AWS EBS reports a permission-denied error

On AWS EKS, creating an EBS-backed PVC fails with the following error:

Warning ProvisioningFailed 9m28s ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-d0e1df78-28ce-464b-b7ea-da017a656393": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
status code: 403, request id: 6e315969-831c-46d5-87fa-c2c635af7a4b
Normal Provisioning 2m37s (x11 over 11m) ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 External provisioner is provisioning volume for claim "cattle-monitoring-system/prometheus-rancher-monitoring-prometheus-db-prometheus-rancher-monitoring-prometheus-0"
Warning ProvisioningFailed 2m37s (x2 over 7m37s) ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-d0e1df78-28ce-464b-b7ea-da017a656393": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
status code: 403, request id: 919f64b1-528c-4720-b6b5-3a711875335f
Normal ExternalProvisioning 99s (x43 over 11m) persistentvolume-controller waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator

https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/748

https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1033

 

Role permission problem:

The IAM role used by the EBS CSI add-on must have the following permissions:

https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html

AmazonEBSCSIDriverPolicy (AWS managed)
 
 
eks-pre2

The permission policy in eks-pre2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DetachVolume",
                "ec2:ModifyVolume"
            ],
            "Resource": "*"
        }
    ]
}

Finally, restart the add-on:

kubectl -n kube-system rollout restart deploy/ebs-csi-controller
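
The sts:AssumeRoleWithWebIdentity call in the error above is authorized by the role's trust policy, so that document is worth checking alongside the permission policies. The following is an added example, not part of the original post: it checks whether a trust policy lets the EBS CSI controller's service account assume the role. The account id, region, OIDC id and the service account name ebs-csi-controller-sa (the driver's default) are assumptions; only the kube-system namespace comes from the page.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample trust policy: account id, region and OIDC id are placeholders.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
      "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000:aud": "sts.amazonaws.com"
    }}
  }]
}
""")

def as_list(value):
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def trust_findings(policy, oidc_provider, namespace, service_account):
    """Return [] if the service account may assume the role, else the reasons why not.
    Only the Federated principal and the :sub condition are checked (not :aud)."""
    want = f"system:serviceaccount:{namespace}:{service_account}"
    key = oidc_provider + ":sub"
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal", {})
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(arn.endswith(":oidc-provider/" + oidc_provider) for arn in federated):
            findings.append("principal is not this cluster's OIDC provider")
            continue
        cond = stmt.get("Condition", {})
        exact = as_list(cond.get("StringEquals", {}).get(key, []))
        like = as_list(cond.get("StringLike", {}).get(key, []))
        # Every operator present must match; values under one key are alternatives.
        if (not exact or want in exact) and (not like or any(fnmatchcase(want, p) for p in like)):
            return []
        findings.append(f"sub condition does not match {want}")
    return findings or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
```

A trust policy with no :sub condition also passes this check, but it lets any service account in the cluster assume the role, so scope it to the one service account.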

posted on 2024-01-31 14:12  net2817
