AWS CSI driver

[olemarkus]

No description provided.

[olemarkus]

/retest

[rifelpet]

I'm wondering if this is needs to be a requirement. Users may have clusters that don't run any persistent volumes, for example.

[olemarkus]

The challenge right now is that everyone else need to actively set one of these values to get a working cluster. I think that when we by default enable either using external CCM for AWS and/or external CSI driver we can relax the relax the requirement.

I suspect that the CSI driver will be more popular than the external CCM for the time being anyway. CSI driver does bring in additional features.

[olemarkus]

Not sure how much we really want to be configurable here.
In particular, there is a large amount of images involved and it could get messy allowing each of them to be configured.

[rifelpet]

Looking at the helm chart's values file, I don't see any parameters that would be particularly important to expose as api fields for an initial implementation.

I think there are additional IAM permissions needed. The docs mention ec2:CreateSnapshot which neither the control plane nor node roles have, and the ebs-snapshot-controller StatefulSet isn't currently restricted to just the control plane nodes. Perhaps this is a good opportunity to use the UseServiceAccountIAM feature flag functionality.

[rifelpet]

This flag is deprecated in favor of --extra-tags:
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/f54138034204850e54c26f67dde3f8217339c09c/cmd/options/controller_options.go#L39-L40

Also we could consider populating this with the standard set of tags we include on resources, including ClusterSpec.CloudLabels

[olemarkus]

Good catch.

[olemarkus]

I think there are additional IAM permissions needed. The docs mention ec2:CreateSnapshot which neither the control plane nor node roles have, and the ebs-snapshot-controller StatefulSet isn't currently restricted to just the control plane nodes. Perhaps this is a good opportunity to use the UseServiceAccountIAM feature flag functionality.

I like the IRSA concept, and I think strategically we should move in that direction, but is it mature enough to start depending on it now?

[olemarkus]

Reading https://github.com/kubernetes-csi/external-snapshotter in more detail, it seems worthy having a dedicated addon for this. Including the snapshotter, CRDs + the webhook admission controller.

[olemarkus]

Looking through https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md and the docs of the various plugins, I wonder if for kOps, it makes most sense to:

• deploy the vendor CSI driver itself as a standalone addon. The controller running as a daemonset on masters
• The snapshot controller as a standalone addon. It should also be a daemonset rather than a statefulset (the use of statefulset was somewhat inconsistent. The reason is to avoid running two of them at the same time. But the controller supports leader election, so for us a daemonset makes more sense. ). There should only be one installation of this controller per cluster. This addon should also contain the webhook and CRDs.

[olemarkus]

This is more or less done now.

Since we need a cert for the admission controller, this now blocked by #10321

[mikesplain]

This is awesome, unfortunately I only found this PR after having set this up myself as well haha.

Only comment, would we want to also modify the storage class for this? For this to be usable you need to modify the provisioner: ebs.csi.aws.com in

kops/upup/models/cloudup/resources/addons/storage-aws.addons.k8s.io/v1.15.0.yaml

Line 7 in 22a9a13

provisioner: kubernetes.io/aws-ebs

I could see that being a follow up PR or a separate flag but just thought I'd mention it. Also an easy time to enable volume expansion by default.

[olemarkus]

Updating the provisioner field is forbidden, so we need a new storageclass here. Or force-change the old one.

Do you know if changing this really is needed when CSIMigrationAWS feature gate is set?

[olemarkus]

CSIMigrationAWS: Enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Supports falling back to in-tree EBS plugin if a node does not have EBS CSI plugin installed and configured. Requires CSIMigration feature flag enabled.
CSIMigrationAWSComplete: Stops registering the EBS in-tree plugin in kubelet and volume controllers and enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Requires CSIMigration and CSIMigrationAWS feature flags enabled and EBS CSI plugin installed and configured on all nodes in the cluster.

Looks like we should not create a new storage class. And we probably should set the CSIMigrationAWSComplete flag to ensure our setup works as expected.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [olemarkus]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[olemarkus]

I removed the snapshotter out of the PR now, so we shouldn't have any webhooks issues.
Also set the feature flag that will block the in-cluster EBS plugin so we 100% know the out-of-tree plugin is used.

[rifelpet]

A few minor comments but looks good overall. We'll want docs for this as well as a release note. Being sure to mention the migration steps involving the feature gates, or just linking to wherever that process is documented.

[rifelpet]

I think this is duplicated from Line 210

[olemarkus]

Thanks for catching!

[rifelpet]

/lgtm