使用 terraform 创建的 EKS 集群。我正在使用 terraform-aws-modules/eks/aws 模块。当把 aws-ebs-csi-driver 指定为集群附加组件(cluster add-on)时,我得到以下错误:
# Add-on map from the question. Note that the aws-ebs-csi-driver entry carries
# no service_account_role_arn; the error reported on this page shows the
# UpdateAddon call being sent with an empty ServiceAccountRoleArn, and the
# answers below resolve it by creating an IRSA role and setting that attribute.
cluster_addons = {
  coredns = {
    addon_version     = "v1.8.7-eksbuild.3"
    resolve_conflicts = "OVERWRITE"
  }
  kube-proxy = {
    addon_version     = "v1.24.7-eksbuild.2"
    resolve_conflicts = "OVERWRITE"
  }
  vpc-cni = {
    addon_version     = "v1.12.0-eksbuild.1"
    resolve_conflicts = "OVERWRITE"
  }
  aws-ebs-csi-driver = {
    addon_version     = "v1.13.0-eksbuild.2"
    resolve_conflicts = "PRESERVE"
  }
}
aws_eks_addon.this["aws-ebs-csi-driver"]: Modifying... [id=it-tooling-eks-8fmuw5:aws-ebs-csi-driver]
╷
│ Error: error updating EKS Add-On (it-tooling-eks-8fmuw5:aws-ebs-csi-driver): InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 1, UpdateAddonInput.ServiceAccountRoleArn.
弗里德里希的回答是正确的。这是我的,但没有 terragrunt:
# Namespace and name of the EBS CSI controller's Kubernetes service account.
# The IRSA role's trust policy is scoped to exactly this pair, so changing
# either value here must be mirrored in the add-on's service account.
locals {
  ebs_csi_service_account_name      = "ebs-csi-controller-sa"
  ebs_csi_service_account_namespace = "kube-system"
}
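# IRSA role for the EBS CSI controller: trusts the cluster's OIDC provider and
# is restricted to one Kubernetes service account through the token's `sub`
# claim. `provider_url` is the issuer host without the https:// scheme.
module "ebs_csi_controller_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "5.11.1"

  create_role = true
  role_name   = "${var.cluster_name}-ebs-csi-controller"

  provider_url     = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  role_policy_arns = [aws_iam_policy.ebs_csi_controller.arn]

  # Pin the audience as well as the subject (the terragrunt variant on this
  # page does the same). The projected service-account token EKS mounts is
  # issued for sts.amazonaws.com; checking `aud` keeps a token minted for some
  # other consumer of the same issuer from assuming this role.
  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
  oidc_fully_qualified_subjects  = ["system:serviceaccount:${local.ebs_csi_service_account_namespace}:${local.ebs_csi_service_account_name}"]
}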
# Customer-managed policy attached to the controller role. The statement JSON
# is kept in policies/ebs_csi_controller_iam_policy.json beside this module;
# name_prefix lets Terraform replace the policy without a name collision.
resource "aws_iam_policy" "ebs_csi_controller" {
  description = "EKS ebs-csi-controller policy for cluster ${var.cluster_name}"
  name_prefix = "ebs-csi-controller"
  policy      = file("${path.module}/policies/ebs_csi_controller_iam_policy.json")
}
对于 EKS 模块:
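# EKS cluster with a private-only API endpoint, IRSA enabled and the managed
# add-ons pinned to explicit versions.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.0.4"

  cluster_name    = var.cluster_name
  cluster_version = "1.24"

  vpc_id                   = var.vpc_id
  subnet_ids               = var.private_subnets
  control_plane_subnet_ids = var.intra_subnets

  # API server reachable only from inside the VPC; no public endpoint.
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  # Creates the IAM OIDC provider that the IRSA role module trusts.
  enable_irsa = true

  cluster_addons = {
    kube-proxy = {
      addon_version     = "v1.24.7-eksbuild.2"
      resolve_conflicts = "PRESERVE"
    }
    vpc-cni = {
      addon_version     = "v1.11.4-eksbuild.1"
      resolve_conflicts = "PRESERVE"
    }
    coredns = {
      addon_version = "v1.8.7-eksbuild.3"
      configuration_values = jsonencode({
        computeType = "Fargate"
      })
      resolve_conflicts = "PRESERVE"
    }
    aws-ebs-csi-driver = {
      # Take the ARN from the role module's output instead of assembling it by
      # hand: this gives Terraform an explicit dependency, so the role and its
      # trust policy exist before the add-on is created or updated, and it
      # drops the data.aws_caller_identity lookup the original string relied
      # on but this snippet never declared.
      service_account_role_arn = module.ebs_csi_controller_role.iam_role_arn
    }
  }
}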
要使 EBS CSI 驱动程序正常工作,您需要两个部分:
对于驱动程序的安装,有 Helm chart 和 EKS 附加组件(add-on)两种方式;附加组件的设置要容易得多。
terraform-aws-modules 组织提供了现成的 terraform 模块,使其非常易于设置。
该iam-role-for-service-accounts-eks
模块将以非常干净的方式完全按照您的需要配置 IAM 角色。
设置角色后,您只需将 ARN 传递给附加组件即可。
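# IRSA role for the EBS CSI controller using the purpose-built submodule, which
# attaches the AWS-managed EBS CSI policy and builds the OIDC trust policy from
# the cluster's provider ARN and the listed namespace:service-account pairs.
module "ebs_csi_irsa_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  # Pin the module version. The EKS module below is pinned but this one was
  # not, so every `terraform init` would resolve to the newest registry
  # release — a reproducibility and supply-chain risk. 5.11.x is the same
  # release line the other answer on this page uses for this module.
  version = "~> 5.11"

  role_name              = "${var.cluster_name}-ebs-csi"
  attach_ebs_csi_policy  = true

  oidc_providers = {
    ex = {
      provider_arn               = module.eks.oidc_provider_arn
      # Only this service account may assume the role.
      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
    }
  }
}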
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "v19.10.0"

  cluster_name = var.cluster_name
  ...
  cluster_addons = {
    aws-ebs-csi-driver = {
      # Taken from the IRSA module output, so Terraform creates the role (and
      # its trust policy) before the add-on.
      service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
      # NOTE(review): most_recent resolves to whatever add-on version AWS
      # reports as newest at plan time, so a later apply can upgrade the driver
      # without a code change. The other snippets on this page pin
      # addon_version instead; prefer that for reviewed, reproducible rollouts.
      most_recent = true
    }
  }
}
简短的回答是使用这个:
# Minimal fix for the question: give the add-on an IAM role to assume via IRSA.
cluster_addons = {
  aws-ebs-csi-driver = {
    # 123456789012 is a placeholder account id; substitute the ARN of the role
    # defined below. That role's trust policy must name the
    # kube-system:ebs-csi-controller-sa subject (see oidc_fully_qualified_subjects).
    service_account_role_arn = "arn:aws:iam::123456789012:role/amazon-eks-ebs-csi-driver-role-8fmuw5"
    addon_version            = "v1.13.0-eksbuild.2"
    resolve_conflicts        = "PRESERVE"
  }
}
您需要角色和相关策略才能正常工作。我包括 terragrunt 脚本(terragrunt=使用 terraform 模块的 terraform 包装器),希望这对某人有帮助。
角色
terraform {
  # Vendored terraform-aws-iam OIDC role module, resolved relative to the
  # parent terragrunt directory; the `//` marks the module subdirectory.
  source = "${dirname(get_parent_terragrunt_dir())}/..//modules/terraform-aws-iam/modules/iam-assumable-role-with-oidc"
}
# Pull in the root terragrunt.hcl (remote state, provider generation, ...).
include {
  path = find_in_parent_folders()
}
# Run-order hints for `run-all`. The same four paths are declared again as
# `dependency` blocks below (whose outputs are consumed in `inputs`), so this
# list appears redundant with them — harmless, but keep both in sync.
dependencies {
  paths = [
    "../../../../once-per-account/policies/ebs-csi-driver-policy",
    "../../../../once-per-account/policies/ebs-csi-kms-encryption-policy",
    "../../random-string-env",
    "../../eks"
  ]
}
# Account-wide EC2 permissions for the driver (policy JSON shown further down).
dependency "ebs-csi-driver-policy" {
  config_path = "../../../../once-per-account/policies/ebs-csi-driver-policy"
}
# KMS permissions needed for encrypted volumes; its body is not on this page.
dependency "ebs-csi-kms-encryption-policy" {
  config_path = "../../../../once-per-account/policies/ebs-csi-kms-encryption-policy"
}
# Per-environment suffix used to make the role name unique.
dependency "random-string" {
  config_path = "../../random-string-env"
}
# Source of the cluster's OIDC issuer URL.
dependency "eks" {
  config_path = "../../eks"
}
inputs = {
  create_role = true
  # NOTE(review): MFA is not meaningful for a role assumed with a web-identity
  # token; confirm this input is consumed by the OIDC module at all, or drop it.
  role_requires_mfa = false
  role_name = "amazon-eks-ebs-csi-driver-role-${dependency.random-string.outputs.random_suffix}"
  tags = {
    Role = "amazon-eks-ebs-csi-driver-role-${dependency.random-string.outputs.random_suffix}"
  }
  # Cluster OIDC issuer the trust policy is built from.
  provider_url = dependency.eks.outputs.cluster_oidc_issuer_url
  # EC2 permissions plus the KMS grant/encrypt permissions for encrypted volumes.
  role_policy_arns = [dependency.ebs-csi-driver-policy.outputs.arn,dependency.ebs-csi-kms-encryption-policy.outputs.arn]
  # Trust policy checks both `aud` and `sub`: only the token EKS projects for
  # the ebs-csi-controller-sa service account in kube-system can assume the
  # role; tokens for any other service account on the same issuer are refused.
  oidc_fully_qualified_audiences = [ "sts.amazonaws.com" ]
  oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
}
政策
terraform {
  # Vendored terraform-aws-iam `iam-policy` module, located relative to the
  # parent terragrunt directory; `//` marks the module subdirectory.
  source = "${dirname(get_parent_terragrunt_dir())}/..//modules/terraform-aws-iam/modules/iam-policy"
}
# Pull in the root terragrunt.hcl (remote state, provider generation, ...).
include {
  path = find_in_parent_folders()
}
inputs = {
  name = "AmazonEBSCSIDriverPolicyNew"
  # Customer-managed copy of the EC2 permissions the EBS CSI controller needs.
  # The JSON cannot carry comments, so the review notes live here:
  #  - CreateSnapshot, AttachVolume, DetachVolume, ModifyVolume and the
  #    Describe* calls are granted on Resource "*": the role can attach or
  #    detach any volume in the account to any instance, not only this
  #    cluster's. The tag conditions below narrow only Create*/Delete*/CreateTags.
  #  - CreateVolume is allowed only when the request carries one of the
  #    driver's own tags (ebs.csi.aws.com/cluster, CSIVolumeName or
  #    kubernetes.io/cluster/*), and DeleteVolume / DeleteSnapshot only when
  #    the target already carries them, so the role cannot delete volumes or
  #    snapshots it did not create.
  #  - CreateTags is limited to the CreateVolume/CreateSnapshot call that
  #    creates the resource; DeleteTags on volumes/snapshots is not conditioned.
  #  - No KMS statements here; encrypted volumes depend on the separate
  #    ebs-csi-kms-encryption-policy attached by the role config above.
  # NOTE(review): this appears to mirror AWS's managed
  # service-role/AmazonEBSCSIDriverPolicy (the policy attach_ebs_csi_policy
  # uses in the other answer). Using the managed policy avoids drifting from
  # the driver's requirements as new releases need more actions — verify
  # against the current managed policy before relying on this copy.
  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/kubernetes.io/cluster/*": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
}
}
]
}
EOF
}