Difference between revisions of "Aws-ebs-csi-driver"
Line 43: | Line 43: | ||
=== 1) Grant driver IAM permissions === | === 1) Grant driver IAM permissions === | ||
Choose one of the following methods: | Choose one of the following methods: | ||
− | * 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the instance profile IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run | + | * 1.1 Using IAM [[instance profile]] - attach <code>[[arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy]]</code> policy to the [[instance profile]] IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run |
* 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default | * 1.2 EKS only: Using [[IAM roles for ServiceAccounts]] - create an [[IAM role]], attach the policy to it, then follow the [[IRSA]] documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value <code>[[controller.serviceAccount.name]]</code>, <code>[[ebs-csi-controller-sa]]</code> by default | ||
* 1.3 Using secret object - create an IAM user, attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials | * 1.3 Using secret object - create an IAM user, attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials |
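Review bot: in bullet 1.1 the new revision wraps the second "instance profile" in [[instance profile]], but the same term is already linked at the start of that bullet ("Using IAM [[instance profile]]"). Linking one target twice in a single sentence adds nothing for the reader. I would keep only the first link and leave "instance profile IAM role" as plain text. Bullets 1.2 and 1.3 are unchanged context and need nothing.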
Revision as of 06:37, 26 September 2022
 kubectl get events
 default 8m51s Warning FailedScheduling pod/myprometheus-alertmanager-5967d4ff85-5glkh running PreBind plugin "VolumeBinding": binding volumes: timed out waiting for the condition
 default 4m58s Normal ExternalProvisioning persistentvolumeclaim/myprometheus-alertmanager waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator
Installation
0) Install driver
 helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
 helm repo update
 helm upgrade --install aws-ebs-csi-driver --namespace kube-system aws-ebs-csi-driver/aws-ebs-csi-driver

 Release "aws-ebs-csi-driver" does not exist. Installing it now.
 NAME: aws-ebs-csi-driver
 LAST DEPLOYED: Mon Sep 26 08:02:42 2022
 NAMESPACE: kube-system
 STATUS: deployed
 REVISION: 1
 TEST SUITE: None
 NOTES:
 To verify that aws-ebs-csi-driver has started, run:
     kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.
Output after installation:
 kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver"
 NAME                                 READY   STATUS    RESTARTS   AGE
 ebs-csi-controller-7687b8974-2t8nf   5/5     Running   0          2m15s
 ebs-csi-controller-7687b8974-vpjln   5/5     Running   0          2m15s
 ebs-csi-node-4nxsp                   3/3     Running   0          2m15s
 ebs-csi-node-6n8dp                   3/3     Running   0          2m15s
 ebs-csi-node-d4j8z                   3/3     Running   0          2m15s
1) Grant driver IAM permissions
Choose one of the following methods:
- 1.1 Using IAM instance profile - attach arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy policy to the instance profile IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run
- 1.2 EKS only: Using IAM roles for ServiceAccounts - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value controller.serviceAccount.name, ebs-csi-controller-sa by default
- 1.3 Using secret object - create an IAM user, attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials
kubectl create secret generic aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"
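For method 1.2, the role's trust policy decides which pods can assume it, so it should name the driver's service account exactly. IRSA then hands the controller short-lived STS credentials instead of the static keys stored by method 1.3. The following is an added example, not part of the original page or the driver project: the account id, OIDC issuer id and role name are constructed placeholders, and irsa_trust_policy and trust_is_scoped are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: IRSA trust policy pinned to the EBS CSI controller service account.
# Account id and OIDC issuer below are constructed placeholders, not real values.

# Print a trust policy. Args: $1 account id, $2 OIDC issuer (no https://),
# $3 namespace, $4 service account name.
irsa_trust_policy() {
  local account_id="$1" oidc="$2" ns="$3" sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${oidc}:aud": "sts.amazonaws.com",
      "${oidc}:sub": "system:serviceaccount:${ns}:${sa}"
    }}
  }]
}
EOF
}

# Succeed only if the policy uses StringEquals, pins :sub to namespace $2 and
# service account $3, and contains no wildcard service-account subject.
trust_is_scoped() {
  local policy="$1" ns="$2" sa="$3"
  printf '%s' "$policy" | grep -q '"StringEquals"' || return 1
  printf '%s' "$policy" | grep -Fq ":sub\": \"system:serviceaccount:${ns}:${sa}\"" || return 1
  ! printf '%s' "$policy" | grep -q 'system:serviceaccount:[^"]*\*'
}

# Demo with constructed values; prints the policy only if it passes the check.
POLICY="$(irsa_trust_policy 111122223333 \
  oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID kube-system ebs-csi-controller-sa)"
if trust_is_scoped "$POLICY" kube-system ebs-csi-controller-sa; then
  printf '%s\n' "$POLICY"
fi

# With real values, save the output as ebs-csi-trust.json, then:
#   aws iam create-role --role-name <role-name> \
#     --assume-role-policy-document file://ebs-csi-trust.json
#   aws iam attach-role-policy --role-name <role-name> \
#     --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
#   helm upgrade --install aws-ebs-csi-driver --namespace kube-system \
#     aws-ebs-csi-driver/aws-ebs-csi-driver --set \
#     "controller.serviceAccount.annotations.eks\.amazonaws\.com/role-arn=arn:aws:iam::<account-id>:role/<role-name>"
```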
Related
See also
- CSI, Amazon EBS CSI driver, Kubernetes Filestore CSI driver, GKE CSI Driver pd.csi.storage.gke.io, CSI Migration, aws-efs-csi-driver, aws-ebs-csi-driver, gcp_filestore_csi_driver_config, GcePersistentDiskCsiDriver, kind: CSINode, csi-hostpath-driver, Kubernetes snapshots
- EKS, eksctl, EKS add-ons, Amazon EKS cluster role, Terraform EKS, Kubernetes Autoscaler, Karpenter, Terraform module: EKS, Terraform resource: aws eks node group, Terraform data source: aws_eks_cluster, AWS Controllers for Kubernetes, AWS Load Balancer Controller, Amazon EKS Anywhere, Kustomize, aws-iam-authenticator, ACK, tEKS, Amazon EKS authorization, Amazon EKS authentication, Nodegroup, EKS storage, aws-ebs-csi-driver, aws-efs-csi-driver, aws-load-balancer-controller, amazon-vpc-cni-k8s, EKS security, EKS Best Practices Guides, hardeneks, EKS versions, fargate-scheduler, eks-connector, Resilience in Amazon EKS, EKS control plane logging, Security groups for Pods in EKS