-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update README.md with explanation of EKS Pod Identity configuration with EFS CSI Controller #1422
base: master
Are you sure you want to change the base?
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: leondkr The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Welcome @leondkr! |
Hi @leondkr. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Hi @leondkr, thanks for the PR. Can you squash the commits so that I can trigger the tests? |
Hi @mskanth972, I squashed into a single one. Please check if any further action required. Thanks! |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Update Controller Pod Identity config description
Is this a bug fix or adding new feature?
Feature
What is this PR about? / Why do we need it?
Adds more details of integration between EKS Pod Identities feature and k8s service account of EFS CSI controller when the controller wants to communicate with EFS services using sufficient permissions.
What testing is done?
Here is the controller logs when we do not use
arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy
before and after:I0801 07:02:02.139270 1 controller.go:335] Using /pvc-a2755de8-c8fb-4ecd-b866-d86a43186784 as the access point directory. E0801 07:02:02.175852 1 driver.go:107] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied I0801 07:03:50.748840 1 controller.go:328] Using PV name for access point directory. I0801 07:03:50.748911 1 controller.go:335] Using /pvc-c380cab3-3f23-466b-acc6-4b39fa52fd9b as the access point directory.
Here is the events log of my PVC: