Installing the EBS storage plugin (aws-ebs-csi-driver) on AWS EKS

1. Create the EKS OIDC provider (skip if it already exists). Note: replace the variables manually.

OIDC_PROVIDER=$(aws eks describe-cluster --name aws-middleware-production-eks --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

# Note: openssl x509 reads only the first certificate in the chain (the server's leaf certificate),
# whereas the AWS documentation computes the thumbprint of the root CA certificate.
aws iam create-open-id-connect-provider \
  --url $OIDC_PROVIDER \
  --client-id-list sts.amazonaws.com \
  --thumbprint-list $(openssl s_client -showcerts -connect ${OIDC_PROVIDER}:443 </dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d'=' -f2 | sed 's/://g')

2. Create the IAM role and attach the policy. Note: replace the variables manually.

Save the following trust policy as trust.json (the sub condition pins the role to the CSI controller's service account only):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
        }
      }
    }
  ]
}

# Create the role
aws iam create-role --role-name ebs-csi-controller-role --assume-role-policy-document file://trust.json

# Attach the permissions policy
aws iam attach-role-policy \
  --role-name ebs-csi-controller-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy

3. Bind the IAM role to the CSI ServiceAccount. Note: replace the variables manually.

kubectl annotate serviceaccount ebs-csi-controller-sa -n kube-system \
  eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/ebs-csi-controller-role

4. Deploy the EBS add-on. Note: replace the EKS cluster name manually.

# Passing --service-account-role-arn <role ARN> here lets the add-on create the service account
# with the IRSA annotation already set; otherwise annotate it afterwards as in step 5.
aws eks create-addon \
  --cluster-name Middleware-Production \
  --addon-name aws-ebs-csi-driver \
  --resolve-conflicts OVERWRITE

5. Apply the IRSA annotation again, then restart. Note: replace the account ID manually.

kubectl annotate sa ebs-csi-controller-sa -n kube-system \
  eks.amazonaws.com/role-arn=arn:aws:iam::254606715187:role/ebs-csi-controller-role \
  --overwrite


kubectl rollout restart deployment ebs-csi-controller -n kube-system

6. Verify: the annotation exists and the pod has the IRSA environment variables loaded.

kubectl get sa ebs-csi-controller-sa -n kube-system -o yaml | grep annotations -A 3

# This line must be present for the setup to count as successful:
annotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::254606715187:role/ebs-csi-controller-role


kubectl describe pod -n kube-system $(kubectl get pods -n kube-system | grep ebs-csi-controller | head -n1 | awk '{print $1}') | grep AWS_

# A correct result must contain:
AWS_ROLE_ARN=arn:aws:iam::254606715187:role/ebs-csi-controller-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

7. Check the pod status

# (the original used "kc", a local alias for kubectl)
kubectl get pods -n kube-system | grep ebs
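The checks in steps 2 to 6 are done by eye above. Below is an added example, not part of the original post, that turns them into a script: it refuses a trust.json that still contains the manual placeholders, confirms the Federated principal and the sub condition pin the role to exactly the CSI controller service account, and checks the annotation and pod environment. Account, role and service-account names are the page's; the OIDC host, SAMPLE_TRUST and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the IRSA wiring from
# steps 2-6. Account, role and service-account names are the page's; the OIDC host is made up.
ACCOUNT_ID="254606715187"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/ebs-csi-controller-role"
EXPECTED_SUB="system:serviceaccount:kube-system:ebs-csi-controller-sa"
TOKEN_FILE="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
normalize() { tr -d ' \t\n'; }   # make JSON matching independent of indentation

# check_trust_policy <policy-json> <oidc-host>: fails if a manual placeholder was left in,
# if the Federated principal is not this account's provider, or if the sub condition does
# not pin exactly the CSI controller service account (any other SA could assume the role).
check_trust_policy() {
  policy=$1; provider=$2
  if printf '%s' "$policy" | grep -qF -e '${OIDC_PROVIDER}' -e '<AWS_ACCOUNT_ID>'; then
    echo "trust policy still contains an unreplaced placeholder" >&2; return 1
  fi
  printf '%s' "$policy" | normalize | grep -qF "\"Federated\":\"arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${provider}\"" \
    || { echo "Federated principal is not the provider ${provider}" >&2; return 1; }
  printf '%s' "$policy" | normalize | grep -qF "\"${provider}:sub\":\"${EXPECTED_SUB}\"" \
    || { echo "sub condition does not pin ${EXPECTED_SUB}" >&2; return 1; }
}

# check_sa_annotation <sa-yaml>: the step-6 annotation must point at the role above.
check_sa_annotation() { printf '%s\n' "$1" | grep -qF "eks.amazonaws.com/role-arn: ${ROLE_ARN}"; }

# check_pod_env <lines>: both IRSA variables must be injected; accepts the NAME=value
# form shown in step 6 and the "NAME:  value" form printed by kubectl describe.
check_pod_env() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*AWS_ROLE_ARN[=:][[:space:]]*${ROLE_ARN}[[:space:]]*$" &&
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*AWS_WEB_IDENTITY_TOKEN_FILE[=:][[:space:]]*${TOKEN_FILE}[[:space:]]*$"
}

# verify_live <cluster-name>: run the same checks against the real cluster (needs aws + kubectl).
verify_live() {
  host=$(aws eks describe-cluster --name "$1" --query "cluster.identity.oidc.issuer" --output text | sed 's#^https://##')
  pod=$(kubectl get pods -n kube-system -o name | grep ebs-csi-controller | head -n1)
  check_trust_policy "$(cat trust.json)" "$host" &&
  check_sa_annotation "$(kubectl get sa ebs-csi-controller-sa -n kube-system -o yaml)" &&
  check_pod_env "$(kubectl describe -n kube-system "$pod" | grep AWS_)"
}

# Constructed sample: what trust.json looks like once the placeholders have been replaced.
SAMPLE_HOST="oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID0000"
SAMPLE_TRUST=$(cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${SAMPLE_HOST}"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"${SAMPLE_HOST}:sub": "${EXPECTED_SUB}"}}}]}
EOF
)
# Usage: check_trust_policy "$SAMPLE_TRUST" "$SAMPLE_HOST"   or   verify_live aws-middleware-production-eks
```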

posted @ 2026-04-24 11:02  苦逼yw