Creating a Service Account for the EBS CSI Driver on EKS
When using Kubernetes EKS v1.23 or higher with Amazon FSx or EFS, you need to configure a few management and security updates. The steps below will:
- Create a service account named ebs-csi-controller-sa on your Kubernetes cluster (EKS), under the kube-system namespace.
- Assign an IAM role that contains the relevant permissions to that service account.
Prerequisites
The following are required before performing the steps to set up your management and security updates:
- The EKS cluster using version 1.23 or higher on AWS must be deployed.
- From a Bash shell, you need to be connected to your AWS account.
- You need to be connected to your EKS cluster. That is, you need to be able to run kubectl commands on it.
- The eksctl binary file must be installed. You can install it as follows:
## Installing eksctl
if ! command -v eksctl &> /dev/null; then
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
source <(eksctl completion bash) 2>/dev/null
fi
Configuring the Management and Security Updates via the Sisense Script
The management and security updates can be installed via the Sisense script.
# export CLUSTER=<your EKS cluster name>
# Example below:
export CLUSTER=my-eks-cluster
curl --create-dirs --output ./ebs-csi-driver/create_ebs_driver_sa.sh https://data.sisense.com/linux/scripts/ebs-csi-driver/create_ebs_driver_sa.sh
chmod 755 ./ebs-csi-driver/create_ebs_driver_sa.sh
./ebs-csi-driver/create_ebs_driver_sa.sh ${CLUSTER}
Configuring the Management and Security Updates Manually
To configure the management and security updates manually:
- Set up your variables, and download the policy document JSON file:
# Must be "kube-system" hard coded
namespace=kube-system
# Must be "ebs-csi-controller-sa" hard coded
service_account=ebs-csi-controller-sa
eks_name=<your EKS cluster name>
policy_name=<whichever IAM Policy name you wish to create>
role_name=<whichever IAM Role name you wish to create>
policy_file="${PWD}/eks_ebs_policy.json"
account_id=$(aws sts get-caller-identity --query "Account" --output text)
oidc_provider=$(aws eks describe-cluster --name ${eks_name} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
curl --create-dirs --output ${policy_file} https://data.sisense.com/linux/scripts/ebs-csi-driver/eks_ebs_policy.json
- Create the IAM OIDC provider for your EKS cluster via the command:
eksctl utils associate-iam-oidc-provider --cluster ${eks_name} --approve
- Create the service account in your Kubernetes cluster via the command:
kubectl create serviceaccount ${service_account} -n ${namespace}
- Add the following labels and annotations for the service account:
kubectl -n ${namespace} label sa ${service_account} \
app.kubernetes.io/managed-by=Helm \
app.kubernetes.io/name=aws-ebs-csi-driver
kubectl -n ${namespace} annotate sa ${service_account} \
meta.helm.sh/release-name=aws-ebs-csi-driver \
meta.helm.sh/release-namespace=kube-system
- Create the IAM policy in AWS, with the permissions from the policy JSON file, via the command:
aws iam create-policy --policy-name ${policy_name} --policy-document file://${policy_file}
- Create the trust relationship document by copying the text below and pasting it in your Bash shell:
cat >${PWD}/trust-relationship.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${oidc_provider}:aud": "sts.amazonaws.com"
}
}
}
]
}
EOF
- Create the IAM role in AWS, using the trust relationship document above so that the role can only be assumed through the trusted OIDC provider, via the command:
aws iam create-role --role-name ${role_name} --assume-role-policy-document file://${PWD}/trust-relationship.json --description "eks-ebs-driver for EKS cluster"
- Attach the IAM policy to the IAM role you just created via the command:
aws iam attach-role-policy --role-name ${role_name} --policy-arn=arn:aws:iam::${account_id}:policy/${policy_name}
- Bind the IAM role with the relevant permissions to the service account you created, via the command:
kubectl annotate serviceaccount -n ${namespace} ${service_account} eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}
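A check worth running on the trust relationship after the steps above: the document on this page conditions only on the `aud` claim, so every pod in the cluster whose service account token carries that audience could assume the role. The added Python example below (not part of Sisense's script) builds the same document with an additional `sub` condition that pins the role to the kube-system/ebs-csi-controller-sa service account, and audits a trust policy (for example the output of `aws iam get-role`) for both conditions; the account id and OIDC provider host are constructed placeholders, and the `:sub` key value format `system:serviceaccount:<namespace>:<name>` is the AWS IRSA convention, assumed here rather than taken from the page.

```python
STS_AUDIENCE = "sts.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust relationship pinned to one ServiceAccount: the page's document pins
    only ':aud'; adding ':sub' (AWS IRSA key, 'system:serviceaccount:<ns>:<sa>')
    limits the role to this ServiceAccount instead of every pod in the cluster."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {
                f"{oidc_provider}:aud": STS_AUDIENCE,
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def audit_trust_policy(doc, account_id, oidc_provider, namespace, service_account):
    """Findings for a trust policy as returned by 'aws iam get-role'; [] means OK."""
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings, seen = [], False
    for stmt in doc.get("Statement", []):
        # "Action" may be a single string or a list of strings.
        actions = {stmt.get("Action")} if isinstance(stmt.get("Action"), str) else set(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in actions:
            continue
        seen = True
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{oidc_provider}:aud") != STS_AUDIENCE:
            findings.append("aud is not pinned to sts.amazonaws.com")
        if cond.get(f"{oidc_provider}:sub") != expected_sub:
            findings.append("sub is not pinned: any ServiceAccount in the cluster can assume the role")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


# Constructed sample values (not a real account or provider id).
ACCOUNT, PROVIDER = "123456789012", "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEID"
NS, SA = "kube-system", "ebs-csi-controller-sa"
# Same shape as the page's trust-relationship.json, which pins only 'aud'.
PAGE_STYLE_DOC = build_trust_policy(ACCOUNT, PROVIDER, NS, SA)
del PAGE_STYLE_DOC["Statement"][0]["Condition"]["StringEquals"][f"{PROVIDER}:sub"]
```

Running `audit_trust_policy(PAGE_STYLE_DOC, ...)` reports the missing `sub` pin, while the document from `build_trust_policy` audits clean.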
Verifying that the Service Account is Configured Correctly
To verify that the service account is configured correctly, run the command:
kubectl -n kube-system get serviceaccount ebs-csi-controller-sa -o yaml
If the service account is configured correctly, you should see output that is similar to the following:
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role-name
meta.helm.sh/release-name: aws-ebs-csi-driver
meta.helm.sh/release-namespace: kube-system
creationTimestamp: "2022-10-03T14:31:43Z"
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: aws-ebs-csi-driver
name: ebs-csi-controller-sa
namespace: kube-system
resourceVersion: "2998"
uid: 2d13f618-e88f-40b8-8f14-742897467b5c
secrets:
- name: ebs-csi-controller-sa-token-nhxd5
If all is correct, continue with the Sisense installation or upgrade.