
`px deploy` should propose EKS users to create an EBS CSI driver for the user

Open philkuz opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

After 1.23 EKS removed the default Amazon EBS driver. That means Pixie installations have to manually add EBS CSI drivers to their system in order to use PersistentVolume backed Pixie. The current work-around is to install etcd-backed metadata in place of PersistentVolume backed metadata, but etcd is not as reliable of a metadata system.

Ideally `px deploy` can handle this process and allow EKS users to automatically provision all that they need to set up the EBS CSI driver.

Describe the solution you'd like

`px deploy` detects that the cluster is eks, checks to see if the ebs csi driver is there, and if not asks the user if they want to install it. Should communicate clearly that this is a more reliable way to manage their cluster and should also link to the relevant docs.

Describe alternatives you've considered

One alternative is to make a separate command that just does the EBS CSI deployment. Maybe that would cover existing installations.

philkuz, Jan 20 '23 17:01

I have a simple prototype binary from chatGPT that is probably 80% correct but needs testing and integration into the code:

```go
package main

import (
	"log"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/eks"
	"github.com/aws/aws-sdk-go/service/iam"
)

func main() {
	sess := session.Must(session.NewSession())

	// Create the IAM role for the EBS CSI Driver
	iamSvc := iam.New(sess)
	roleName := "AmazonEKS_EBS_CSI_DriverRole"
	// This trust policy lets the EKS service principal assume the role.
	// For the add-on's service account to use the role through IRSA, the
	// principal has to be the cluster's IAM OIDC provider and the action
	// sts:AssumeRoleWithWebIdentity instead.
	assumeRolePolicyDocument := `{
	  "Version": "2012-10-17",
	  "Statement": [
	    {
	      "Effect": "Allow",
	      "Principal": {
	        "Service": "eks.amazonaws.com"
	      },
	      "Action": "sts:AssumeRole"
	    }
	  ]
	}`
	createRoleInput := &iam.CreateRoleInput{
		AssumeRolePolicyDocument: aws.String(assumeRolePolicyDocument),
		RoleName:                 aws.String(roleName),
	}
	createRoleOutput, err := iamSvc.CreateRole(createRoleInput)
	if err != nil {
		// Stop here: createRoleOutput is nil when the call fails.
		log.Fatalf("creating IAM role %s: %v", roleName, err)
	}
	roleArn := createRoleOutput.Role.Arn

	// Attach the necessary policies to the role.
	// The AWS managed policy for the driver lives under the service-role/
	// path; it is the only policy the driver needs, so nothing broader is
	// attached.
	policyArns := []string{
		"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
	}
	for _, policyArn := range policyArns {
		attachRolePolicyInput := &iam.AttachRolePolicyInput{
			PolicyArn: aws.String(policyArn),
			RoleName:  aws.String(roleName),
		}
		if _, err := iamSvc.AttachRolePolicy(attachRolePolicyInput); err != nil {
			log.Fatalf("attaching %s: %v", policyArn, err)
		}
	}

	// Create the EKS addon
	eksSvc := eks.New(sess)
	input := &eks.CreateAddonInput{
		AddonName:             aws.String("aws-ebs-csi-driver"),
		ClusterName:           aws.String("my-cluster"), // placeholder cluster name
		ServiceAccountRoleArn: roleArn,
		// CreateAddonInput has no Force field; conflicts are handled
		// through ResolveConflicts.
		ResolveConflicts: aws.String(eks.ResolveConflictsOverwrite),
	}

	result, err := eksSvc.CreateAddon(input)
	if err != nil {
		log.Fatalf("creating addon: %v", err)
	}
	log.Printf("addon status: %s", aws.StringValue(result.Addon.Status))
}
```

philkuz, Jan 20 '23 17:01

@philkuz this is interesting. I am using EKS 1.23 and can see that there is a default Storage class gp2; however, PV won't work because there is no CSI driver installed.

For EBS CSI driver installation, a more popular installation option is to use IRSA and add the annotation to the service account as described here; perhaps this could also be one of the options.

shardulsrivastava, Jan 23 '23 23:01
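The IRSA option mentioned in the comment above needs a role whose trust policy names the cluster's IAM OIDC provider and pins a single service account, rather than trusting a service principal. The Go code below is an added example, not code from this thread or from Pixie: `IRSATrustPolicy` is a hypothetical helper, the account ID and issuer URL are constructed placeholders, the `aws` partition is assumed, and `kube-system`/`ebs-csi-controller-sa` is the service account the EKS add-on uses by default.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var accountRe = regexp.MustCompile(`^[0-9]{12}$`)
var nameRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$`) // no "*" or "?"

// IRSATrustPolicy is a hypothetical helper: it returns a trust policy that lets
// exactly one Kubernetes service account assume the role via the cluster's OIDC issuer.
func IRSATrustPolicy(accountID, issuerURL, namespace, serviceAccount string) (string, error) {
	u, err := url.Parse(issuerURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("issuer must be an https URL, got %q", issuerURL)
	}
	if !accountRe.MatchString(accountID) {
		return "", fmt.Errorf("account ID must be 12 digits")
	}
	if !nameRe.MatchString(namespace) || !nameRe.MatchString(serviceAccount) {
		return "", fmt.Errorf("namespace and service account must be exact names")
	}
	provider := u.Host + strings.TrimSuffix(u.Path, "/") // issuer without "https://"
	stmt := map[string]interface{}{
		"Effect":    "Allow",
		"Principal": map[string]string{"Federated": "arn:aws:iam::" + accountID + ":oidc-provider/" + provider},
		"Action":    "sts:AssumeRoleWithWebIdentity",
		// StringEquals on both claims: no other service account or audience matches.
		"Condition": map[string]interface{}{"StringEquals": map[string]string{
			provider + ":aud": "sts.amazonaws.com",
			provider + ":sub": "system:serviceaccount:" + namespace + ":" + serviceAccount,
		}},
	}
	doc := map[string]interface{}{"Version": "2012-10-17", "Statement": []interface{}{stmt}}
	out, err := json.MarshalIndent(doc, "", "  ")
	return string(out), err
}

func main() {
	// Constructed sample input: placeholder account ID and issuer URL.
	doc, err := IRSATrustPolicy("111122223333",
		"https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE", "kube-system", "ebs-csi-controller-sa")
	fmt.Println(doc, err)
}
```

The returned document is what would go into `AssumeRolePolicyDocument` when creating the role; the cluster's issuer URL has to be registered as an IAM OIDC provider in the account for the federation to work.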

@philkuz I can take this up. I have done this installation using both IRSA and the normal way.

shardulsrivastava, Feb 02 '23 13:02

Hey @shardulsrivastava ! Just checking in to see how things are going and if you need help with anything!

aimichelle, Mar 08 '23 01:03