EBS CSI Driver | Amazon EKS
EBS CSI Driver Installation Process
What is EBS CSI Driver?
The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver allows Amazon Elastic Kubernetes Service (Amazon EKS) clusters to manage the lifecycle of Amazon EBS volumes for persistent volumes.

What is the difference between "ebs.csi.aws.com" and "kubernetes.io/aws-ebs" volume provisioners?
kubernetes.io/aws-ebs — "In-tree" volume plugin for AWS EBS
ebs.csi.aws.com — Container Storage Interface for AWS EBS
Before CSI was introduced, Kubernetes provided a powerful volume plugin system. These volume plugins were "in-tree", meaning their code was part of the core Kubernetes code and shipped with the core Kubernetes binaries.
However, adding support for new volume plugins to Kubernetes was challenging. Vendors that wanted to add support for their storage systems to Kubernetes were forced to align with the Kubernetes release process. In addition, third-party storage code caused reliability and security issues in core Kubernetes binaries, and the code was often difficult for Kubernetes maintainers to test and maintain. Using the Container Storage Interface in Kubernetes resolves these major issues.
The existing in-tree EBS plugin is still supported but deprecated. It is recommended to use the CSI driver for creating or maintaining persistent volumes, because CSI enables Kubernetes to work with any storage device for which an interface driver is available. These drivers also make Kubernetes more stable and reliable, since they reside outside of the core Kubernetes code.
Installation Process for CSI Driver —
Before starting the installation process, you can download all the necessary files from here — EBS CSI Driver
I will explain the EBS CSI Driver installation process step by step, and at the end I will share a script that installs the EBS CSI Driver in one go.
Step 1: Create an OIDC provider
Create an IAM OIDC provider for the EKS cluster. To determine whether you already have one or need to create one, follow these instructions:
◼️ Check whether an IAM OIDC provider already exists for the cluster's OIDC_ID. If one exists, the last of the following commands prints a matching entry:
> CLUSTER_NAME=kubehub-cluster-01
> OIDC_ID=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
> aws iam list-open-id-connect-providers | grep $OIDC_ID
◼️ If no provider exists for the OIDC_ID, create one with the following commands:
> CLUSTER_NAME=kubehub-cluster-01
> eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve
Step 2: Configure IAM Policy
The CSI driver is deployed as a set of Kubernetes Pods. These Pods must have permission to perform EBS API operations, such as creating and deleting volumes and attaching volumes to the EC2 worker nodes.
# Download the policy file
> curl https://raw.githubusercontent.com/shamimice03/AWS_EKS-EBS_CSI/main/AwsEBSCSIDriverPolicy.json > ebs_csi_policy.json
Create an IAM policy using the "ebs_csi_policy.json" file and save the Policy ARN for future use.
# Create an IAM Policy
> aws iam create-policy \
--policy-name AwsEBSCSIDriverPolicy \
--policy-document file://ebs_csi_policy.json
# Extract the "POLICY_ARN"
> POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`AwsEBSCSIDriverPolicy`].Arn' --output text)
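Because the policy file comes from a third-party repository, it is worth reading before it becomes an IAM policy. The following check is an added example, not part of the original article or of the AWS tooling; the sample policy is constructed and the finding names are assumptions of this sketch. It flags statements that grant more than EBS volume management needs:

```python
import json

# Constructed sample for illustration; not the contents of the file the page downloads.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateVolume", "ec2:AttachVolume"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*",
         "Condition": {"StringLike": {"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"}}},
        {"Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
})

def as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def review_policy(policy_text, allowed_service="ec2"):
    """Return (statement index, finding, action) tuples that need a manual look."""
    findings = []
    for index, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((index, "not-action", "NotAction"))
        unscoped = "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if "*" in action:
                findings.append((index, "wildcard-action", action))
            elif service.lower() != allowed_service:
                findings.append((index, "unexpected-service", action))
            elif name.lower().startswith(("delete", "detach")) and unscoped:
                # Destructive call on every resource with no tag condition.
                findings.append((index, "unscoped-destructive", action))
    return findings

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
```

To review the real file, pass the contents of ebs_csi_policy.json to `review_policy` before running `aws iam create-policy`.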
Step 3: Configure IAM Role and Service Account
We need to associate an IAM role with a Kubernetes service account. This service account can then provide AWS permissions to the containers in any pod that uses that service account.
Using eksctl, create an IAM role that has the IAM policy we just created attached, and associate it with a Kubernetes service account named ebs-csi-controller-sa, which the CSI driver will use. Then save the role ARN as an environment variable for future use.
# Set Environment Variables
> CLUSTER_NAME=kubehub-cluster-01
> ROLE_NAME=AmazonEKS_EBS_CSI_DriverRole
> SA_NAME=ebs-csi-controller-sa
# Configure IAM Role and Attach to a service account
> eksctl create iamserviceaccount \
--name $SA_NAME \
--cluster $CLUSTER_NAME \
--attach-policy-arn=$POLICY_ARN \
--role-name $ROLE_NAME \
--namespace kube-system \
--approve \
--override-existing-serviceaccounts
# Save the "ROLE_ARN" as an environment variable
> ROLE_ARN=$(aws iam list-roles --query 'Roles[?RoleName==`AmazonEKS_EBS_CSI_DriverRole`].Arn' --output text)
Step 4: Deploy the Amazon EBS CSI Driver
Currently, there are two ways to deploy EBS CSI Driver —
◼️ Using Helm
serviceAccount.snapshot.name and serviceAccount.controller.name will be the name of the service account we just created in the previous step.
# Add the aws-ebs-csi-driver as a helm repo and Install EBS CSI
> helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
> helm upgrade --install aws-ebs-csi-driver \
--version=1.2.4 \
--namespace kube-system \
--set serviceAccount.controller.create=false \
--set serviceAccount.snapshot.create=false \
--set enableVolumeScheduling=true \
--set enableVolumeResizing=true \
--set enableVolumeSnapshot=true \
--set serviceAccount.snapshot.name=$SA_NAME \
--set serviceAccount.controller.name=$SA_NAME \
aws-ebs-csi-driver/aws-ebs-csi-driver
◼️ Using Amazon EKS add-on
We can also use eksctl to add the Amazon EBS CSI add-on to our EKS cluster.
> eksctl create addon \
--name aws-ebs-csi-driver \
--cluster $CLUSTER_NAME \
--service-account-role-arn $ROLE_ARN \
--force
Step 5: Create Storage Class using EBS CSI Provisioner
Finally, we can configure the storage class using EBS CSI as a provisioner, and also dynamically provision EBS volume using that storage class.
Create a storage class with the following manifest file —
> kubectl create -f https://raw.githubusercontent.com/shamimice03/AWS_EKS-EBS_CSI/main/Demo-storageClass.yaml
Next, create a Persistent Volume Claim (PVC) and mount the PVC as a volume in a pod. Use the following manifest file:
> kubectl create -f https://raw.githubusercontent.com/shamimice03/AWS_EKS-EBS_CSI/main/pvc-pod.yaml
Note: An EBS volume is tied to a single Availability Zone (AZ), so the EBS volume and the worker node where the pod runs must be in the same AZ.
Script
Alternatively, we can use the following script for installing EBS CSI Driver on AWS EKS Cluster.
Prerequisites and Execution process
Before executing the script, AWS-CLI, kubectl, and eksctl must be installed on the system.
# Download the script
> curl https://raw.githubusercontent.com/shamimice03/AWS_EKS-EBS_CSI/main/ebs-csi.sh > ebs-csi-install.sh
# Execute the script
# After execution, you need to provide your cluster Name
> bash ebs-csi-install.sh
Test & Verification
Now, verify that the StorageClass, PVC, and Pods we deployed earlier are functioning as expected.
Congratulations 🎉, you have successfully installed the EBS CSI Driver on your EKS cluster. I tried to explain it as simply as possible. If you found this article helpful, please don't forget to hit the Clap and Follow buttons to help me write more articles like this.
Thank You 🖤
EBS CSI Driver | Amazon EKS was originally published in Towards AWS on Medium, where people are continuing the conversation by highlighting and responding to this story.