Amazon Elastic Block Store (EBS) CSI driver

Overview

The Amazon Elastic Block Store Container Storage Interface (CSI) Driver provides a CSI interface used by Container Orchestrators to manage the lifecycle of Amazon EBS volumes.

CSI Specification Compatibility Matrix

Features

The following CSI gRPC calls are implemented:

• Controller Service: CreateVolume, DeleteVolume, ControllerPublishVolume, ControllerUnpublishVolume, ControllerGetCapabilities, ValidateVolumeCapabilities, CreateSnapshot, DeleteSnapshot, ListSnapshots
• Node Service: NodeStageVolume, NodeUnstageVolume, NodePublishVolume, NodeUnpublishVolume, NodeGetCapabilities, NodeGetInfo
• Identity Service: GetPluginInfo, GetPluginCapabilities, Probe

CreateVolume Parameters

There are several optional parameters that could be passed into CreateVolumeRequest.parameters map, these parameters can be configured in StorageClass, see example:

Notes:

• gp3 is currently not supported on outposts. Outpost customers need to use a different type for their volumes.
• Unless explicitly noted, all parameters are case insensitive (e.g. "kmsKeyId", "kmskeyid" and any other combination of upper/lowercase characters can be used).

Tagging

To help manage volumes in the aws account, CSI driver will automatically add tags to the volumes it manages.

Driver Options

There are couple driver options that can be passed as arguments when starting driver container.

EBS CSI Driver on Kubernetes

Following sections are Kubernetes specific. If you are Kubernetes user, use followings for driver features, installation steps and examples.

Kubernetes Version Compatibility Matrix

Note: for the entry with + sign, it means the driver's default released manifest doesn't work with corresponding Kubernetes version, but the driver container image is compatiable with the Kubernetes version if an older version's manifest is used.

Container Images:

Note: If your cluster isn't in the us-west-2 Region, please change 602401143452.dkr.ecr.us-west-2.amazonaws.com to the address that corresponds to your Region.

Features

• Static Provisioning - create a new or migrating existing EBS volumes, then create persistence volume (PV) from the EBS volume and consume the PV from container using persistence volume claim (PVC).
• Dynamic Provisioning - uses persistence volume claim (PVC) to request the Kuberenetes to create the EBS volume on behalf of user and consumes the volume from inside container. Storage class's allowedTopologies could be used to restrict which AZ the volume should be provisioned in. The topology key should be topology.ebs.csi.aws.com/zone.
• Mount Option - mount options could be specified in persistence volume (PV) to define how the volume should be mounted.
• NVMe - consume NVMe EBS volume from EC2 Nitro instance.
• Block Volume - consumes the EBS volume as a raw block device for latency sensitive application eg. MySql. The corresponding CSI feature (CSIBlockVolume) is GA since Kubernetes 1.18.
• Volume Snapshot - creating volume snapshots and restore volume from snapshot. The corresponding CSI feature (VolumeSnapshotDataSource) is beta since Kubernetes 1.17.
• Volume Resizing - expand the volume size. The corresponding CSI feature (ExpandCSIVolumes) is beta since Kubernetes 1.16.

Prerequisites

• If you are managing EBS volumes using static provisioning, get yourself familiar with EBS volume.
• Get yourself familiar with how to setup Kubernetes on AWS and have a working Kubernetes cluster:
  • Enable flag --allow-privileged=true for kubelet and kube-apiserver
  • Enable kube-apiserver feature gates --feature-gates=CSINodeInfo=true,CSIDriverRegistry=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true
  • Enable kubelet feature gates --feature-gates=CSINodeInfo=true,CSIDriverRegistry=true,CSIBlockVolume=true
• If you intend to use the csi-snapshotter functionality you will need to first install the CSI Snapshotter

Installation

Set up driver permission

The driver requires IAM permission to talk to Amazon EBS to manage the volume on user's behalf. The example policy here defines these permissions. There are several methods to grant the driver IAM permission:

• Using IAM instance profile - attach the policy to the instance profile IAM role and turn on access to instance metadata for the instance(s) on which the driver Deployment will run
• EKS only: Using IAM roles for ServiceAccounts - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via helm is determined by value controller.serviceAccount.name, ebs-csi-controller-sa by default
• Using secret object - create an IAM user, attach the policy to it, put that user's credentials in secret manifest, then deploy the secret

curl https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/deploy/kubernetes/secret.yaml > secret.yaml
# Edit the secret with user credentials
kubectl apply -f secret.yaml

Config node toleration settings

By default, driver tolerates taint CriticalAddonsOnly and has tolerationSeconds configured as 300, to deploy the driver on all nodes, please set helm Value.node.tolerateAllTaints to true before deployment

Deploy driver

Please see the compatibility matrix above before you deploy the driver

To deploy the CSI driver:

kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.4"

Verify driver is running:

kubectl get pods -n kube-system

Alternatively, you could also install the driver using helm:

Add the aws-ebs-csi-driver Helm repository:

helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
helm repo update

Then install a release of the driver using the chart

helm upgrade --install aws-ebs-csi-driver \
    --namespace kube-system \
    aws-ebs-csi-driver/aws-ebs-csi-driver

Upgrading from version 1.X to 2.X of the helm chart

Version 2.0.0 remove support for helm v2 and now requires helm v3 or above

The CSI Snapshotter controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.

The following deprecated values have been removed, and you should now use their counterparts under the controller and node maps which have been available since chart version 1.1.0

• affinity
• extraCreateMetadata
• extraVolumeTags
• k8sTagClusterId
• nodeSelector
• podAnnotations
• priorityClassName
• region
• replicaCount
• resources
• tolerations
• topologySpreadConstraints
• volumeAttachLimit

The values under serviceAccount.controller have been relocated to controller.serviceAccountThe values under serviceAccount.node have been relocated to node.serviceAccount

The following sidecars values have been reorganized from

sidecars:
  provisionerImage:
  attacherImage:
  snapshotterImage:
  livenessProbeImage:
  resizerImage:
  nodeDriverRegistrarImage:

to

sidecars:
  provisioner:
    image:
  attacher:
    image:
  snapshotter:
    image:
  livenessProbe:
    image:
  resizer:
    image:
  nodeDriverRegistrar:
    image:

With the above reorganization controller.containerResources, controller.env, node.containerResources, and node.env were also moved into the sidecars structure as follows

sidecars:
  provisioner:
    env: []
    resources: {}
  attacher:
    env: []
    resources: {}
  snapshotter:
    env: []
    resources: {}
  livenessProbe:
    resources: {}
  resizer:
    env: []
    resources: {}
  nodeDriverRegistrar:
    env: []
    resources: {}

Deploy driver with debug mode

To view driver debug logs, run the CSI driver with -v=5 command line option

To enable aws sdk debug logs, run the CSI driver with --aws-sdk-debug-log=true command line option.

Examples

Make sure you follow the Prerequisites before the examples:

• Dynamic Provisioning
• Block Volume
• Volume Snapshot
• Configure StorageClass
• Volume Resizing

Migrating from in-tree EBS plugin

Starting from Kubernetes 1.17, CSI migration is supported as beta feature (alpha since 1.14). If you have persistent volumes that are created with in-tree kubernetes.io/aws-ebs plugin, you can migrate to use EBS CSI driver. To turn on the migration, set CSIMigration and CSIMigrationAWS feature gates to true for kube-controller-manager. Then drain Nodes and set the same feature gates to true for kubelet.

To make sure dynamically provisioned EBS volumes have all tags that the in-tree volume plugin used:

• Run the external-provisioner sidecar with --extra-create-metadata=true cmdline option. The helm chart sets this option true by default.
• Run the CSI driver with --k8s-tag-cluster-id=<ID of the Kubernetes cluster> command line option.

To make sure that the CSI driver has permission to Attach, Detach, and Delete volumes that were dynamically provisioned and tagged by the in-tree plugin prior to migration being turned on, the IAM policy has to grant permission to operate on volumes with tag kubernetes.io/cluster/<ID of the Kubernetes cluster>": "owned" like in the example policy.

Warning:

• kubelet must be drained of all pods with mounted EBS volumes before changing its CSI migration feature flags. Failure to do this will cause deleted pods to get stuck in Terminating, requiring a forced delete which can cause filesystem corruption. See #679 for more details.

Development

Please go through CSI Spec and General CSI driver development guideline to get some basic understanding of CSI driver before you start.

Requirements

• Golang 1.15.+
• Ginkgo in your PATH for integration testing and end-to-end testing
• Docker 17.05+ for releasing

Dependency

Dependencies are managed through go module. To build the project, first turn on go mod using export GO111MODULE=on, then build the project using: make

Testing

• To execute all unit tests, run: make test
• To execute sanity test run: make test-sanity
• To execute integration tests, run: make test-integration
• To execute e2e tests, run: make test-e2e-single-az and make test-e2e-multi-az

Release Process

Please see Release Process.

Notes:

• Sanity tests make sure the driver complies with the CSI specification
• EC2 instance is required to run integration test, since it is exercising the actual flow of creating EBS volume, attaching it and read/write on the disk. See Integration Testing for more details.
• E2E tests exercises various driver functionalities in Kubernetes cluster. See E2E Testing for more details.

Helm and manifests

The helm chart for this project is in the charts/aws-ebs-csi-driver directory. The manifests for this project are in the deploy/kubernetes directory. All of the manifests except kustomize patches are generated by running helm template. This keeps the helm chart and the manifests in sync.

When updating the helm chart:

• Generate manifests: make generate-kustomize
• There are values files in deploy/kubernetes/values used for generating some of the manifests
• When adding a new resource template to the helm chart please update the generate-kustomize make target, the deploy/kubernetes/values files, and the appropriate kustomization.yaml file(s).

Milestone

Milestones page