aws-efs-csi-driver
amazon-eks-pod-identity-webhook
| | aws-efs-csi-driver | amazon-eks-pod-identity-webhook |
|---|---|---|
| Mentions | 11 | 8 |
| Stars | 683 | 582 |
| Growth | 0.4% | 0.7% |
| Activity | 8.5 | 6.8 |
| Last commit | 4 days ago | 13 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
aws-efs-csi-driver
- Implementing AWS EKS with EFS for dynamic volume provisioning using Terraform. Kubernetes Series - Episode 5
  In the past I was having problems with GID allocator, something related to this problem.
- AWS EFS CSI: Mount Target vs Access Point
  However, the docs (https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/dynamic_provisioning/README.md) are telling me to create EFS Mount Targets in the EKS subnets. That's fine.
- EKS Fargate supports additional Ephemeral Storage
  Fargate storage: A Pod running on Fargate automatically mounts an Amazon EFS file system. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. For more information, see Amazon EFS CSI Driver on GitHub.
- EFS CSI - Dynamic Provisioning and Disaster Recovery?
  I guess something like this might go a long way to solve the problem https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/640 ? Though I see it isn't merged yet
- Mounting EFS in EKS cluster: example deployment fails
  I am currently trying to create an EFS for use within an EKS cluster. I've followed all the instructions, and everything seems to be working for the most part. However, when trying to apply the multiple_pods example deployment from here, the pods cannot successfully mount the file system. The PV and PVC are both bound and look good, however the pods do not start and yield the following error message:
- How can 2 deployments using aws-efs-csi-provider share data on the same mount?
  In each namespace, create a PV/PVC using the same fixed volume path. See "Volume Path in EKS CSI Driver". To make this work however, you MUST pre-create this volume path in your EFS (I usually just have an EC2 instance with it mounted to work on). From the docs above "Note: this feature requires the sub directory to mount precreated on EFS before consuming the volume from"
- Confused about kubernetes storage
- Confused about EKS gp2 default storage class - can I use it or not?

  ```hcl
  resource "aws_iam_policy" "eks_efs_csi_driver_policy" {
    # https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
    policy = file("./6.AWSEFSpolicy.json")
    name   = "aws-efs-csi-policy"
  }
  ```
- How is a PersistentVolumeClaim consistent?
- EKS IAM Deep Dive
  efs - IAM Policy for AWS EFS CSI Driver.
amazon-eks-pod-identity-webhook
- Grant Kubernetes Pods Access to AWS Services Using OpenID Connect
  It's not specific to EKS, you can find the underlying webhook that injects the "identity" here: https://github.com/aws/amazon-eks-pod-identity-webhook
  You have to jump through much of the same hoops you describe, having a public `.well-known` endpoint for example. I have achieved this in the past by putting the OIDC discovery information in an S3 bucket.
- k3s on AWS, does it make sense?
  You can install the pod identity webhook and AWS cloud provider, csi provider etc on a bare kube cluster and get pretty close to the EKS experience. Not something I’d do for prod, but interesting as a learning exercise.
- IAM roles for pods in external k8s cluster
  Yes you absolutely can. https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md
- Unable to read token file, permission denied
  Is your pod running as an unprivileged user? Sounds like https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8 to me.
- Zero-configuration IRSA on kOps
  On EKS, the pod identity webhook is commonly used as the mechanism for adding the necessary parts of the Pod spec. This webhook looks for ServiceAccounts with a specific set of annotations telling it what ARN it can assume and various other settings. When a Pod is created that uses one of these ServiceAccounts, the webhook mutates the Pod using information found in the ServiceAccount annotations.
- Using IAM Roles for ServiceAccounts on kOps
  If you prefer, you could create ServiceAccounts with these details and use the EKS identity webhook, but I don't see kOps supporting that webhook as a native addon.
- [AWS-EFS][IAM] AWS EFS CSI instructions say to use a service account w/ IAM role association, but is it possible with KIAM instead?
  The Amazon EKS Pod Identity Webhook on the cluster watches for pods that are associated with service accounts with this special annotation & injects Web Identity Token credentials into the pod as environment variables (technical details here).
- Understanding AWS K8s architecture using EC2
  I don’t know how kOps manages IAM creds for pods these days, but you can use this (my recommendation) https://github.com/aws/amazon-eks-pod-identity-webhook, or something like KIAM or kube2iam
What are some alternatives?
ceph-csi - CSI driver for Ceph
kiam - Integrate AWS IAM with Kubernetes
vault-csi-provider - HashiCorp Vault Provider for Secret Store CSI Driver
external-dns - Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
aws-ebs-csi-driver - CSI driver for Amazon EBS https://aws.amazon.com/ebs/
amazon-eks-ami - Packer configuration for building a custom EKS AMI
aws-sdk-go - AWS SDK for the Go programming language.
secrets-store-csi-driver-provider-gcp - Google Secret Manager provider for the Secret Store CSI Driver.
aws-load-balancer-controller - A Kubernetes controller for Elastic Load Balancers
amazon-cloudwatch-agent - CloudWatch Agent enables you to collect and export host-level metrics and logs on instances running Linux or Windows server.
aws-iam-authenticator - A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster