- Bug
- Resolution: Unresolved
- Minor
- None
- 4.14
- None
- False
Description of problem:
The IAM policy in section 1a does not grant sufficient permissions for an EFS StorageClass to work as expected.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Provision a ROSA Hosted Control Plane cluster
2. Follow the steps in the documentation
3. Create a PVC with `storageClassName: efs-sc` and attempt to use it in a pod
Actual results:
Pod has unbound PVC claims
Controller logs: kubectl -n openshift-cluster-csi-drivers logs deployment.apps/aws-efs-csi-driver-controller -f
Found 2 pods, using pod/aws-efs-csi-driver-controller-585cff9b6-zhnkd
Defaulted container "csi-driver" out of: csi-driver, csi-provisioner, provisioner-kube-rbac-proxy, csi-liveness-probe
I0326 18:00:30.429859 1 config_dir.go:63] Mounted directories do not exist, creating directory at '/etc/amazon/efs'
I0326 18:00:30.432122 1 metadata.go:63] getting MetadataService...
I0326 18:00:30.434439 1 metadata.go:68] retrieving metadata from EC2 metadata service
I0326 18:00:30.442277 1 driver.go:113] Registering Node Server
I0326 18:00:30.442306 1 driver.go:115] Registering Controller Server
I0326 18:00:30.442321 1 driver.go:118] Starting efs-utils watchdog
I0326 18:00:30.442448 1 efs_watch_dog.go:216] Copying /etc/amazon/efs/efs-utils.conf since it doesn't exist
I0326 18:00:30.442558 1 efs_watch_dog.go:216] Copying /etc/amazon/efs/efs-utils.crt since it doesn't exist
I0326 18:00:30.442791 1 driver.go:124] Starting reaper
I0326 18:00:30.442805 1 driver.go:127] Listening for connections on address: &net.UnixAddr{Name:"/var/lib/csi/sockets/pluginproxy/csi.sock", Net:"unix"}
E0326 18:02:52.978069 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
E0326 18:02:54.071032 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
E0326 18:02:56.159221 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
E0326 18:03:00.250698 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
E0326 18:03:08.342469 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
E0326 18:03:24.424042 1 driver.go:103] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
Expected results:
StorageClass should be usable
Additional info:
Updating the Allow permissions in the iam-policy.json fixes the issue. The Allow statement needs the following actions:
- "elasticfilesystem:DescribeMountTargets"
- "elasticfilesystem:DescribeAccessPoints"
- "elasticfilesystem:DescribeFileSystems"
- "elasticfilesystem:ClientMount"
- "elasticfilesystem:ClientWrite"
- "elasticfilesystem:CreateTags"
- "elasticfilesystem:CreateMountTarget"
- "elasticfilesystem:DeleteMountTarget"
- "elasticfilesystem:DeleteTags"
- "elasticfilesystem:TagResource"
- "elasticfilesystem:UntagResource"
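The following is an added example, not code from the report or from the EFS CSI driver project: a small Python check that loads an iam-policy.json document and reports which of the actions listed above are not granted by any Allow statement, so the gap behind the "Unauthenticated ... Access Denied" controller errors can be spotted before the driver is deployed. The required action list is the one from this report; the two sample policies, the `Resource: "*"` scope, and the file-loading helper are constructed for illustration and do not claim to be the documentation's policy.

```python
import fnmatch
import json

# Actions the report says the Allow statement in iam-policy.json must grant
# (this list is taken from the report above).
REQUIRED_EFS_ACTIONS = [
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeAccessPoints",
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:ClientMount",
    "elasticfilesystem:ClientWrite",
    "elasticfilesystem:CreateTags",
    "elasticfilesystem:CreateMountTarget",
    "elasticfilesystem:DeleteMountTarget",
    "elasticfilesystem:DeleteTags",
    "elasticfilesystem:TagResource",
    "elasticfilesystem:UntagResource",
]


def _as_list(value):
    """IAM lets "Statement" and "Action" be a single string/object or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy: dict) -> set:
    """Return the subset of REQUIRED_EFS_ACTIONS granted by some Allow statement.

    IAM action names are matched case-insensitively and may contain '*' / '?'
    wildcards, so each statement's action patterns are matched with fnmatch.
    Deny statements grant nothing and are skipped; statements using "NotAction"
    are also skipped (treated as not granting) rather than guessed at, so the
    check errs on the side of reporting a permission as missing.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_EFS_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def missing_actions(policy: dict) -> list:
    """Required EFS actions not granted by any Allow statement, in report order."""
    granted = allowed_actions(policy)
    return [a for a in REQUIRED_EFS_ACTIONS if a not in granted]


def missing_actions_from_file(path: str) -> list:
    """Convenience wrapper (constructed helper): check a policy document on disk."""
    with open(path, encoding="utf-8") as fh:
        return missing_actions(json.load(fh))


# Constructed sample: a policy that only grants the read-only Describe calls.
# This is NOT the documentation's policy; it just illustrates a failing check.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "elasticfilesystem:Describe*", "Resource": "*"}
    ],
}

# Constructed sample built from the report's list of required actions.
# Resource "*" is an assumption; scope it to the file system ARNs in a real policy.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": list(REQUIRED_EFS_ACTIONS), "Resource": "*"}
    ],
}

if __name__ == "__main__":
    for name, policy in (("incomplete", INCOMPLETE_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: missing {missing_actions(policy) or 'nothing'}")
```

Because the matcher honours wildcards, an over-broad `elasticfilesystem:*` also passes the check; that satisfies the driver but is not least privilege, so the explicit action list from the report is the better target for the Allow statement.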