Controller does not support Pod Identity #1870

Closed
jicowan opened this issue Dec 14, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

jicowan commented Dec 14, 2023

/kind bug

What happened?
Configured Controller to use Pod Identities rather than IRSAv1

What you expected to happen?
Expect the controller to get credentials from the Pod Identity Agent (DaemonSet)

How to reproduce it (as minimally and precisely as possible)?
Create an IAM role with a Pod Identity trust policy. Assign the AmazonEBSCSIDriver policy to the role. Create an Access Entry for the controller's ServiceAccount that maps to the role.

Anything else we need to know?:
The controller throws an error when trying to get credentials. 169.254.170.23 is the IP address of the credential endpoint for Pod Identities.

E1214 16:38:22.116057       1 driver.go:125] "GRPC error" err=<
	rpc error: code = Internal desc = Could not create volume "pvc-fe9ed2a2-72c3-4c5c-b4a8-fa5c822981b6": could not create volume in EC2: NoCredentialProviders: no valid providers in chain
	caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
	SharedCredsLoad: failed to load profile, .
	CredentialsEndpointError: invalid endpoint host, "169.254.170.23", only loopback hosts are allowed.

Environment

  • Kubernetes version (use kubectl version): EKS 1.27
  • Driver version: v1.25.0-eksbuild.1

k8s-ci-robot added the kind/bug label Dec 14, 2023

@ConnorJC3
Contributor

Hi @jicowan, this is because the current version of the driver (v1.25.0) was released prior to the release of EKS Pod Identities.

The next version of the driver (v1.26.0) is currently undergoing release (started today), and will use an updated AWS SDK with EKS pod identity support. I'll update this issue when the release is completed and it is available.
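
The host check behind the `CredentialsEndpointError` in the report, sketched as an added Go example (not code from the driver or the AWS SDK): it compares a loopback-only rule with one that also accepts the Pod Identity endpoint. Only 169.254.170.23 comes from the issue; the other allow-listed addresses, the HTTPS handling, the sample URIs and the function name `checkEndpoint` are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Non-loopback addresses accepted over plain HTTP by the newer rule.
// Only 169.254.170.23 is named in the issue; the others are assumptions.
var containerEndpoints = []net.IP{
	net.ParseIP("169.254.170.2"),  // ECS task credential endpoint
	net.ParseIP("169.254.170.23"), // EKS Pod Identity Agent, IPv4
	net.ParseIP("fd00:ec2::23"),   // EKS Pod Identity Agent, IPv6
}

// checkEndpoint evaluates a credential endpoint URI against both rules:
// loopbackOnly (the check that failed in this issue) and podIdentityAware.
// Hostnames are rejected to keep the example offline; a real client would
// resolve them and test every returned address.
func checkEndpoint(rawURI string) (loopbackOnly, podIdentityAware bool, err error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return false, false, err
	}
	if u.Scheme == "https" { // assumption: the host rule covers cleartext HTTP only
		return true, true, nil
	}
	ip := net.ParseIP(u.Hostname())
	if u.Scheme != "http" || ip == nil {
		return false, false, fmt.Errorf("unsupported endpoint %q", rawURI)
	}
	loopbackOnly = ip.IsLoopback()
	podIdentityAware = loopbackOnly
	for _, allowed := range containerEndpoints {
		if ip.Equal(allowed) {
			podIdentityAware = true
		}
	}
	return loopbackOnly, podIdentityAware, nil
}

func main() {
	// Constructed sample URIs; paths and the last address are made up.
	for _, uri := range []string{"http://169.254.170.23/v1/credentials", "http://127.0.0.1:8080/creds", "http://169.254.10.10/creds"} {
		lo, pi, err := checkEndpoint(uri)
		fmt.Printf("%-40s loopback-only=%v pod-identity-aware=%v err=%v\n", uri, lo, pi, err)
	}
}
```

The allow-list is exact-match: an arbitrary link-local address is still refused, so the credential request and its authorization token are not sent to hosts outside the known set.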

Member

torredil commented Jan 2, 2024

EBS CSI Driver v1.26.0 has been released and uses an updated AWS SDK with EKS pod identity support.

/close

@k8s-ci-robot
Contributor

@torredil: Closing this issue.

In response to this:

EBS CSI Driver v1.26.0 has been released and uses an updated AWS SDK with EKS pod identity support.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
