美文网首页
AWS install EFS CSI driver

AWS install EFS CSI driver

作者: HaoDongZ | 来源:发表于2023-04-25 18:01 被阅读0次

aws identity provider


image.png image.png
  1. Create an IAM policy that allows the CSI driver's service account to make calls to AWS APIs on your behalf
curl -o iam-policy-example.json https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/docs/iam-policy-example.json
  1. Create the policy. You can change AmazonEKS_EFS_CSI_Driver_Policy to a different name, but if you do, make sure to change it in later steps too
aws iam create-policy \
    --policy-name AmazonEKS_EFS_CSI_Driver_Policy \
    --policy-document file://iam-policy-example.json
  1. Create an IAM role and attach the IAM policy to it. Annotate the Kubernetes service account with the IAM role ARN and the IAM role with the Kubernetes service account name. You can create the role using eksctl or the AWS CLI
aws eks describe-cluster --name test --query "cluster.identity.oidc.issuer" --output text

https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
  1. Create the IAM role, granting the Kubernetes service account the AssumeRoleWithWebIdentity action,Copy the following contents to a file named trust-policy.json. Replace 111122223333 with your account ID. Replace EXAMPLED539D4633E53DE1B71EXAMPLE and region-code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
        }
      }
    }
  ]
}
  1. Create the role. You can change AmazonEKS_EFS_CSI_DriverRole to a different name, but if you do, make sure to change it in later steps too
aws iam create-role \
  --role-name AmazonEKS_EFS_CSI_DriverRole \
  --assume-role-policy-document file://"trust-policy.json"
  1. Attach the IAM policy to the role with the following command. Replace 111122223333 with your account ID (111122223333:policy/AmazonEKS_EFS_CSI_Driver_Policy)

aws iam attach-role-policy \
  --policy-arn arn:aws:iam::111122223333:policy/AmazonEKS_EFS_CSI_Driver_Policy \
  --role-name AmazonEKS_EFS_CSI_DriverRole
  1. Create a Kubernetes service account that's annotated with the ARN of the IAM role that you created.Save the following contents to a file named efs-service-account.yaml. Replace 111122223333 with your account ID
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
  name: efs-csi-controller-sa
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/AmazonEKS_EFS_CSI_DriverRole
  1. Create the Kubernetes service account on your cluster. The Kubernetes service account named efs-csi-controller-sa is annotated with the IAM role that you created named AmazonEKS_EFS_CSI_DriverRole
kubectl apply -f efs-service-account.yaml
  1. Install the Amazon EFS CSI driver using Helm or a manifest.

Add the Helm repo

helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver

Update the repo

helm repo update

Install a release of the driver using the Helm chart. Replace the repository address with the cluster's container image address.

helm upgrade -i aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
    --namespace kube-system \
    --set image.repository=602401143452.dkr.ecr.region-code.amazonaws.com/eks/aws-efs-csi-driver \
    --set controller.serviceAccount.create=false \
    --set controller.serviceAccount.name=efs-csi-controller-sa
  1. check efs pod
  kubectl get pods -n kube-system | grep efs-csi-controller

kubectl describe pod efs-csi-controller-7d9f679b57-fwr8l  -n kube-syste

10 .Create an Amazon EFS file system,Retrieve the VPC ID that your cluster is in and store it in a variable for use in a later step. Replace my-cluster with your cluster name.


vpc_id=$(aws eks describe-cluster \
    --name my-cluster \
    --query "cluster.resourcesVpcConfig.vpcId" \
    --output text)
  1. Retrieve the CIDR range for your cluster's VPC and store it in a variable for use in a later step.
cidr_range=$(aws ec2 describe-vpcs \
    --vpc-ids $vpc_id \
    --query "Vpcs[].CidrBlock" \
    --output text)
  1. Create a security group with an inbound rule that allows inbound NFS traffic for your Amazon EFS mount points,Create a security group. Replace the (example values) with your own

security_group_id=$(aws ec2 create-security-group \
    --group-name MyEfsSecurityGroup \
    --description "My EFS security group" \
    --vpc-id $vpc_id \
    --output text)
  1. Create an inbound rule that allows inbound NFS traffic from the CIDR for your cluster's VPC

aws ec2 authorize-security-group-ingress \
    --group-id $security_group_id \
    --protocol tcp \
    --port 2049 \
    --cidr $cidr_range
image.png image.png
  1. Create an Amazon EFS file system for your Amazon EKS cluster.Create a file system. Replace region-code with the AWS Region that your cluster is in.
file_system_id=$(aws efs create-file-system \
    --region region-code \
    --performance-mode generalPurpose \
    --query 'FileSystemId' \
    --output text)
image.png
  1. Create mount targets ,Determine the IDs of the subnets in your VPC and which Availability Zone the subnet is in.

aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=$vpc_id" \
    --query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' \
    --output table
image.png

15.Check the subnet where the node ip is located, and mount the corresponding node on the subnet

kubectl get nodes
image.png
  1. Add mount targets for the subnets that your nodes are in. From the output in the previous two steps, the cluster has one node with an IP address of 172.21.0.0. That IP address is within the CidrBlock of the subnet with the ID subnet-EXAMPLEe2ba886490. As a result, the following command creates a mount target for the subnet the node is in. If there were more nodes in the cluster, you'd run the command once for a subnet in each AZ that you had a node in, replacing subnet-EXAMPLEe2ba886490 with the appropriate subnet ID

aws efs create-mount-target \
    --file-system-id $file_system_id \
    --subnet-id subnet-EXAMPLEe2ba886490 \
    --security-groups $security_group_id
image.png
  1. You can deploy a sample app that dynamically creates a persistent volume, or you can manually create a persistent volume. You can replace the examples given in this section with a different application
git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git
cd aws-efs-csi-driver/examples/kubernetes/multiple_pods
aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text
  1. Edit the specs/pv.yaml file and replace the volumeHandle value with your Amazon EFS file system ID.

kubectl apply -f specs/pv.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-582a03f3

  1. kubectl describe sa -n kube-system efs-csi-controller-sa


    image.png

相关文章

网友评论

      本文标题:AWS install EFS CSI driver

      本文链接:https://www.haomeiwen.com/subject/wermjdtx.html

      延伸阅读

      深度阅读

      • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

      栏目导航

      热点阅读

      关于我们|服务条款|联系我们|AWS install EFS CSI driver|投稿指南|网站地图|RSS订阅|排版工具|手机版

      提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

      Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

      备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

      本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

      所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!