1、Create the Amazon EBS CSI driver IAM role
Related documentation
Prerequisite: the cluster must have an IAM OIDC provider associated with it; see the IAM OIDC provider creation documentation for details.
IAM OIDC provider ID
On the Select trusted entity page, choose Web identity, select the cluster's OIDC provider URL as the identity provider and sts.amazonaws.com as the audience, then click Next.
On the Add permissions page, filter for AmazonEBSCSIDriverPolicy, tick it, then click Next.
On the Name, review, and create page, name the role AmazonEKS_EBS_CSI_DriverRole, scroll to the bottom and click Create role.
After the role is created, open it and edit its trust policy again,
replacing every occurrence of the original ID with our EKS cluster's OIDC provider ID, 523E4251EE6E3D0855D8BCF7AAAD8206, so that it reads:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXX:oidc-provider/oidc.eks.ap-east-1.amazonaws.com/id/523E4251EE6E3D0855D8BCF7AAAD8206"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.ap-east-1.amazonaws.com/id/523E4251EE6E3D0855D8BCF7AAAD8206:aud": "sts.amazonaws.com",
          "oidc.eks.ap-east-1.amazonaws.com/id/523E4251EE6E3D0855D8BCF7AAAD8206:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
        }
      }
    }
  ]
}
Finally click Update policy. The sub condition is what scopes this role to the ebs-csi-controller-sa service account in kube-system; if it is omitted or widened to a wildcard, any pod in the cluster that can obtain a service-account token for the sts.amazonaws.com audience can assume the role.
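To make the trust relationship above concrete, here is an added example (not code from the original page or from AWS) that builds the same trust policy from the cluster's OIDC issuer URL and lints an existing one for the two conditions that matter: aud pinned to sts.amazonaws.com and sub pinned to a single service account, with every condition key referring to the same provider as the Principal (the mistake a partial find-and-replace of the cluster ID would leave behind). The issuer URL and account ID are the placeholders used on this page; the function names are my own.

```python
import json
import re

# Inputs for the example: the cluster ID and account placeholder are the ones
# shown on this page, not real resources.
OIDC_ISSUER = "https://oidc.eks.ap-east-1.amazonaws.com/id/523E4251EE6E3D0855D8BCF7AAAD8206"
ACCOUNT_ID = "XXXXXXX"
SERVICE_ACCOUNT = ("kube-system", "ebs-csi-controller-sa")


def build_trust_policy(issuer_url, account_id, namespace, sa_name):
    """Build the IRSA trust policy for exactly one Kubernetes service account.

    issuer_url is the cluster's OIDC issuer (https://oidc.eks.<region>.amazonaws.com/id/<ID>);
    the provider ARN and the condition keys are derived from its host and path.
    """
    issuer = issuer_url.split("://", 1)[-1].rstrip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def trust_policy_findings(policy):
    """Return a list of problems that would let the wrong principal assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = stmt.get("Principal", {}).get("Federated", "")
        m = re.fullmatch(r"arn:aws:iam::[^:]*:oidc-provider/(.+)", provider)
        if not m:
            findings.append("principal is not an IAM OIDC provider ARN")
            continue
        issuer = m.group(1)
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        # aud must be pinned so tokens minted for other audiences are rejected.
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        # sub must name one service account; missing or wildcarded sub means any
        # pod in the cluster can assume the role (a "*" under StringLike matches
        # everything; under StringEquals it is literal, but still flagged here).
        sub = equals.get(f"{issuer}:sub") or like.get(f"{issuer}:sub")
        if sub is None:
            findings.append("sub condition missing: any service account in the cluster can assume the role")
        elif "*" in sub or "?" in sub:
            findings.append(f"sub condition is a wildcard ({sub})")
        elif not sub.startswith("system:serviceaccount:"):
            findings.append(f"sub condition is not a service account ({sub})")
        # Every condition key must refer to the same issuer as the Principal;
        # a stale cluster ID left in one key silently disables that condition.
        for key in list(equals) + list(like):
            if not key.startswith(issuer + ":"):
                findings.append(f"condition key {key} does not match provider {issuer}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(OIDC_ISSUER, ACCOUNT_ID, *SERVICE_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy) or "no findings")
```

The generated JSON can be passed to `aws iam update-assume-role-policy --role-name AmazonEKS_EBS_CSI_DriverRole --policy-document file://trust.json` instead of editing in the console; running `trust_policy_findings` on the output of `aws iam get-role` is a quick way to audit roles that were edited by hand.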
Create an IAM policy named AmazonEBSVolumePolicy. Because the eksctl output in section 2 shows that the cluster has no IAM OIDC provider associated, the driver cannot assume AmazonEKS_EBS_CSI_DriverRole and falls back to the node's instance credentials, so the node role needs EBS permissions for attach and detach to work. Note, however, that the error below is not what a missing permission looks like: InvalidVolume.ZoneMismatch comes from EC2 when the volume and the instance are in different Availability Zones, and no IAM policy can fix it (a missing permission surfaces as UnauthorizedOperation instead). If you hit it, compare the volume's AvailabilityZone with the node's topology.kubernetes.io/zone label and correct the placement.
AttachVolume.Attach failed for volume "aws-pv2" : rpc error: code = Internal desc = Could not attach volume "vol-07b297f1ae13f164a" to node "i-0900340d8108b7fe8": could not attach volume "vol-07b297f1ae13f164a" to node "i-0900340d8108b7fe8": operation error EC2: AttachVolume, https response error StatusCode: 400, RequestID: ecab32b9-1bb5-45df-b669-1ad61836d792, api error InvalidVolume.ZoneMismatch: The volume 'vol-07b297f1ae13f164a' is not in the same availability zone as instance 'i-0900340d8108b7fe8'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttachment",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "*"
    }
  ]
}
and attach this policy to the node role AmazonEKSNodeRole. Bear in mind that a policy on the node role is reachable by every pod on that node through the instance metadata service, not only by the CSI controller, and "Resource": "*" covers every volume and instance in the account; the IRSA route above, once the OIDC provider is associated, confines these permissions to the ebs-csi-controller-sa service account.
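As an added example that is not part of the original page, the following script checks a volume's Availability Zone (from `aws ec2 describe-volumes` output) against a node's zone labels before an attach is attempted, and emits a PersistentVolume for an existing volume pinned to the volume's zone with nodeAffinity, which is the fix for ZoneMismatch when the PV was created by hand for a pre-existing volume. The describe-volumes output and node labels are constructed sample data (the volume ID is the one from the error above; the zones are invented so that they differ), and the function names are my own.

```python
import json

# Constructed sample data for this example: describe-volumes output for the
# volume named in the error above, and labels of the node it was attached to.
DESCRIBE_VOLUMES_OUTPUT = json.loads("""
{"Volumes": [{"VolumeId": "vol-07b297f1ae13f164a",
              "AvailabilityZone": "ap-east-1b",
              "Size": 4, "State": "available", "VolumeType": "gp3",
              "Attachments": []}]}
""")
NODE_LABELS = {  # e.g. kubectl get node <name> -o jsonpath='{.metadata.labels}'
    "topology.kubernetes.io/zone": "ap-east-1a",
    "topology.ebs.csi.aws.com/zone": "ap-east-1a",
    "node.kubernetes.io/instance-type": "t3.medium",
}


def volume_zone(describe_output, volume_id):
    """Zone of one volume in `aws ec2 describe-volumes` output, or None if absent."""
    for vol in describe_output.get("Volumes", []):
        if vol.get("VolumeId") == volume_id:
            return vol.get("AvailabilityZone")
    return None


def node_zone(labels):
    """Zone of a node from its labels; the well-known label is preferred over the driver's."""
    return labels.get("topology.kubernetes.io/zone") or labels.get("topology.ebs.csi.aws.com/zone")


def attach_check(describe_output, volume_id, labels):
    """Predict whether EC2 AttachVolume will pass the zone check.

    Returns (ok, message). EC2 rejects a cross-zone attach with
    InvalidVolume.ZoneMismatch regardless of the caller's IAM permissions.
    """
    vz = volume_zone(describe_output, volume_id)
    nz = node_zone(labels)
    if vz is None:
        return False, f"{volume_id} not found in describe-volumes output"
    if nz is None:
        return False, "node has no zone label"
    if vz != nz:
        return False, f"zone mismatch: volume {volume_id} is in {vz}, node is in {nz}"
    return True, f"volume {volume_id} and node are both in {vz}"


def static_pv(name, volume_id, zone, size_gi):
    """PersistentVolume for an existing EBS volume, pinned to the volume's zone.

    The nodeAffinity makes the scheduler place any pod using this PV on a node
    in `zone`, which is what prevents ZoneMismatch for a hand-made PV.
    topology.ebs.csi.aws.com/zone is the topology key the EBS CSI driver
    publishes on nodes.
    """
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolume",
        "metadata": {"name": name},
        "spec": {
            "capacity": {"storage": f"{size_gi}Gi"},
            "accessModes": ["ReadWriteOnce"],
            "persistentVolumeReclaimPolicy": "Retain",
            "csi": {"driver": "ebs.csi.aws.com", "volumeHandle": volume_id, "fsType": "ext4"},
            "nodeAffinity": {"required": {"nodeSelectorTerms": [{"matchExpressions": [
                {"key": "topology.ebs.csi.aws.com/zone", "operator": "In", "values": [zone]}
            ]}]}},
        },
    }


if __name__ == "__main__":
    vol = "vol-07b297f1ae13f164a"
    ok, msg = attach_check(DESCRIBE_VOLUMES_OUTPUT, vol, NODE_LABELS)
    print(msg)
    if not ok:
        # Emit a PV that can only be consumed by pods scheduled in the volume's zone.
        zone = volume_zone(DESCRIBE_VOLUMES_OUTPUT, vol)
        print(json.dumps(static_pv("aws-pv2", vol, zone, 4), indent=2))
```

The emitted manifest is JSON, which `kubectl apply -f` accepts directly; the same nodeAffinity block is what dynamic provisioning with volumeBindingMode: WaitForFirstConsumer (see the ebs-sc storage class in section 3) sets on the PV automatically, which is why the mismatch normally only shows up with statically provisioned volumes.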
2、Manage the Amazon EBS CSI driver as an Amazon EKS add-on
Related documentation
# eksctl create addon --name aws-ebs-csi-driver --cluster eks-test --service-account-role-arn arn:aws:iam::369180331248:role/AmazonEKS_EBS_CSI_DriverRole2 --force
2024-05-03 18:02:46 [!] no IAM OIDC provider associated with cluster, try 'eksctl utils associate-iam-oidc-provider --region=ap-east-1 --cluster=eks-test'
2024-05-03 18:02:46 [ℹ] Kubernetes version "1.29" in use by cluster "eks-test"
2024-05-03 18:02:46 [!] OIDC is disabled but policies are required/specified for this addon. Users are responsible for attaching the policies to all nodegroup roles
2024-05-03 18:02:46 [ℹ] creating addon
The first warning in that output matters: with no IAM OIDC provider associated with the cluster, the trust policy from section 1 cannot be honoured, so the driver pods never receive the role and fall back to the node's instance credentials. Run the suggested eksctl utils associate-iam-oidc-provider --region=ap-east-1 --cluster=eks-test first, then create or update the add-on, if you want the role to be used.
If you remove the --force option and any Amazon EKS add-on setting conflicts with your existing settings, updating the Amazon EKS add-on fails and you receive an error message that helps you resolve the conflict. Before specifying this option, make sure the Amazon EKS add-on does not manage settings you need to manage yourself, because this option overwrites them.
Check that the add-on is working:
# kubectl get csidrivers
NAME ATTACHREQUIRED PODINFOONMOUNT STORAGECAPACITY TOKENREQUESTS REQUIRESREPUBLISH MODES AGE
ebs.csi.aws.com true false false <unset> false Persistent 119m
3、Deploy a sample application and verify that the CSI driver is working
Related documentation
1) Clone the aws-ebs-csi-driver source
# git clone https://github.com/kubernetes-sigs/aws-ebs-csi-driver.git
Cloning into 'aws-ebs-csi-driver'...
remote: Enumerating objects: 30626, done.
remote: Counting objects: 100% (8952/8952), done.
remote: Compressing objects: 100% (2710/2710), done.
remote: Total 30626 (delta 6965), reused 6522 (delta 6168), pack-reused 21674
Receiving objects: 100% (30626/30626), 27.11 MiB | 13.63 MiB/s, done.
Resolving deltas: 100% (17521/17521), done.
# cd aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/
2) By default, manifests/storageclass.yaml provisions gp2 Amazon EBS volumes. To use gp3 volumes instead, add type: gp3 under parameters in manifests/storageclass.yaml. The file has no parameters block of its own, so one can be appended as a top-level key; the line break and indentation matter, since a single line reading parameters:type: gp3 is not the intended YAML:
echo -e "parameters:\n  type: gp3" >> manifests/storageclass.yaml
3) Deploy the ebs-sc storage class, the ebs-claim persistent volume claim and the app sample application from the manifests directory
# kubectl apply -f manifests/
persistentvolumeclaim/ebs-claim created
pod/app created
storageclass.storage.k8s.io/ebs-sc created
4) Describe the storage class
# kubectl describe storageclass ebs-sc
Name: ebs-sc
IsDefaultClass: No
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"ebs-sc"},"parameters":{"type":"gp3"},"provisioner":"ebs.csi.aws.com","volumeBindingMode":"WaitForFirstConsumer"}
Provisioner: ebs.csi.aws.com
Parameters: type=gp3
AllowVolumeExpansion: <unset>
MountOptions: <none>
ReclaimPolicy: Delete
VolumeBindingMode: WaitForFirstConsumer
Events: <none>