aws-load-balancer-controller VS aws-ebs-csi-driver

I thought at the beginning that such certificate would then expire, but I have seen cert-manager is within ALB code https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/config/certmanager/certificate.yaml so that makes me hesitate about it.

Detailed behavior changes can be found in the release notes for version 2.6.0 of the AWS Load Balancer Controller. https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases The key points include:

If you are using Kubernetes, you can enable security groups on your NLB by using AWS Load Balancer controller version 2.6.0 or later. Enabling NLB security groups using the controller enhances the nodes' security, as inbound rules can be simplified by referencing the NLB security groups. It also provides scaling improvements, as the controller keeps a constant number of security group rules per cluster.

I use the AWS Load Balancer Controller: https://github.com/kubernetes-sigs/aws-load-balancer-controller.

You can install the AWS Load Balancer Controller, and then create an "Ingress" when you install your Nginx Ingress controller, possible with some necessary annotations.

aws-load-balancer-controller

Yes. Google's ingress controller talks to the GCP API and spins up an HTTP LB for you. The AWS LB Controller handles provisioning ALB's for you. And ... I guess other clouds exist too but these are the ones I am familiar with.

NLB don't support weighted target groups and for some reason are extremely slow when adding instances o removing them from target groups, which makes deployments a bit meh (old instances and new instances can be receiving traffic at the same time for up to 2 mins)

The AWS EBS CSI Driver relies on IAM permissions to communicate with Amazon EBS for volume management on behalf of the user. The example policy can be used to define the required permissions. Additionally, AWS provides a managed policy at ARN arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy

I looks like the driver's permissions to invoke the EBS APIs was revoked and/or changed. When you install the EBS CSI addon you can either inherit permissions from the worker node or you can choose an IRSA role (preferred). If you use IRSA, the service account that the EBS CSI driver uses should have an annotation that references the ARN of the IAM role you selected, e.g. eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-role. You can see an example of the IAM policy the driver needs here, https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/fb6d456558fb291b13f855454c1525c7acaf7046/docs/example-iam-policy.json.

I'm know it's possible to write terraform code that exhibits that issue, but that's not the case in my experience. I'm using helm to deploy aws's ebs csi driver in the above setup. As you mentioned, if the eks cluster was destroyed before the helm provider attempted to use its API to destroy the helm deployment, it would cause problems. And I don't run into that issue. It's not luck of timing, either - I also have a CI process that deploys all of this, tests, and deletes it all that has succeeded hundreds of times.

Any Kubernetes cluster requires persistent storage - whether organizations choose to begin with an on-premise Kubernetes cluster and migrate to the public cloud, or provision a Kubernetes cluster using a managed service in the cloud. Kubernetes supports multiple types of persistent storage – from object storage (such as Azure Blob storage or Google Cloud Storage), block storage (such as Amazon EBS, Azure Disk, or Google Persistent Disk), or file sharing storage (such as Amazon EFS, Azure Files or Google Cloud Filestore). The fact that each cloud provider has its implementation of persistent storage adds to the complexity of storage management, not to mention a scenario where an organization is provisioning Kubernetes clusters over several cloud providers. To succeed in managing Kubernetes clusters over a long period, knowing which storage type to use for each scenario, requires storage expertise.

Lots of info in this issue: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1163

aws-ebs-csi-driver

Hello, we are running an EKS cluster (1.20) with aws-ebs-csi-driver (1.4.0). After recreating our whole cluster we can observe that the EBS volumes from our PVCs still exist but the "mapping" to the PVCs is gone.

OP could probably just layer their own CSI driver on top of an existing one (a la aws-ebs-csi-driver), but there's still several problems: