-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS CSI driver #10467
AWS CSI driver #10467
Conversation
450370d
to
143a8e7
Compare
0adde02
to
9ae6852
Compare
/retest |
if c.KubeControllerManager == nil || c.KubeControllerManager.ExternalCloudVolumePlugin != "aws" { | ||
if c.CloudConfig == nil || c.CloudConfig.AWSEBSCSIDriver == nil || !fi.BoolValue(c.CloudConfig.AWSEBSCSIDriver.Enabled) { | ||
allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "externalCloudControllerManager"), | ||
"AWS external CCM cannot be used without enabling spec.cloudConfig.AWSEBSCSIDriver or setting spec.kubeControllerManaager.externalCloudVolumePlugin set to `aws`")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if this is needs to be a requirement. Users may have clusters that don't run any persistent volumes, for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The challenge right now is that everyone else need to actively set one of these values to get a working cluster. I think that when we by default enable either using external CCM for AWS and/or external CSI driver we can relax the relax the requirement.
I suspect that the CSI driver will be more popular than the external CCM for the time being anyway. CSI driver does bring in additional features.
Not sure how much we really want to be configurable here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at the helm chart's values file, I don't see any parameters that would be particularly important to expose as api fields for an initial implementation.
I think there are additional IAM permissions needed. The docs mention ec2:CreateSnapshot which neither the control plane nor node roles have, and the ebs-snapshot-controller StatefulSet isn't currently restricted to just the control plane nodes. Perhaps this is a good opportunity to use the UseServiceAccountIAM feature flag functionality.
- --endpoint=$(CSI_ENDPOINT) | ||
- --logtostderr | ||
- --k8s-tag-cluster-id={{ ClusterName }} | ||
- --extra-volume-tags=KubernetesCluster={{ ClusterName }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This flag is deprecated in favor of --extra-tags
:
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/f54138034204850e54c26f67dde3f8217339c09c/cmd/options/controller_options.go#L39-L40
Also we could consider populating this with the standard set of tags we include on resources, including ClusterSpec.CloudLabels
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch.
I like the IRSA concept, and I think strategically we should move in that direction, but is it mature enough to start depending on it now? |
Reading https://github.com/kubernetes-csi/external-snapshotter in more detail, it seems worthy having a dedicated addon for this. Including the snapshotter, CRDs + the webhook admission controller. |
Looking through https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md and the docs of the various plugins, I wonder if for kOps, it makes most sense to:
|
This is more or less done now. Since we need a cert for the admission controller, this now blocked by #10321 |
This is awesome, unfortunately I only found this PR after having set this up myself as well haha. Only comment, would we want to also modify the storage class for this? For this to be usable you need to modify the
I could see that being a follow up PR or a separate flag but just thought I'd mention it. Also an easy time to enable volume expansion by default. |
Updating the provisioner field is forbidden, so we need a new storageclass here. Or force-change the old one. Do you know if changing this really is needed when |
Looks like we should not create a new storage class. And we probably should set the |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I removed the snapshotter out of the PR now, so we shouldn't have any webhooks issues. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few minor comments but looks good overall. We'll want docs for this as well as a release note. Being sure to mention the migration steps involving the feature gates, or just linking to wherever that process is documented.
pkg/model/components/kubelet.go
Outdated
if _, found := clusterSpec.Kubelet.FeatureGates["ExperimentalCriticalPodAnnotation"]; !found { | ||
if b.IsKubernetesLT("1.16") { | ||
clusterSpec.Kubelet.FeatureGates["ExperimentalCriticalPodAnnotation"] = "true" | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is duplicated from Line 210
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching!
/lgtm |
No description provided.