Aws-ebs-csi-driver Installation
Revision as of 07:04, 26 September 2022 by Welcome (talk | contribs) (→1) Grant driver IAM permissions)
aws-ebs-csi-driver
Installation
0) Install driver
helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver helm repo update helm upgrade --install aws-ebs-csi-driver --namespace kube-system aws-ebs-csi-driver/aws-ebs-csi-driver
Release "aws-ebs-csi-driver" does not exist. Installing it now. NAME: aws-ebs-csi-driver LAST DEPLOYED: Mon Sep 26 08:02:42 2022 NAMESPACE: kube-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: To verify that aws-ebs-csi-driver has started, run: kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver" NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.
Output after installation:
kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-ebs-csi-driver,app.kubernetes.io/instance=aws-ebs-csi-driver" NAME READY STATUS RESTARTS AGE ebs-csi-controller-7687b8974-2t8nf 5/5 Running 0 2m15s ebs-csi-controller-7687b8974-vpjln 5/5 Running 0 2m15s ebs-csi-node-4nxsp 3/3 Running 0 2m15s ebs-csi-node-6n8dp 3/3 Running 0 2m15s ebs-csi-node-d4j8z 3/3 Running 0 2m15s
1) Grant driver IAM permissions
Choose one of the following methods:
- 1.1 Using IAM instance profile - attach
arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
policy to the instance profile IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run. - 1.2 EKS only: Using IAM roles for ServiceAccounts - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value
controller.serviceAccount.name
,ebs-csi-controller-sa
by default - 1.3 Using secret object - create an IAM user, attach the policy to it, then create a generic secret called aws-secret in the kube-system namespace with the user's credentials
- Create IAM user:
aws iam create-user --user-name ebs-csi-user
- Attach policy:
aws iam attach-user-policy --user-name ebs-csi-user --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
- Create secret:
aws iam create-access-key --user-name ebs-csi-user
kubectl create secret generic aws-secret --namespace kube-system --from-literal "key_id=${AWS_ACCESS_KEY_ID}" --from-literal "access_key=${AWS_SECRET_ACCESS_KEY}"
- Create IAM user:
See also
- EKS,
eksctl
, EKS add-ons, Amazon EKS cluster role, Terraform EKS, Kubernetes Autoscaler, Karpenter, Terraform module: EKS, Terraform resource: aws eks node group, Terraform data source: aws_eks_cluster, AWS Controllers for Kubernetes, AWS Load Balancer Controller, Amazon EKS Anywhere, Kustomize,aws-iam-authenticator
, ACK, tEKS, Amazon EKS authorization, Amazon EKS authentication, Nodegroup, EKS storage,aws-ebs-csi-driver, aws-efs-csi-driver, aws-load-balancer-controller, amazon-vpc-cni-k8s
, EKS security, EKS Best Practices Guides,hardeneks
, EKS versions,fargate-scheduler
,eks-connector
, Resilience in Amazon EKS, EKS control plane logging, Security groups for Pods in EKS
Advertising: