[Testing in Progress] Create and provide EFS CSI driver policy to blueprints addons #726
Thank you @rrrkharse for jumping on this!

```
# setup_iam_authorization()
# setup_efs_driver()
```

Then maybe we could introduce a flag to the auto script (

```
if not is_terraform_deployment:
    setup_iam_authorization()
    setup_efs_driver()
```

Also, is it normal that no service account is created when using terraform? How is the policy being used exactly when we use terraform and comment those two lines?
Shouldn't we fix the upstream instead? Should be quick. To confirm, it's failing because of the
re: auto script, we can introduce generic flag like
@surajkota By curiosity, how is the policy being used if there is no service account created? (setup_iam_authorization is commented)
Service account and IAM Role are created for the controller. Are you asking where the code for that is in terraform?
@surajkota Ok, so the EFS policy created by the terraform deployment is being used by the controller SA? Just looking to understand what replaces the IAM setup of the autoscript when using terraform.
It's implemented in upstream in eks-blueprints. EFS driver module uses helm add on module, which uses IRSA module. IRSA configuration for EFS CSI driver is defined here - https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/aws-efs-csi-driver/main.tf#L24-L50
Auto script might also be depending on eksctl related tags for getting cluster related info like subnets etc. That might need to be changed to using describe_cluster instead or some other generic way. This issue remains with all auto scripts, hence we recommended using manual steps for now.
@surajkota I see, are you sure that's an issue for the EFS script? I don't see any usage of a tag to query any information. I see describe_cluster being used.
I just meant to give a heads-up for potential issues. Looks like that's in rds-s3 script (works only with specific cdk or eksctl tags on subnet); efs script was updated in https://github.com/awslabs/kubeflow-manifests/pull/185/files

efs script does check for eksctl being installed on the system. I think we should remove those tools verification since it's part of prerequisites and is duplicate code across multiple scripts.

Ideally we would have terraform module for this in future, which would make it easy to change file system attributes post creation and address clean up via terraform with no additional code.
@surajkota great, yes I was aware for rds-s3 thank you. I agree with you, ideally in the future EFS should be part of the terraform deployment so that it's easy to cleanup. I created an issue to keep track of this feature request ( #713 )
Which issue is resolved by this Pull Request:
Resolves #717
Description of your changes:
The default IAM policy created for the EFS CSI driver service account does not contain all the required permissions mentioned here.
The Terraform install was updated to create a policy using the above URL and pass that policy as an input to the Blueprints Addons module, in which the EFS CSI driver module would use the policy as an input when creating the IAM role for the EFS CSI driver service account.
Testing:
Tested both manual deployment and modified auto setup script cases.
Auto setup script diff:
Verified notebook and volumes were created:
PVC yaml:
Storage class configuration:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.