Creating a Service Account for the EBS CSI Driver on EKS
When using Kubernetes EKS v1.23 or higher with Amazon FSx or EFS, you need to configure a few management and security updates. The steps below will:
- Create a service account named ebs-csi-controller-sa on your Kubernetes cluster (EKS), under the kube-system namespace.
- Assign the service account with an IAM role that contains the relevant permissions.
Note:
This is not required if you deployed EKS cluster v1.23 or higher using the Sisense script in Deployment Script for Sisense on Amazon EKS.
If you used the script to deploy an older version of EKS and then upgraded to v1.23 or higher, you need to perform the instructions on this page.
Prerequisites
The following are required before performing the steps to set up your management and security updates:
- The EKS cluster using version 1.23 or higher on AWS must be deployed.
- From a Bash shell, you need to be connected to your AWS account.
- You need to be connected to your EKS cluster. That is, you need to be able to run kubectl commands on it.
- The eksctl binary file must be installed. You can install it as follows:
## Installing eksctl
if ! command -v eksctl &> /dev/null; then
  curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
  sudo mv /tmp/eksctl /usr/local/bin
  source <(eksctl completion bash) 2>/dev/null
fi
Configuring the Management and Security Updates via the Sisense Script
The management and security updates can be installed via the Sisense script.
# export CLUSTER=<your EKS cluster name>
# Example below:
export CLUSTER=my-eks-cluster
curl --create-dirs --output ./ebs-csi-driver/create_ebs_driver_sa.sh https://data.sisense.com/linux/scripts/ebs-csi-driver/create_ebs_driver_sa.sh
chmod 755 ./ebs-csi-driver/create_ebs_driver_sa.sh
./ebs-csi-driver/create_ebs_driver_sa.sh ${CLUSTER}
Configuring the Management and Security Updates Manually
To configure the management and security updates manually:
- Set up your variables, and download the policy document JSON file:
# Must be "kube-system" hard coded
namespace=kube-system
# Must be "ebs-csi-controller-sa" hard coded
service_account=ebs-csi-controller-sa
eks_name=<your EKS cluster name>
policy_name=<whichever IAM Policy name you wish to create>
role_name=<whichever IAM Role name you wish to create>
policy_file="${PWD}/eks_ebs_policy.json"
account_id=$(aws sts get-caller-identity --query "Account" --output text)
oidc_provider=$(aws eks describe-cluster --name ${eks_name} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
curl --create-dirs --output ${policy_file} https://data.sisense.com/linux/scripts/ebs-csi-driver/eks_ebs_policy.json
- Create the IAM OIDC provider for your EKS cluster via the command:
eksctl utils associate-iam-oidc-provider --cluster ${eks_name} --approve
- Create the service account in your Kubernetes cluster via the command:
kubectl create serviceaccount ${service_account} -n ${namespace}
- Add the following labels and annotations for the service account:
kubectl -n ${namespace} label sa ${service_account} \
app.kubernetes.io/managed-by=Helm \
app.kubernetes.io/name=aws-ebs-csi-driver
kubectl -n ${namespace} annotate sa ${service_account} \
meta.helm.sh/release-name=aws-ebs-csi-driver \
meta.helm.sh/release-namespace=kube-system
- Create the IAM policy in AWS, with the permissions from the policy JSON file, via the command:
aws iam create-policy --policy-name ${policy_name} --policy-document file://${policy_file}
- Create the trust relationship document by copying the text below and pasting it in your Bash shell:
cat >${PWD}/trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
- Create the IAM role in AWS, so that it can be assumed through the trusted OIDC provider above, via the command:
aws iam create-role --role-name ${role_name} --assume-role-policy-document file://${PWD}/trust-relationship.json --description "eks-ebs-driver for EKS cluster"
- Attach the IAM policy to the IAM role you just created via the command:
aws iam attach-role-policy --role-name ${role_name} --policy-arn=arn:aws:iam::${account_id}:policy/${policy_name}
- Bind the IAM role with the relevant permissions to the service account created via the command:
kubectl annotate serviceaccount -n ${namespace} ${service_account} eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}
Verifying that the Service Account is Configured Correctly
To verify that the service account is configured correctly, run the command:
kubectl -n kube-system get serviceaccount ebs-csi-controller-sa -o yaml
If the service account is configured correctly, you should see output that is similar to the following:
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role-name
    meta.helm.sh/release-name: aws-ebs-csi-driver
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2022-10-03T14:31:43Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: aws-ebs-csi-driver
  name: ebs-csi-controller-sa
  namespace: kube-system
resourceVersion: "2998"
uid: 2d13f618-e88f-40b8-8f14-742897467b5c
secrets:
- name: ebs-csi-controller-sa-token-nhxd5
If all is correct, continue with the Sisense installation or upgrade.
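As an added check (example code, not from this page or the Sisense script), the Python below walks the chain that the manual steps and the verification above build: the service account's role-arn annotation, the IAM role it names, and that role's trust relationship. It also adds the `sub` condition that AWS's IRSA guidance recommends, so the role can be assumed only by kube-system/ebs-csi-controller-sa rather than by any service account whose token the cluster's OIDC provider signs; the page's trust document carries only the `aud` condition. The account id, OIDC provider id, role name and the service-account object are constructed placeholders.

```python
# Constructed sample values mirroring the page's placeholders; not real account or cluster data.
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
NAMESPACE, SERVICE_ACCOUNT, ROLE_NAME = "kube-system", "ebs-csi-controller-sa", "your-iam-role-name"

def trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust relationship from the page plus a 'sub' condition that pins the role
    to one service account instead of every service account in the cluster."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc_provider}:aud": "sts.amazonaws.com",
            f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}"}}}]}

def check_irsa_binding(sa, role_name, trust_doc, account_id, oidc_provider):
    """Walk the chain service account annotation -> IAM role -> trust policy and
    return a list of findings (an empty list means the binding is correct and scoped)."""
    findings = []
    meta = sa.get("metadata", {})
    expected_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    if meta.get("annotations", {}).get("eks.amazonaws.com/role-arn") != expected_arn:
        findings.append(f"role-arn annotation missing or not {expected_arn}")
    sa_subject = f"system:serviceaccount:{meta.get('namespace')}:{meta.get('name')}"
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            findings.append("federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing: tokens minted for other audiences could assume the role")
        sub = cond.get(f"{oidc_provider}:sub")
        if sub is None:
            findings.append(f"no sub condition: any service account in the cluster, not only {sa_subject}, can assume the role")
        elif sub != sa_subject:
            findings.append(f"sub condition {sub!r} does not match {sa_subject}")
    return findings

# Constructed `kubectl -n kube-system get sa ebs-csi-controller-sa -o json` output, trimmed to what the check reads.
SA_MANIFEST = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {
    "name": SERVICE_ACCOUNT, "namespace": NAMESPACE,
    "annotations": {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"}}}

if __name__ == "__main__":
    doc = trust_policy(ACCOUNT_ID, OIDC_PROVIDER, NAMESPACE, SERVICE_ACCOUNT)
    print(check_irsa_binding(SA_MANIFEST, ROLE_NAME, doc, ACCOUNT_ID, OIDC_PROVIDER) or "binding OK")
```

On a live cluster, feed the function the output of `kubectl ... -o json` and `aws iam get-role --role-name ${role_name} --query Role.AssumeRolePolicyDocument` instead of the constructed values.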