
How do I use the aws-ebs-csi-driver add-on when using the aws-eks Terraform module?

Stack Overflow user
Asked on 2022-12-01 21:58:57
1 answer · 13 views · 0 followers · 0 votes

I'm using an EKS cluster created with Terraform. I'm using the aws-eks terraform module. When I specify the AWS EBS CSI driver as a cluster add-on, I get

```hcl
  cluster_addons = {
    coredns = {
      addon_version = "v1.8.7-eksbuild.3"
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {
      addon_version = "v1.24.7-eksbuild.2"
      resolve_conflicts = "OVERWRITE"
    }
    vpc-cni = {
      addon_version = "v1.12.0-eksbuild.1"
      resolve_conflicts = "OVERWRITE"
    }
    aws-ebs-csi-driver = {
      addon_version = "v1.13.0-eksbuild.2"
      resolve_conflicts="PRESERVE"
    }
  }
```

```text
aws_eks_addon.this["aws-ebs-csi-driver"]: Modifying... [id=it-tooling-eks-8fmuw5:aws-ebs-csi-driver]
╷
│ Error: error updating EKS Add-On (it-tooling-eks-8fmuw5:aws-ebs-csi-driver): InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 1, UpdateAddonInput.ServiceAccountRoleArn.
```

Answer 1

Stack Overflow user

Posted on 2022-12-01 21:58:57

The short answer is to use the following:

```hcl
  cluster_addons = {
    aws-ebs-csi-driver = {
      service_account_role_arn = "arn:aws:iam::123456789012:role/amazon-eks-ebs-csi-driver-role-8fmuw5"
      addon_version = "v1.13.0-eksbuild.2"
      resolve_conflicts="PRESERVE"
    }
  }
```

You need that role and the associated policies for things to work. I'm including the terragrunt scripts (terragrunt = a terraform wrapper that uses terraform modules), hoping this helps someone.

Role

```hcl
terraform {
  source = "${format("%s%s", dirname(get_parent_terragrunt_dir()), "/..//modules/terraform-aws-iam/modules/iam-assumable-role-with-oidc")}"
}

include {
  path = find_in_parent_folders()
}

dependencies {
  paths = [
    "../../../../once-per-account/policies/ebs-csi-driver-policy",
    "../../../../once-per-account/policies/ebs-csi-kms-encryption-policy",
    "../../random-string-env",
    "../../eks"
  ]
}

dependency "ebs-csi-driver-policy" {
  config_path = "../../../../once-per-account/policies/ebs-csi-driver-policy"
}

dependency "ebs-csi-kms-encryption-policy" {
  config_path = "../../../../once-per-account/policies/ebs-csi-kms-encryption-policy"
}

dependency "random-string" {
  config_path = "../../random-string-env"
}

dependency "eks" {
  config_path = "../../eks"
}

inputs = {
  create_role       = true
  role_requires_mfa = false
  role_name         = "amazon-eks-ebs-csi-driver-role-${dependency.random-string.outputs.random_suffix}"

  tags = {
    Role = "amazon-eks-ebs-csi-driver-role-${dependency.random-string.outputs.random_suffix}"
  }

  provider_url                   = dependency.eks.outputs.cluster_oidc_issuer_url
  role_policy_arns               = [dependency.ebs-csi-driver-policy.outputs.arn,dependency.ebs-csi-kms-encryption-policy.outputs.arn]
  oidc_fully_qualified_audiences = [ "sts.amazonaws.com" ]
  oidc_fully_qualified_subjects  = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
}
```

Policy

```hcl
terraform {
  source = "${format("%s%s", dirname(get_parent_terragrunt_dir()), "/..//modules/terraform-aws-iam/modules/iam-policy")}"
}

include {
  path = find_in_parent_folders()
}

inputs = {
  name   = "AmazonEBSCSIDriverPolicyNew"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateVolume",
                        "CreateSnapshot"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/CSIVolumeName": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/kubernetes.io/cluster/*": "owned"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CSIVolumeName": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
                }
            }
        }
    ]
}
EOF
}
```

Score: 1
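The `provider_url`, `oidc_fully_qualified_audiences` and `oidc_fully_qualified_subjects` inputs in the answer end up as the `Federated` principal and the `<issuer>:aud` / `<issuer>:sub` conditions of the role's trust policy. Since that trust policy is the only thing stopping any other pod in the cluster from assuming the EBS CSI role, it is worth checking after `terraform apply`. The following is an added example, not code from the Stack Overflow post or from the terraform-aws-iam module: it assumes the standard IRSA trust-policy shape, and the issuer URL, account id and policy documents it uses are constructed sample values.

```python
"""Check that the IAM role passed as service_account_role_arn can only be
assumed by the EBS CSI controller service account (IRSA trust policy check).

Added example: not from the Stack Overflow post or the terraform-aws-iam
module. SAMPLE_ISSUER, SAMPLE_ACCOUNT and the policy documents are constructed.
"""
import json
from urllib.parse import urlparse

# What the answer's Terragrunt inputs ask the module to pin the role to.
EXPECTED_SUBJECT = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
EXPECTED_AUDIENCE = "sts.amazonaws.com"

# Constructed sample values (not a real cluster or account).
SAMPLE_ISSUER = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_ACCOUNT = "123456789012"


def issuer_host_path(issuer_url: str) -> str:
    """IRSA condition keys are '<issuer host>/<path>:sub', without the scheme."""
    parsed = urlparse(issuer_url)
    return parsed.netloc + parsed.path.rstrip("/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_expected_trust_policy(issuer_url: str, account_id: str) -> dict:
    """Trust policy the iam-assumable-role-with-oidc inputs in the answer should produce."""
    issuer = issuer_host_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": EXPECTED_SUBJECT,
                f"{issuer}:aud": EXPECTED_AUDIENCE,
            }},
        }],
    }


def check_trust_policy(policy: dict, issuer_url: str, account_id: str) -> list:
    """Return findings; an empty list means only the EBS CSI controller SA can assume the role."""
    issuer = issuer_host_path(issuer_url)
    expected_provider = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    findings = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        return ["no Allow statement: nothing can assume the role"]
    for i, stmt in enumerate(allows):
        where = f"statement {i}"
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append(f"{where}: does not grant sts:AssumeRoleWithWebIdentity")
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if federated != [expected_provider]:
            findings.append(f"{where}: Federated principal {federated} is not the cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if _as_list(equals.get(f"{issuer}:sub", [])) != [EXPECTED_SUBJECT]:
            findings.append(f"{where}: {issuer}:sub is not pinned to {EXPECTED_SUBJECT}")
        if _as_list(equals.get(f"{issuer}:aud", [])) != [EXPECTED_AUDIENCE]:
            findings.append(f"{where}: {issuer}:aud is not pinned to {EXPECTED_AUDIENCE}")
        # StringLike on :sub admits wildcards, so every SA matching the pattern could assume the role.
        if any(k.endswith(":sub") for k in cond.get("StringLike", {})):
            findings.append(f"{where}: subject matched with StringLike (wildcard) instead of StringEquals")
    return findings


# Constructed: a hand-written trust policy that lets every SA in kube-system assume the role.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{SAMPLE_ACCOUNT}:oidc-provider/{issuer_host_path(SAMPLE_ISSUER)}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{issuer_host_path(SAMPLE_ISSUER)}:sub": "system:serviceaccount:kube-system:*"}},
    }],
}

if __name__ == "__main__":
    good = build_expected_trust_policy(SAMPLE_ISSUER, SAMPLE_ACCOUNT)
    print(json.dumps(good, indent=2))
    print("expected policy findings:", check_trust_policy(good, SAMPLE_ISSUER, SAMPLE_ACCOUNT))
    print("loose policy findings:")
    for finding in check_trust_policy(LOOSE_TRUST_POLICY, SAMPLE_ISSUER, SAMPLE_ACCOUNT):
        print("  -", finding)
```

In practice you would feed `check_trust_policy` the document returned by `aws iam get-role` for the role named in `service_account_role_arn`, the cluster's `cluster_oidc_issuer_url` output and your account id; any finding means the role can be assumed by something other than `ebs-csi-controller-sa` in `kube-system`.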
Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Source: https://stackoverflow.com/questions/74648632