Cannot get efs-csi-node to Assume Role #746
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Ping, this is still an issue with 1.5.4.
/reopen
@sinkr: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Seeing the same on v1.5.6
Same on v1.5.7
As a workaround I think you can specify the iam mount_option flag on the storageClass or the PV. That seemed to resolve it for me. I set a file system policy and it started failing bc it was coming in as anonymous.
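A way to check a cluster for the workaround described in the comment above, as an added example that is not code from this thread or from the driver project: it reads `kubectl get storageclass,pv -o json` output and lists EFS CSI StorageClasses and PersistentVolumes whose mount options lack `iam`. The function name and the sample manifests are constructed for illustration.

```python
import json

EFS_DRIVER = "efs.csi.aws.com"


def efs_objects_without_iam(kubectl_json: str) -> list[str]:
    """Return 'Kind/name' for each EFS StorageClass or PV lacking the iam mount option."""
    doc = json.loads(kubectl_json)
    # kubectl wraps multiple objects in a List; a single object comes back bare.
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        kind = obj.get("kind")
        if kind == "StorageClass":
            driver = obj.get("provisioner")
            options = obj.get("mountOptions") or []
        elif kind == "PersistentVolume":
            spec = obj.get("spec", {})
            driver = (spec.get("csi") or {}).get("driver")
            options = spec.get("mountOptions") or []
        else:
            continue
        if driver != EFS_DRIVER:
            continue  # other CSI drivers are out of scope for this check
        # Options may be listed one per entry or comma-joined in a single entry.
        flat = {o.strip() for entry in options for o in entry.split(",")}
        if "iam" not in flat:
            findings.append(f"{kind}/{obj['metadata']['name']}")
    return findings


# Constructed sample, shaped like `kubectl get storageclass,pv -o json` output.
SAMPLE = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"kind": "StorageClass", "metadata": {"name": "efs-no-iam"},
         "provisioner": EFS_DRIVER, "mountOptions": ["tls"]},
        {"kind": "StorageClass", "metadata": {"name": "efs-iam"},
         "provisioner": EFS_DRIVER, "mountOptions": ["tls", "iam"]},
        {"kind": "PersistentVolume", "metadata": {"name": "static-efs"},
         "spec": {"csi": {"driver": EFS_DRIVER, "volumeHandle": "fs-EXAMPLE"}}},
        {"kind": "PersistentVolume", "metadata": {"name": "ebs-vol"},
         "spec": {"csi": {"driver": "ebs.csi.aws.com"}, "mountOptions": ["noatime"]}},
    ]})

if __name__ == "__main__":
    for name in efs_objects_without_iam(SAMPLE):
        print("missing iam mount option:", name)
```

A clean result only shows the option is configured; as the next comment reports, the principal actually recorded for the mount still has to be confirmed in CloudTrail.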
Hello, I have added the iam option. Creating the pvc and mounting the volume in my pod is successful. But a closer look at aws organisation trail reveals the problems. The access is anonymous. Here is an example:
My StorageClass seems to be set up correctly:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/kind bug
What happened?
Hello, thanks for your help in advance!
Chart 2.2.7 (I have also tried chart 2.1.5 to no avail):
efs-csi-controller, according to CloudWatch, correctly assumes the EFS role using the prescribed policy in the documentation here and creates an access point, however, efs-csi-node with the same annotation will not assume the role.
When I exec into an efs-csi-node pod, install awscli and perform aws sts get-caller-identity, the assumed role is correct.
The annotation is set correctly on the DaemonSet's annotation, and the AWS_ROLE_ARN environment variable is correctly set, however, while I see efs-csi-controller correctly assuming the role for activities such as CreateAccessPoint, anything coming from efs-csi-node comes across as ANONYMOUS_PRINCIPAL.
What you expected to happen?
I expect efs-csi-node to assume the EFS-specific role using the prescribed policy in the documentation just like efs-csi-controller correctly does, per the annotation in the SA + what is shown on the pod under AWS_ROLE_ARN.
How to reproduce it (as minimally and precisely as possible)?
elasticfilesystem activity in the last minute (see that efs-csi-controller correctly assumes the EFS role and that efs-csi-node comes across as ANONYMOUS_PRINCIPAL).
Anything else we need to know?:
efs-csi-controller correctly assumes the role, but efs-csi-node does not attempt to assume the role, issues no error, even at logLevel 9, instead attempting to mount EFS via ANONYMOUS_PRINCIPAL.
Environment
Kubernetes version (use kubectl version): EKS 1.22
Driver version: 1.4.0