567890
kubectl delete pods -n kube-system -l=app=ebs-csi-controller
aws eks describe-addon-versions --addon-name aws-ebs-csi-driver
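
The two ProvisioningFailed events quoted above point to different IAM faults, and telling them apart decides what to fix. The script below is an added example, not part of the wiki page or of the driver project; the function names and class labels are hypothetical, and the sample events are constructed from the two messages on this page.

```shell
#!/bin/sh
# Added example: triage EBS CSI ProvisioningFailed events by IAM failure mode.
# Function names and class labels are hypothetical, chosen for this illustration.

classify_event() {   # $1: one event line, as printed by `kubectl get events`
    case "$1" in
        *ProvisioningFailed*|*"failed to provision volume"*) ;;
        *) echo "not-provisioning"; return 0 ;;
    esac
    case "$1" in
        *"sts:AssumeRoleWithWebIdentity"*)
            # No credentials were issued: the role's trust policy does not
            # accept the service account's web identity token.
            echo "irsa-trust" ;;
        *UnauthorizedOperation*)
            # Credentials work, but EC2 refused the call: the identity's
            # policy does not allow it.
            echo "missing-policy" ;;
        *) echo "other" ;;
    esac
}

next_step() {        # $1: class label from classify_event
    case "$1" in
        irsa-trust) echo "compare the eks.amazonaws.com/role-arn annotation on ebs-csi-controller-sa with the role's trust policy" ;;
        missing-policy) echo "confirm arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy is attached to the identity the controller runs as" ;;
        *) echo "read the full event message" ;;
    esac
}

triage() {           # stdin: event lines; stdout: "<class>: <next step>"
    while IFS= read -r line; do
        class=$(classify_event "$line")
        if [ "$class" != "not-provisioning" ]; then
            printf '%s: %s\n' "$class" "$(next_step "$class")"
        fi
    done
}

# Constructed sample input, shortened from the two events quoted on this page,
# plus one unrelated event that must be skipped.
SAMPLE_EVENTS='default 107s Warning ProvisioningFailed persistentvolumeclaim/myprometheus-server failed to provision volume with StorageClass "gp2": could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation.
(combined from similar events): failed to provision volume with StorageClass "gp2": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403
default 30s Normal Scheduled pod/web Successfully assigned default/web to node-1'

# Live use: kubectl get events -A | triage
printf '%s\n' "$SAMPLE_EVENTS" | triage
```

For the `missing-policy` case, the "Encoded authorization failure message" in the event can be passed to `aws sts decode-authorization-message --encoded-message` to see which action and resource were denied.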

See also
