I created an EKS cluster in the AWS console.
The cluster was created in two private subnets, and a NAT gateway is attached to the route tables of those private subnets.
I also created a node group with instance type c5.xlarge, and it reached the Active state.
Then I created the add-ons using custom OIDC provider roles, AWS_VPC_CNI and AWS_EBS_CSI.
The AWS_VPC_CNI add-on went Active, but AWS_EBS_CSI is Degraded with the following error: "The add-on is unhealthy because it doesn't have the desired number of replicas".
For the AWS_VPC_CNI OIDC provider add-on role, I attached the AWS managed policy AmazonEKS_CNI_Policy and the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AccountNumber>:oidc-provider/<OIDC ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<OIDC ID>:aud": "sts.amazonaws.com",
          "<OIDC ID>:sub": "system:serviceaccount:kube-system:aws-node"
        }
      }
    }
  ]
}
Similarly, for the AWS_EBS_CSI role, I attached the AWS managed policy AmazonEBSCSIDriverPolicy and also attached a custom policy, as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:snapshot/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "CreateVolume",
            "CreateSnapshot"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:snapshot/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/CSIVolumeName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVolume"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/CSIVolumeName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVolume"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    }
  ]
}
And I attached the following trust relationship to the AWS_EBS_CSI role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::279649766383:oidc-provider/oidc.eks.ap-south-2.amazonaws.com/id/84F15F13C79758077B521DE9FA0AE8FB"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.ap-south-2.amazonaws.com/id/84F15F13C79758077B521DE9FA0AE8FB:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
          "oidc.eks.ap-south-2.amazonaws.com/id/84F15F13C79758077B521DE9FA0AE8FB:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
I have tried updating the add-on to the latest version and done everything I could think of, but my AWS_EBS_CSI driver add-on is still Degraded.
Please help me resolve the above issue.
The IAM role and its trust relationship look correct. Could you share the pod description and the description of the service account "ebs-csi-controller-sa"?
Otherwise, make sure the OIDC identity provider is attached.
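The answer above asks the reader to re-check the trust relationship, the service account and the OIDC provider. As an added example (not code from either post, nor an AWS tool), the following Python script checks an IRSA trust policy offline against a cluster's OIDC issuer and the service account an add-on runs as: it verifies that some Allow statement names the cluster's provider in Principal.Federated, permits sts:AssumeRoleWithWebIdentity, and pins both `<provider>:sub` to `system:serviceaccount:<namespace>:<name>` and `<provider>:aud` to `sts.amazonaws.com`, honouring StringLike wildcards. The sample trust policy is the AWS_EBS_CSI one quoted in the question; the issuer URL is an assumption derived from its provider ARN, and the aws/kubectl commands named in the docstring are real commands the script does not itself run.

```python
"""
Offline sanity check of an IRSA trust policy against a cluster's OIDC issuer
and the Kubernetes service account an EKS add-on runs as.

Added example for this thread; not code from either poster or from AWS.
Sample inputs are constructed: the trust policy is the AWS_EBS_CSI one from
the question, the issuer URL is assumed from its provider ARN. In practice,
feed it the output of
  aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument
  aws eks describe-cluster --name <cluster> --query cluster.identity.oidc.issuer
It cannot tell you whether the IAM OIDC provider itself exists or whether the
service account carries the eks.amazonaws.com/role-arn annotation; check those
with `aws iam list-open-id-connect-providers` and `kubectl describe sa`.
"""
import fnmatch
import json

# Constructed sample: issuer assumed from the provider ARN in the question.
SAMPLE_ISSUER = ("https://oidc.eks.ap-south-2.amazonaws.com/id/"
                 "84F15F13C79758077B521DE9FA0AE8FB")
_PROVIDER = "oidc.eks.ap-south-2.amazonaws.com/id/84F15F13C79758077B521DE9FA0AE8FB"
# Constructed sample: the AWS_EBS_CSI trust relationship quoted in the question.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::279649766383:oidc-provider/" + _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            _PROVIDER + ":sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
            _PROVIDER + ":aud": "sts.amazonaws.com",
        }},
    }],
})


def _as_list(value):
    """IAM accepts a single string/object or a list in most of these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(op, candidates, wanted):
    """Does any condition value cover `wanted` under StringEquals/StringLike?"""
    if op.endswith("StringLike"):  # also ForAnyValue:StringLike etc.
        return any(fnmatch.fnmatchcase(wanted, c) for c in candidates)
    return wanted in candidates


def _reject_reason(statement, provider, expected_sub):
    """Why this statement does NOT let expected_sub assume the role, or None."""
    if statement.get("Effect") != "Allow":
        return "Effect is not Allow"
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(statement.get("Action")):
        return "does not allow sts:AssumeRoleWithWebIdentity"
    feds = _as_list(statement.get("Principal", {}).get("Federated"))
    if not any(f.lower().endswith(":oidc-provider/" + provider) for f in feds):
        return f"Principal.Federated {feds} is not the cluster's OIDC provider {provider}"
    sub_ok = aud_ok = False
    seen_sub = []
    for op, pairs in statement.get("Condition", {}).items():
        if not op.endswith(("StringEquals", "StringLike")):
            # StringNotEquals, IgnoreCase, etc. on the provider keys: don't guess.
            if any(k.lower().startswith(provider + ":") for k in pairs):
                return f"unsupported condition operator {op} on provider keys"
            continue
        for key, val in pairs.items():  # IAM condition keys are case-insensitive
            values = _as_list(val)
            if key.lower() == provider + ":sub":
                seen_sub += values
                sub_ok = sub_ok or _matches(op, values, expected_sub)
            elif key.lower() == provider + ":aud":
                aud_ok = aud_ok or _matches(op, values, "sts.amazonaws.com")
    if not sub_ok:
        return f"{provider}:sub condition {seen_sub or '(absent)'} does not cover {expected_sub}"
    if not aud_ok:
        return f"{provider}:aud is not pinned to sts.amazonaws.com"
    return None


def irsa_trust_problems(trust_policy, issuer_url, namespace, sa_name):
    """Return [] if some Allow statement lets system:serviceaccount:<ns>:<sa>
    assume the role through the cluster's OIDC provider with sub and aud
    pinned; otherwise one reason per statement saying why it does not."""
    provider = issuer_url.split("://", 1)[-1].rstrip("/").lower()
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    statements = _as_list(json.loads(trust_policy).get("Statement"))
    reasons = []
    for i, st in enumerate(statements):
        why = _reject_reason(st, provider, expected_sub)
        if why is None:
            return []
        reasons.append(f"statement {i}: {why}")
    return reasons or ["trust policy has no Statement"]


if __name__ == "__main__":
    for sa in ("ebs-csi-controller-sa", "aws-node"):
        print(sa, irsa_trust_problems(SAMPLE_TRUST_POLICY, SAMPLE_ISSUER, "kube-system", sa) or "OK")
```

For the policy in the question the check passes for `ebs-csi-controller-sa` and, as expected, fails for `aws-node`, which confirms the answer's reading that the trust relationship itself is fine and the remaining suspects are the OIDC provider registration in IAM and the service account annotation.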