
fix: Add missing TagResource permission needed for EFS CSI #1581

Merged
merged 2 commits into from
May 4, 2023

Conversation

rrrkharse

What does this PR do?

Adds the efs:TagResource permissions the EFS CSI driver needs to add the required tags to the EFS file system in use.

This is consistent with the example policy provided in the EFS CSI driver documentation, which can be found here.

Motivation

Our downstream repository consumes EKS Blueprints Add-ons and uses the EFS CSI driver add-on. We noticed that when using EFS volumes our notebook provisioning process gets stuck at volume creation due to Access Denied exceptions. We determined this missing permission to be the root cause.

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Testing:

EKS cluster with EFS add-on created successfully:

Apply complete! Resources: 35 added, 0 changed, 0 destroyed.

Outputs:

configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name tf-efs-vanilla"
eks_cluster_id = "tf-efs-vanilla"
eks_managed_nodegroup_arns = tolist([
  "arn:aws:eks:us-west-2:556017915589:nodegroup/tf-efs-vanilla/managed-ondemand-cpu-20230504193006564400000009/24c3f41f-205f-c913-76d2-408691c439ac",
])
eks_managed_nodegroup_ids = tolist([
  "tf-efs-vanilla:managed-ondemand-cpu-20230504193006564400000009",
])
eks_managed_nodegroup_role_name = tolist([
  "tf-efs-vanilla-managed-ondemand-cpu",
])
eks_managed_nodegroup_status = tolist([
  "ACTIVE",
])
eks_managed_nodegroups = tolist([
  {
    "mg_cpu" = {
      "managed_nodegroup_arn" = [
        "arn:aws:eks:us-west-2:556017915589:nodegroup/tf-efs-vanilla/managed-ondemand-cpu-20230504193006564400000009/24c3f41f-205f-c913-76d2-408691c439ac",
      ]
      "managed_nodegroup_iam_instance_profile_arn" = [
        "arn:aws:iam::556017915589:instance-profile/tf-efs-vanilla-managed-ondemand-cpu",
      ]
      "managed_nodegroup_iam_instance_profile_id" = [
        "tf-efs-vanilla-managed-ondemand-cpu",
      ]
      "managed_nodegroup_iam_role_arn" = [
        "arn:aws:iam::556017915589:role/tf-efs-vanilla-managed-ondemand-cpu",
      ]
      "managed_nodegroup_iam_role_name" = [
        "tf-efs-vanilla-managed-ondemand-cpu",
      ]
      "managed_nodegroup_id" = [
        "tf-efs-vanilla:managed-ondemand-cpu-20230504193006564400000009",
      ]
      "managed_nodegroup_launch_template_arn" = []
      "managed_nodegroup_launch_template_id" = []
      "managed_nodegroup_launch_template_latest_version" = []
      "managed_nodegroup_status" = [
        "ACTIVE",
      ]
    }
  },
])
vpc_cidr = "10.0.0.0/16"
vpc_private_subnet_cidr = tolist([
  "10.0.96.0/19",
  "10.0.128.0/19",
  "10.0.160.0/19",
])
vpc_public_subnet_cidr = tolist([
  "10.0.0.0/19",
  "10.0.32.0/19",
  "10.0.64.0/19",
])

Role and policy created and tagged with the required permissions:
[Screenshot: role and policy, 2023-05-04 1:06:41 PM]

Full policy contents:

{
    "Statement": [
        {
            "Action": "ec2:DescribeAvailabilityZones",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AllowDescribeAvailabilityZones"
        },
        {
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeAccessPoints"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticfilesystem:us-west-2:556017915589:file-system/*",
                "arn:aws:elasticfilesystem:us-west-2:556017915589:access-point/*"
            ],
            "Sid": "AllowDescribeFileSystems"
        },
        {
            "Action": "elasticfilesystem:CreateAccessPoint",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/efs.csi.aws.com/cluster": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:elasticfilesystem:us-west-2:556017915589:file-system/*",
            "Sid": "AllowCreateAccessPoint"
        },
        {
            "Action": "elasticfilesystem:DeleteAccessPoint",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:elasticfilesystem:us-west-2:556017915589:access-point/*",
            "Sid": "AllowDeleteAccessPoint"
        },
        {
            "Action": "elasticfilesystem:TagResource",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticfilesystem:us-west-2:556017915589:file-system/*",
                "arn:aws:elasticfilesystem:us-west-2:556017915589:access-point/*"
            ],
            "Sid": "AllowTagResource"
        },
        {
            "Action": [
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientMount"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:elasticfilesystem:us-west-2:556017915589:file-system/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}
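As an added example (not code from this PR or from EKS Blueprints), a small Python model of the IAM decision the CSI driver runs into: it evaluates a TagResource request against the policy with and without the AllowTagResource statement above. It implements only the subset of IAM semantics this policy uses (Allow statements, Action/Resource wildcards, StringLike conditions on tag keys), and the account id is a placeholder, not the one in the PR.

```python
import fnmatch
# Constructed sample modelled on the PR's policy, with a placeholder account id.
ACCOUNT = "111122223333"
FS_ARN = f"arn:aws:elasticfilesystem:us-west-2:{ACCOUNT}:file-system/*"
AP_ARN = f"arn:aws:elasticfilesystem:us-west-2:{ACCOUNT}:access-point/*"
DESCRIBE = {"Sid": "AllowDescribeFileSystems", "Effect": "Allow", "Resource": [FS_ARN, AP_ARN],
            "Action": ["elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeFileSystems"]}
TAG = {"Sid": "AllowTagResource", "Effect": "Allow", "Resource": [FS_ARN, AP_ARN],
       "Action": "elasticfilesystem:TagResource",
       "Condition": {"StringLike": {"aws:ResourceTag/efs.csi.aws.com/cluster": "true"}}}
BEFORE = {"Version": "2012-10-17", "Statement": [DESCRIBE]}       # policy before the fix
AFTER = {"Version": "2012-10-17", "Statement": [DESCRIBE, TAG]}   # policy after the fix

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # StringLike only, other operators fail closed; every key must be in the request context.
    for op, pairs in cond.items():
        if op != "StringLike":
            return False
        for key, pattern in pairs.items():
            if key not in ctx or not fnmatch.fnmatchcase(ctx[key], pattern):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches action, resource and its conditions."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False

def tag_resource_outcomes():
    """Simulate the driver calling TagResource on a cluster-tagged file system."""
    fs = f"arn:aws:elasticfilesystem:us-west-2:{ACCOUNT}:file-system/fs-0123456789abcdef0"
    tagged = {"aws:ResourceTag/efs.csi.aws.com/cluster": "true"}
    act = "elasticfilesystem:TagResource"
    return {
        "before_fix": is_allowed(BEFORE, act, fs, tagged),        # False: the AccessDenied seen in the PR
        "after_fix": is_allowed(AFTER, act, fs, tagged),          # True
        "after_fix_untagged_fs": is_allowed(AFTER, act, fs, {}),  # False: tag condition not met
    }
```

The third case shows why the statement stays scoped: a file system without the efs.csi.aws.com/cluster tag is still not taggable by the driver's role.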

@rrrkharse rrrkharse requested a review from a team as a code owner May 4, 2023 20:07
@rrrkharse rrrkharse temporarily deployed to EKS Blueprints Test May 4, 2023 20:08 — with GitHub Actions Inactive

@askulkarni2 askulkarni2 left a comment


LGTM!

@askulkarni2 askulkarni2 changed the title Add missing TagResource permission needed for EFS CSI fix: Add missing TagResource permission needed for EFS CSI May 4, 2023
@askulkarni2 askulkarni2 temporarily deployed to EKS Blueprints Test May 4, 2023 20:44 — with GitHub Actions Inactive
@askulkarni2 askulkarni2 merged commit ee31f32 into aws-ia:main May 4, 2023
rrrkharse added a commit to awslabs/kubeflow-manifests that referenced this pull request May 10, 2023
- Updated the EKS Blueprints module version in use to v4.31, which
contains the updated permissions fix for the EFS CSI driver to work
correctly with Kubeflow. Details
[here](aws-ia/terraform-aws-eks-blueprints#1581).
- Added the `--skip-driver-installation` flag to the EFS auto setup script as
a temporary workaround for the missing full Terraform EFS add-on support
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
rrrkharse added a commit to rrrkharse/kubeflow-manifests that referenced this pull request May 11, 2023
…labs#731)
gminiba pushed a commit to gminiba/terraform-aws-eks-blueprints that referenced this pull request May 26, 2023
Co-authored-by: Apoorva Kulkarni <kuapoorv@amazon.com>
jsitu777 pushed a commit to jsitu777/kubeflow-manifests that referenced this pull request Jun 27, 2023
…labs#731)