On Amazon EKS, the open-source EBS Container Storage Interface (CSI) driver is used to manage the attachment of Amazon EBS block storage volumes to Kubernetes Pods.
The CSI driver is deployed as set of Kubernetes Pods. These Pods must have permission to perform EBS API operations, such as creating and deleting volumes, and attaching volumes to the EC2 worker nodes that comprise the cluster.
First, let’s download the policy JSON document, and create an IAM Policy from it:
mkdir ~/environment/ebs_csi_driver
cd ~/environment/ebs_csi_driver
curl -sSL -o ebs-cni-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/v0.4.0/docs/example-iam-policy.json
export EBS_CNI_POLICY_NAME="Amazon_EBS_CSI_Driver"
aws iam create-policy \
--region ${AWS_REGION} \
--policy-name ${EBS_CNI_POLICY_NAME} \
--policy-document file://ebs-cni-policy.json
export EBS_CNI_POLICY_ARN=$(aws --region ${AWS_REGION} iam list-policies --query 'Policies[?PolicyName==`'$EBS_CNI_POLICY_NAME'`].Arn' --output text)
Next, we’ll ask eksctl to create an IAM Role that contains the IAM Policy we
created, and associate it with a Kubernetes Service Account called
ebs-csi-controller-irsa that will be used by the CSI Driver:
eksctl utils associate-iam-oidc-provider --region=$AWS_REGION --cluster=eksworkshop-eksctl --approve
eksctl create iamserviceaccount --cluster eksworkshop-eksctl \
--name ebs-csi-controller-irsa \
--namespace kube-system \
--attach-policy-arn $EBS_CNI_POLICY_ARN \
--override-existing-serviceaccounts \
--approve
Finally, we can deploy the driver.
First, we’ll need to download a few files. Run:
cd ~/environment/ebs_csi_driver
for file in kustomization.yml deployment.yml attacher-binding.yml provisioner-binding.yml; do
curl -sSLO https://raw.githubusercontent.com/aws-samples/eks-workshop/main/content/beginner/170_statefulset/ebs_csi_driver.files/$file
done
To complete the deployment:
kubectl apply -k ~/environment/ebs_csi_driver