How to configure Amazon EBS CSI driver for working PersistentVolumes in EKS

From EKS 1.23 onwards, a Container Storage Interface (CSI) driver is needed to get your PersistentVolumeClaims served by a PersistentVolume, as you are used to from earlier EKS versions. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.

This guide provides instructions on binding PersistentVolumes to your HiveMQ installation to enable the use of PersistentVolumeClaims (PVCs).

 

Requirements

  1. AWS CLI is installed and configured as suggested in the EKS setup guide, Setting up EKS Cluster in Amazon Web Services (AWS)

  2. Access to your EKS cluster

  3. EKS CLI (eksctl)

Instructions

Essentially, we need to enable the AWS EBS CSI driver as an EKS add-on. Before that, we need to enable the IAM OIDC provider and create the IAM role for the EBS CSI driver. The easiest way to do both is to use eksctl (other ways, such as the plain AWS CLI or the AWS GUI, are described in the docs).

  1. Enable IAM OIDC provider:
    A prerequisite for the EBS CSI driver to work is to have an existing AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. This IAM OIDC provider can be enabled with the following command:

    eksctl utils associate-iam-oidc-provider --region=eu-west-1 --cluster=HiveMQCluster --approve

  2. Create Amazon EBS CSI driver IAM role:

    Now that you have eksctl in place, create the IAM role with the following command:

    eksctl create iamserviceaccount \
      --region eu-west-1 \
      --name ebs-csi-controller-sa \
      --namespace kube-system \
      --cluster HiveMQCluster \
      --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
      --approve \
      --role-only \
      --role-name AmazonEKS_EBS_CSI_DriverRole

    AWS maintains a managed policy that we can simply use, available at ARN arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy. Only if you use encrypted EBS drives do you need to add further configuration to the policy. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#installation-1

  3. Add the Amazon EBS CSI add-on:

    Now we can finally add the EBS CSI add-on. For this we also need the AWS account ID, which we can obtain by running aws sts get-caller-identity --query Account --output text
    The eksctl create addon command looks like this:

    eksctl create addon \
      --name aws-ebs-csi-driver \
      --cluster HiveMQCluster \
      --service-account-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AmazonEKS_EBS_CSI_DriverRole \
      --force

  4. If you already have PVCs in a pending state, an EBS volume is now created for them and your PersistentVolumeClaim should get the status Bound.

Please make sure to use the correct cluster name and region of your deployed cluster to avoid any issues with the setup.
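The role created in step 2 should be assumable only by the ebs-csi-controller-sa service account in kube-system, through the cluster's OIDC provider. The following check is an added example, not part of the original guide or of eksctl: it audits a trust policy document such as the one returned by aws iam get-role --role-name AmazonEKS_EBS_CSI_DriverRole --query Role.AssumeRolePolicyDocument. The function name audit_trust_policy is hypothetical, and the sample policy, account ID and OIDC provider ID are constructed placeholders.

```python
import json

# Constructed sample of an IRSA trust policy; the account ID and the OIDC
# provider ID are placeholders, not values from a real cluster.
ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
        }},
    }],
})


def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, namespace="kube-system",
                       service_account="ebs-csi-controller-sa"):
    """Return findings; an empty list means only the expected service
    account can assume the role through the cluster's OIDC provider."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if (_as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]
                or not isinstance(federated, str)
                or ":oidc-provider/" not in federated):
            findings.append(f"statement {n}: not a web-identity trust on an OIDC provider")
            continue
        issuer = federated.split(":oidc-provider/", 1)[1]
        # Only exact matches count: a 'sub' under StringLike may carry wildcards.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(exact.get(f"{issuer}:sub")) != [expected_sub]:
            findings.append(f"statement {n}: 'sub' is not pinned to {expected_sub}")
        if _as_list(exact.get(f"{issuer}:aud")) != ["sts.amazonaws.com"]:
            findings.append(f"statement {n}: 'aud' is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_POLICY) or "trust policy is scoped correctly")
```

A finding on 'sub' means the role is not restricted to that one service account, so other pods in the cluster could obtain the EBS permissions.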
