Creating a Service Account for the EBS CSI Driver on EKS

When using Kubernetes EKS v1.23 or higher with Amazon EBS volumes, you need to configure a few management and security updates: from v1.23 EBS volumes are handled by the Amazon EBS CSI driver, whose controller calls the EBS API using an IAM role bound to its Kubernetes service account (IAM roles for service accounts, IRSA). The steps below will:

  • Create a service account named ebs-csi-controller-sa on your Kubernetes cluster (EKS), in the kube-system namespace.
  • Associate the service account with an IAM role that carries the permissions the EBS CSI driver needs.

Note:
This is not required if you deployed an EKS cluster v1.23 or higher using the Sisense script in Deployment Script for Sisense on Amazon EKS.
If you used the script to deploy an older version of EKS and then upgraded to v1.23 or higher, you need to follow the instructions on this page.


Prerequisites

The following are required before performing the steps to set up your management and security updates:

  • The EKS cluster using version 1.23 or higher on AWS must be deployed.
  • From a Bash shell, you need to be connected to your AWS account.
  • You need to be connected to your EKS cluster. That is, you need to be able to run kubectl commands on it.
  • The eksctl binary file must be installed. You can install it as follows:
    ## Installing eksctl
    if ! command -v eksctl &> /dev/null; then
        # --fail makes a failed download an error instead of piping an HTML error page into tar
        curl --silent --fail --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
        sudo mv /tmp/eksctl /usr/local/bin
        source <(eksctl completion bash) 2>/dev/null
    fi

Configuring the Management and Security Updates via the Sisense Script

The management and security updates can be installed via the Sisense script, which performs the same configuration as the manual steps in the next section. The script is downloaded over HTTPS and then executed with your AWS credentials, so review its contents before running it.

# export CLUSTER=<your EKS cluster name>
# Example below:
export CLUSTER=my-eks-cluster

# --fail ensures a failed download does not leave an HTML error page to be executed as a script
curl --fail --create-dirs --output ./ebs-csi-driver/create_ebs_driver_sa.sh https://data.sisense.com/linux/scripts/ebs-csi-driver/create_ebs_driver_sa.sh
chmod 755 ./ebs-csi-driver/create_ebs_driver_sa.sh
./ebs-csi-driver/create_ebs_driver_sa.sh ${CLUSTER}

Configuring the Management and Security Updates Manually

To configure the management and security updates manually:

  1. Set up your variables, and download the policy document JSON file:
    # Must be "kube-system" hard coded
    namespace=kube-system

    # Must be "ebs-csi-controller-sa" hard coded
    service_account=ebs-csi-controller-sa

    eks_name=<your EKS cluster name>
    policy_name=<whichever IAM Policy name you wish to create>
    role_name=<whichever IAM Role name you wish to create>
    policy_file="${PWD}/eks_ebs_policy.json"

    account_id=$(aws sts get-caller-identity --query "Account" --output text)
    # The OIDC issuer URL without the https:// scheme, e.g. oidc.eks.<region>.amazonaws.com/id/<id>
    oidc_provider=$(aws eks describe-cluster --name ${eks_name} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

    # --fail ensures a failed download does not leave an HTML error page where the policy should be
    curl --fail --create-dirs --output ${policy_file} https://data.sisense.com/linux/scripts/ebs-csi-driver/eks_ebs_policy.json
  2. Create the IAM OIDC provider for your EKS cluster via the command:
    eksctl utils associate-iam-oidc-provider --cluster ${eks_name} --approve
  3. Create the service account in your Kubernetes cluster via the command:
    kubectl create serviceaccount ${service_account} -n ${namespace}
  4. Add the following labels and annotations for the service account:
    kubectl -n ${namespace} label sa ${service_account} \
      app.kubernetes.io/managed-by=Helm \
      app.kubernetes.io/name=aws-ebs-csi-driver

    kubectl -n ${namespace} annotate sa ${service_account} \
      meta.helm.sh/release-name=aws-ebs-csi-driver \
      meta.helm.sh/release-namespace=kube-system
  5. Create the IAM policy in AWS, with the permissions from the policy JSON file via the command:
    aws iam create-policy --policy-name ${policy_name} --policy-document file://${policy_file}
  6. Create the trust relationship document by copying the text below and pasting it in your Bash shell. The ":sub" condition restricts the role to the ebs-csi-controller-sa service account in kube-system; with only the ":aud" condition, any pod in the cluster could request a projected token for the sts.amazonaws.com audience and assume the role:
    cat >${PWD}/trust-relationship.json <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${oidc_provider}:aud": "sts.amazonaws.com",
              "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${service_account}"
            }
          }
        }
      ]
    }
    EOF
  7. Create the IAM role in AWS with this trust policy, so that it can only be assumed through the OIDC provider above, via the command:
    aws iam create-role --role-name ${role_name} --assume-role-policy-document file://${PWD}/trust-relationship.json --description "eks-ebs-driver for EKS cluster"
  8. Attach the IAM policy to the IAM role you just created via the command:
    aws iam attach-role-policy --role-name ${role_name} --policy-arn=arn:aws:iam::${account_id}:policy/${policy_name}
  9. Bind the IAM role to the service account by annotating the service account with the role ARN via the command:
    kubectl annotate serviceaccount -n ${namespace} ${service_account} eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}

Verifying that the Service Account is Configured Correctly

To verify that the service account is configured correctly, run the command:
kubectl -n kube-system get serviceaccount ebs-csi-controller-sa -o yaml

If the service account is configured correctly, you should see output similar to the following. The secrets: entry at the end appears only on Kubernetes 1.23; from Kubernetes 1.24 on, a token Secret is no longer created automatically for a service account, so its absence on newer clusters is expected.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role-name
    meta.helm.sh/release-name: aws-ebs-csi-driver
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2022-10-03T14:31:43Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: aws-ebs-csi-driver
  name: ebs-csi-controller-sa
  namespace: kube-system
  resourceVersion: "2998"
  uid: 2d13f618-e88f-40b8-8f14-742897467b5c
secrets:
- name: ebs-csi-controller-sa-token-nhxd5
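The kubectl output above only shows that the annotation is present; it does not show whether the role's trust policy is actually restricted to this service account. The following Python script, added here as an example and not part of Sisense's script or of the EBS CSI driver, checks both artifacts of the manual procedure offline: the role's trust policy (what aws iam get-role returns as Role.AssumeRolePolicyDocument) and the ServiceAccount object (kubectl get sa -o json). It reports a trust policy that has only the ":aud" condition as a finding, because such a role can be assumed by any service account in the cluster. The account id, OIDC issuer id and role name inside it are constructed placeholders.

```python
"""Offline check that an EBS CSI driver IRSA binding is correct and tight.

Added example, not part of Sisense's script. Feed it the JSON you get from:
  aws iam get-role --role-name "$role_name" --query Role.AssumeRolePolicyDocument
  kubectl -n kube-system get sa ebs-csi-controller-sa -o json
"""

NAMESPACE = "kube-system"
SERVICE_ACCOUNT = "ebs-csi-controller-sa"
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
ASSUME_ACTIONS = ("sts:AssumeRoleWithWebIdentity", "sts:*", "*")


def _as_list(value):
    """IAM accepts a scalar or a list for Action and condition values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, account_id, oidc_provider,
                       namespace=NAMESPACE, service_account=SERVICE_ACCOUNT):
    """Return a list of problems with an IRSA trust policy; an empty list means it is tight."""
    problems = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    found = False
    for st in _as_list(doc.get("Statement")):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not any(a in ASSUME_ACTIONS for a in actions):
            continue
        found = True
        principal = st.get("Principal", {}).get("Federated")
        if principal != expected_principal:
            problems.append(f"federated principal {principal!r}, expected {expected_principal!r}")
        equals = st.get("Condition", {}).get("StringEquals", {})
        if "sts.amazonaws.com" not in _as_list(equals.get(f"{oidc_provider}:aud")):
            problems.append(":aud condition missing or not sts.amazonaws.com")
        subs = _as_list(equals.get(f"{oidc_provider}:sub"))
        if not subs:
            # Any pod can mount a projected token with audience sts.amazonaws.com, so without
            # a :sub condition every service account in the cluster can assume the role.
            problems.append(":sub condition missing: any service account in the cluster can assume this role")
        elif subs != [expected_sub]:
            problems.append(f":sub condition {subs!r}, expected [{expected_sub!r}]")
    if not found:
        problems.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return problems


def check_service_account(sa, account_id, role_name,
                          namespace=NAMESPACE, service_account=SERVICE_ACCOUNT):
    """Return problems with the ServiceAccount object (kubectl -o json); empty list means OK."""
    problems = []
    meta = sa.get("metadata", {})
    if (meta.get("name"), meta.get("namespace")) != (service_account, namespace):
        problems.append(f"object is {meta.get('namespace')}/{meta.get('name')}, "
                        f"expected {namespace}/{service_account}")
    expected_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    actual_arn = meta.get("annotations", {}).get(ROLE_ARN_ANNOTATION)
    if actual_arn != expected_arn:
        problems.append(f"{ROLE_ARN_ANNOTATION} is {actual_arn!r}, expected {expected_arn!r}")
    return problems


# Constructed sample inputs: placeholder account id and OIDC issuer id, not real ones.
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ROLE_NAME = "your-iam-role-name"


def _trust(conditions):
    """Build a trust policy in the shape of step 6 with the given StringEquals conditions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions},
    }]}


# Trust policy with only the :aud condition, and the same policy pinned to one service account.
LAX_TRUST = _trust({f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"})
TIGHT_TRUST = _trust({f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                      f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{NAMESPACE}:{SERVICE_ACCOUNT}"})

# ServiceAccount as kubectl -o json would return it after step 9 (constructed).
SA_DOC = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {
    "name": SERVICE_ACCOUNT, "namespace": NAMESPACE,
    "annotations": {ROLE_ARN_ANNOTATION: f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"},
}}

if __name__ == "__main__":
    for label, doc in (("aud-only trust policy", LAX_TRUST), ("aud+sub trust policy", TIGHT_TRUST)):
        print(label, check_trust_policy(doc, ACCOUNT_ID, OIDC_PROVIDER) or "OK")
    print("service account", check_service_account(SA_DOC, ACCOUNT_ID, ROLE_NAME) or "OK")
```

To check a live cluster, replace the constructed dicts with json.load of the two commands named in the docstring and pass your own account id, OIDC issuer (without the https:// scheme, exactly as the oidc_provider variable in step 1) and role name. A non-empty list from either function means the binding is wrong or wider than it needs to be.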

If all is correct, continue with the Sisense installation or upgrade.