aws identity provider
image.png
image.png
- Create an IAM policy that allows the CSI driver's service account to make calls to AWS APIs on your behalf
curl -o iam-policy-example.json https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/docs/iam-policy-example.json
- Create the policy. You can change AmazonEKS_EFS_CSI_Driver_Policy to a different name, but if you do, make sure to change it in later steps too
aws iam create-policy \
--policy-name AmazonEKS_EFS_CSI_Driver_Policy \
--policy-document file://iam-policy-example.json
- Create an IAM role and attach the IAM policy to it. Annotate the Kubernetes service account with the IAM role ARN and the IAM role with the Kubernetes service account name. You can create the role using
eksctlor the AWS CLI
aws eks describe-cluster --name test --query "cluster.identity.oidc.issuer" --output text
https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
- Create the IAM role, granting the Kubernetes service account the AssumeRoleWithWebIdentity action,Copy the following contents to a file named trust-policy.json. Replace 111122223333 with your account ID. Replace EXAMPLED539D4633E53DE1B71EXAMPLE and region-code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
}
}
}
]
}
- Create the role. You can change AmazonEKS_EFS_CSI_DriverRole to a different name, but if you do, make sure to change it in later steps too
aws iam create-role \
--role-name AmazonEKS_EFS_CSI_DriverRole \
--assume-role-policy-document file://"trust-policy.json"
- Attach the IAM policy to the role with the following command. Replace 111122223333 with your account ID (111122223333:policy/AmazonEKS_EFS_CSI_Driver_Policy)
aws iam attach-role-policy \
--policy-arn arn:aws:iam::111122223333:policy/AmazonEKS_EFS_CSI_Driver_Policy \
--role-name AmazonEKS_EFS_CSI_DriverRole
- Create a Kubernetes service account that's annotated with the ARN of the IAM role that you created.Save the following contents to a file named efs-service-account.yaml. Replace 111122223333 with your account ID
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: aws-efs-csi-driver
name: efs-csi-controller-sa
namespace: kube-system
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/AmazonEKS_EFS_CSI_DriverRole
- Create the Kubernetes service account on your cluster. The Kubernetes service account named efs-csi-controller-sa is annotated with the IAM role that you created named AmazonEKS_EFS_CSI_DriverRole
kubectl apply -f efs-service-account.yaml
- Install the Amazon EFS CSI driver using Helm or a manifest.
Add the Helm repo
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver
Update the repo
helm repo update
Install a release of the driver using the Helm chart. Replace the repository address with the cluster's container image address.
helm upgrade -i aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
--namespace kube-system \
--set image.repository=602401143452.dkr.ecr.region-code.amazonaws.com/eks/aws-efs-csi-driver \
--set controller.serviceAccount.create=false \
--set controller.serviceAccount.name=efs-csi-controller-sa
- check efs pod
kubectl get pods -n kube-system | grep efs-csi-controller
kubectl describe pod efs-csi-controller-7d9f679b57-fwr8l -n kube-syste
10 .Create an Amazon EFS file system,Retrieve the VPC ID that your cluster is in and store it in a variable for use in a later step. Replace my-cluster with your cluster name.
vpc_id=$(aws eks describe-cluster \
--name my-cluster \
--query "cluster.resourcesVpcConfig.vpcId" \
--output text)
- Retrieve the CIDR range for your cluster's VPC and store it in a variable for use in a later step.
cidr_range=$(aws ec2 describe-vpcs \
--vpc-ids $vpc_id \
--query "Vpcs[].CidrBlock" \
--output text)
- Create a security group with an inbound rule that allows inbound NFS traffic for your Amazon EFS mount points,Create a security group. Replace the (example values) with your own
security_group_id=$(aws ec2 create-security-group \
--group-name MyEfsSecurityGroup \
--description "My EFS security group" \
--vpc-id $vpc_id \
--output text)
- Create an inbound rule that allows inbound NFS traffic from the CIDR for your cluster's VPC
aws ec2 authorize-security-group-ingress \
--group-id $security_group_id \
--protocol tcp \
--port 2049 \
--cidr $cidr_range
image.png
image.png
- Create an Amazon EFS file system for your Amazon EKS cluster.Create a file system. Replace
region-codewith the AWS Region that your cluster is in.
file_system_id=$(aws efs create-file-system \
--region region-code \
--performance-mode generalPurpose \
--query 'FileSystemId' \
--output text)
image.png
- Create mount targets ,Determine the IDs of the subnets in your VPC and which Availability Zone the subnet is in.
aws ec2 describe-subnets \
--filters "Name=vpc-id,Values=$vpc_id" \
--query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' \
--output table
image.png
15.Check the subnet where the node ip is located, and mount the corresponding node on the subnet
kubectl get nodes
image.png
- Add mount targets for the subnets that your nodes are in. From the output in the previous two steps, the cluster has one node with an IP address of 172.21.0.0. That IP address is within the CidrBlock of the subnet with the ID subnet-EXAMPLEe2ba886490. As a result, the following command creates a mount target for the subnet the node is in. If there were more nodes in the cluster, you'd run the command once for a subnet in each AZ that you had a node in, replacing subnet-EXAMPLEe2ba886490 with the appropriate subnet ID
aws efs create-mount-target \
--file-system-id $file_system_id \
--subnet-id subnet-EXAMPLEe2ba886490 \
--security-groups $security_group_id
image.png
- You can deploy a sample app that dynamically creates a persistent volume, or you can manually create a persistent volume. You can replace the examples given in this section with a different application
git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git
cd aws-efs-csi-driver/examples/kubernetes/multiple_pods
aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text
- Edit the
specs/pv.yamlfile and replace thevolumeHandlevalue with your Amazon EFS file system ID.
kubectl apply -f specs/pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: fs-582a03f3
-
kubectl describe sa -n kube-system efs-csi-controller-sa
image.png
网友评论