
aws-efs-csi-pv-provisioner's Issues

[question] Working with IRSA

Hi @devkid

I'm looking at implementing this very useful project and wanted to ask about getting it all working with IAM / IRSA. I saw you'd had a PR merged into efs-utils so thought it might be best to just ask:

Do I need to give the EFS CSI Driver a serviceAccount and IRSA annotation or should it be the PV Provisioner that has the IRSA role annotation - or both?

Any tips on getting it all working with IAM that I, or others who will inevitably find this issue, should know about?

Thanks!

Attempting to use the provisioner, but I am facing a permission issue

Hi, I'm using the code pretty much as is in a 1.16 EKS cluster and EFS.

The only thing I changed is disabling tls and iam mount options.

Any help would be appreciated

Thank you

Here are the logs

```
I0721 14:38:14.854546 1 leaderelection.go:241] attempting to acquire leader lease storage-test/aws.k8s.logmein.com-efs-csi-pv-provisioner...
I0721 14:38:32.267434 1 leaderelection.go:251] successfully acquired lease storage-test/aws.k8s.logmein.com-efs-csi-pv-provisioner
I0721 14:38:32.267657 1 controller.go:770] Starting provisioner controller aws.k8s.logmein.com/efs-csi-pv-provisioner_aws-efs-csi-pv-provisioner-7c5b5dd979-59gvj_89a6aa47-62ab-4725-8ace-480415362ff2!
I0721 14:38:32.267888 1 event.go:255] Event(v1.ObjectReference{Kind:"Endpoints", Namespace:"storage-test", Name:"aws.k8s.logmein.com-efs-csi-pv-provisioner", UID:"cf118546-d13c-4cc5-806f-163b487b4403", APIVersion:"v1", ResourceVersion:"26033", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' aws-efs-csi-pv-provisioner-7c5b5dd979-59gvj_89a6aa47-62ab-4725-8ace-480415362ff2 became leader
E0721 14:38:32.270161 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
E0721 14:38:32.270416 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
E0721 14:38:32.270509 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumes" in API group "" at the cluster scope
E0721 14:38:32.270589 1 event.go:237] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"aws.k8s.logmein.com-efs-csi-pv-provisioner.1623cb6169d969d2", GenerateName:"", Namespace:"storage-test", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"Endpoints", Namespace:"storage-test", Name:"aws.k8s.logmein.com-efs-csi-pv-provisioner", UID:"cf118546-d13c-4cc5-806f-163b487b4403", APIVersion:"v1", ResourceVersion:"26033", FieldPath:""}, Reason:"LeaderElection", Message:"aws-efs-csi-pv-provisioner-7c5b5dd979-59gvj_89a6aa47-62ab-4725-8ace-480415362ff2 became leader", Source:v1.EventSource{Component:"aws.k8s.logmein.com/efs-csi-pv-provisioner_aws-efs-csi-pv-provisioner-7c5b5dd979-59gvj_89a6aa47-62ab-4725-8ace-480415362ff2", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbfbddd5a0ff059d2, ext:17429388198, loc:(*time.Location)(0x20fa140)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbfbddd5a0ff059d2, ext:17429388198, loc:(*time.Location)(0x20fa140)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot create resource "events" in API group "" in the namespace "storage-test"' (will not retry!)
E0721 14:38:33.271912 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
E0721 14:38:33.272880 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
E0721 14:38:33.276183 1 reflector.go:123] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:96: Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumes" in API group "" at the cluster scope
```
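
Added example, not part of the issue or the project's code: each `forbidden` line in the log above names the service account, verb, resource, API group and scope of a denied request, so the lines can be turned into the RBAC rules the provisioner's service account was missing. The sample lines are shortened, constructed copies of that log, and the role name `observed-denials` is a placeholder.

```python
import re
from collections import defaultdict

# Matches the API server's RBAC denial text as it appears in the log above.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<scope>[^"]+)")'
)

# Constructed sample: shortened lines in the shape of the log above (one repeated).
SAMPLE_LOG = """\
E0721 14:38:32.270161 1 reflector.go:123] Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
E0721 14:38:32.270416 1 reflector.go:123] Failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
E0721 14:38:32.270509 1 reflector.go:123] Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumes" in API group "" at the cluster scope
E0721 14:38:32.270589 1 event.go:237] Server rejected event: events is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot create resource "events" in API group "" in the namespace "storage-test"
E0721 14:38:33.271912 1 reflector.go:123] Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:storage-test:aws-efs-csi-pv-provisioner" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
"""

def denied_requests(log):
    """Map (service account, scope) -> {(apiGroup, resource): {verbs}}.

    scope is None for cluster-scoped denials, else the namespace name.
    """
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIED.finditer(log):
        subject = f'{m["ns"]}/{m["sa"]}'
        found[(subject, m["scope"])][(m["group"], m["res"])].add(m["verb"])
    return found

def to_manifests(found, name="observed-denials"):  # name is a placeholder
    """Build ClusterRole/Role dicts covering exactly the denied requests."""
    out = []
    ordered = sorted(found.items(), key=lambda kv: (kv[0][0], kv[0][1] or ""))
    for (_subject, scope), perms in ordered:
        meta = {"name": name} if scope is None else {"name": name, "namespace": scope}
        out.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole" if scope is None else "Role",
            "metadata": meta,
            "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                      for (g, r), v in sorted(perms.items())],
        })
    return out
```

The result covers only the requests denied so far (here `list` and one `create`); a reflector follows its list with a `watch`, so review the output against the RBAC manifest shipped with the provisioner instead of granting rules one denial at a time.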

Add license

Hi, would it be possible to add a license? Is it going to be Apache-2.0 License like the original project?
Thanks

[Feature Discussion]: Multi-Cluster and Consistent UUIDs or PVName overrides

Hi 👋.

I've been playing around with this project on multiple clusters pointing at the same EFS target.

It would be great if we could configure consistent UUIDs or override PV names (perhaps with an annotation on the PVC)?

This would allow workloads on multiple clusters to share the same data with the bonus dynamic PV creation.

Maybe a UUIDv4 based on the <namespace>/<pvcName> or something would be a good choice 🤔

I can try and get a PR together if it's of interest?

Thanks!
