LogoLogo
4.0.X
4.0.X
  • About Trilio for Kubernetes
    • Welcome to Trilio For Kubernetes
    • Version 4.0.X Release Highlights
    • Compatibility Matrix
    • Marketplace Support
    • Features
    • Use Cases
  • Getting Started
    • Getting Started with Trilio on Red Hat OpenShift (OCP)
    • Getting Started with Trilio for Upstream Kubernetes (K8S)
    • Getting Started with Trilio for AWS Elastic Kubernetes Service (EKS)
    • Getting Started with Trilio on Google Kubernetes Engine (GKE)
    • Getting Started with Trilio on VMware Tanzu Kubernetes Grid (TKG)
    • More Trilio Supported Kubernetes Distributions
      • General Installation Prerequisites
      • Rancher Deployments
      • Azure Cloud AKS
      • Digital Ocean Cloud
      • Mirantis Kubernetes Engine
      • IBM Cloud
    • Licensing
    • Using Trilio
      • Overview
      • Post-Install Configuration
      • Management Console
        • About the UI
        • Navigating the UI
          • UI Login
          • Cluster Management (Home)
          • Backup & Recovery
            • Namespaces
              • Namespaces - Actions
              • Namespaces - Bulk Actions
            • Applications
              • Applications - Actions
              • Applications - Bulk Actions
            • Backup Plans
              • Create Backup Plans
              • Backup Plans - Actions
            • Targets
              • Create New Target
              • Targets - Actions
          • Trilio Monitoring
          • Resource Management
          • Guided Tours
        • UI How-to Guides
          • Multi-Cluster Management
          • Creating Backups
            • Cleanup Failed Backups
          • Restoring Backups
            • Cross-Cluster Restores
          • Monitoring Details
          • Disaster Recovery Plan
          • Continuous Restore
      • Command-Line Interface
        • YAML Examples
        • Trilio Helm Operator Values
    • Upgrade
    • Air-Gapped Installations
    • Uninstall
  • Reference Guides
    • T4K Pod/Job Capabilities
      • Resource Quotas
    • Trilio Operator API Specifications
    • Custom Resource Definition - Application
  • Advanced Configuration
    • AWS S3 Target Permissions
    • Management Console
      • KubeConfig Authenticaton
      • Authentication Methods Via Dex
      • UI Authentication
      • RBAC Authentication
      • Configuring the UI
    • Resource Request Requirements
      • Fine Tuning Resource Requests and Limits
    • Observability
      • Observability of Trilio with Prometheus and Grafana
      • Exported Prometheus Metrics
      • T4K Integration with Observability Stack
    • Modifying Default T4K Configuration
  • T4K Concepts
    • Supported Application Types
    • Support for Helm Releases
    • Support for OpenShift Operators
    • T4K Components
    • Backup and Restore Details
      • Immutable Backups
      • Application Centric Backups
    • Backup Retention Process
      • Retention Use Case
    • Continuous Restore
      • Architecture and Concepts
  • Performance
    • S3 as Backup Target
      • T4K S3 Fuse Plugin performance
    • Measuring Backup Performance
  • Ecosystem
    • T4K Integration with Slack using BotKube
    • Monitoring T4K Logs using ELK Stack
    • Rancher Navigation Links for Trilio Management Console
    • Optimize T4K Backups with StormForge
    • T4K GitHub Runner
    • AWS RDS snapshots using T4K hooks
    • Deploying Trilio For Kubernetes with Openshift ACM Policies
  • Krew Plugins
    • T4K QuickStart Plugin
    • Trilio for Kubernetes Preflight Checks Plugin
    • T4K Log Collector Plugin
    • T4K Cleanup Plugin
    • OCP ETCD Plugin
    • RKE ETCD Plugin
  • Support
    • Troubleshooting Guide
    • Known Issues and Workarounds
    • Contacting Support
  • Appendix
    • Ignored Resources
    • OpenSource Software Disclosure
    • CSI Drivers
      • Installing VolumeSnapshot CRDs
      • Install AWS EBS CSI Driver
    • T4K Product Quickview
    • OpenShift OperatorHub Custom CatalogSource
      • Custom CatalogSource in a restricted environment
    • Configure OVH Object Storage as a Target
    • Connect T4K UI hosted with HTTPS to another cluster hosted with HTTP or vice versa
    • Fetch DigitalOcean Kubernetes Cluster kubeconfig for T4K UI Authentication
    • Force Update T4K Operator in Rancher Marketplace
    • Backup and Restore Virtual Machines running on OpenShift
    • T4K For Volumes with Generic Storage
Powered by GitBook
On this page
  • Getting Started with AWS CLI and EKS Cluster deployment:
  • Add CSI driver:
  • To create an IAM OIDC identity provider for your cluster with the AWS Management Console
  • Create role with policy:
  • Validate the EBS driver installation
  1. Appendix
  2. CSI Drivers

Install AWS EBS CSI Driver

This page explains steps by step instruction to install the AWS EBS CSI driver on AWS EKS cluster.

PreviousInstalling VolumeSnapshot CRDsNextT4K Product Quickview

A CSI driver with snapshotting capability is a requirement for T4K to function properly. It has been discovered that in the Fall of 2022, the snapshot controller has been removed from the AWS EBS CSI driver install process. In addition, CSI is not installed by default with the creation of an EKS cluster so a customer will have to add this CSI support manually after the creation of an EKS cluster.

The instructions are validated for AWS EKS v 1.21, 1.22, and 1.23.

Getting Started with AWS CLI and EKS Cluster deployment:

  1. Once you have an existing EKS cluster user with eks-admin privileges then fetch the kubeconfig file of the cluster

    aws eks update-kubeconfig --region us-east-1 --name sa-eks-cluster-1

Add CSI driver:

  1. Install the AWS EBS CSI Driver through . You can follow the below step-by-step instruction with commands:

  2. Get OIDC endpoint:

    aws eks describe-cluster \
      --name sa-eks-cluster-1 \
      --query "cluster.identity.oidc.issuer" \
      --output text
  3. The output will show the OIDC endpoint:

    sa-eks-cluster-1
    https://oidc.eks.us-east-1.amazonaws.com/id/A357D6680CACC3FE811997EAE0BEDDCD

To create an IAM OIDC identity provider for your cluster with the AWS Management Console

  1. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.

  2. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.

  3. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one.

  4. To create a provider, choose Add provider.

  5. For Provider type, select OpenID Connect.

  6. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.

Create role with policy:

  1. Get OIDC provider for cluster:

    user@demo-server:~# aws eks describe-cluster \
      --name sa-eks-cluster-1 \
      --query "cluster.identity.oidc.issuer" \
      --output text
  2. The output will show the OIDC endpoint with region name:

    sa-eks-cluster-1
    https://oidc.eks.us-east-1.amazonaws.com/id/A357D6680CACC3FE811997EAE0BEDDCD
  3. Create role JSON file to be applied with AWS CLI

  4. Change the AWS account number, OIDC provider URL and region code as per the EKS cluster deployment.

    % cat aws-ebs-csi-driver-trust-policy-eks1.json 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::195495575045:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/A357D6680CACC3FE811997EAE0BEDDCD"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-east-1.amazonaws.com/id/A357D6680CACC3FE811997EAE0BEDDCD:aud": "sts.amazonaws.com",
              "oidc.eks.us-east-1.amazonaws.com/id/A357D6680CACC3FE811997EAE0BEDDCD:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
            }
          }
        }
      ]
    }
  5. Create Role by applying role ISON file with AWS CLI:

    aws iam create-role \
      --role-name AmazonEKS_EBS_CSI_DriverRole-eks1 \
      --assume-role-policy-document file://"aws-ebs-csi-driver-trust-policy-eks1.json"
  6. Attach above created role to Amazon EBS CSI policy

    % aws iam attach-role-policy \
      --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
      --role-name AmazonEKS_EBS_CSI_DriverRole-eks1
  7. Adding the Amazon EBS CSI add-on:

    % aws eks create-addon \
      --cluster-name sa-eks-cluster-1 \
      --addon-name aws-ebs-csi-driver \
      --service-account-role-arn arn:aws:iam::195495575045:role/AmazonEKS_EBS_CSI_DriverRole-eks1
  8. Add ebs-sc storage class, example pod and PVC using a CSI volume:

    % kubectl get sc
    NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  63d
    % git clone https://github.com/kubernetes-sigs/aws-ebs-csi-driver.git
    Cloning into 'aws-ebs-csi-driver'...
    remote: Enumerating objects: 23572, done.
    remote: Counting objects: 100% (90/90), done.
    remote: Compressing objects: 100% (62/62), done.
    remote: Total 23572 (delta 25), reused 70 (delta 19), pack-reused 23482
    Receiving objects: 100% (23572/23572), 24.90 MiB | 36.01 MiB/s, done.
    Resolving deltas: 100% (12207/12207), done.
    % cd aws-ebs-csi-driver/examples/kubernetes/dynamic-provisioning/
    % ls
    README.md	manifests
    % kubectl apply -f manifests/
    persistentvolumeclaim/ebs-claim created
    pod/app created
    storageclass.storage.k8s.io/ebs-sc created
    % kubectl get csidrivers     
    NAME              ATTACHREQUIRED   PODINFOONMOUNT   STORAGECAPACITY   TOKENREQUESTS   REQUIRESREPUBLISH   MODES        AGE
    ebs.csi.aws.com   true             false            false             <unset>         false               Persistent   5m14s
    efs.csi.aws.com   false            false            false             <unset>         false               Persistent   17m
    % kubectl get sc        
    NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    ebs-sc          ebs.csi.aws.com         Delete          WaitForFirstConsumer   false                  17s
    gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  17m
    % kubectl get pvc
    NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    ebs-claim   Bound    pvc-ed4dbc13-10f6-4176-96e1-3e0d2146f345   4Gi        RWO            ebs-sc         22s
    % kubectl get pod
    NAME   READY   STATUS    RESTARTS   AGE
    app    1/1     Running   0          26s
  9. Change default StorageClass to ebs-sc:

    % kubectl get csidrivers     
    NAME              ATTACHREQUIRED   PODINFOONMOUNT   STORAGECAPACITY   TOKENREQUESTS   REQUIRESREPUBLISH   MODES        AGE
    ebs.csi.aws.com   true             false            false             <unset>         false               Persistent   5m14s
    efs.csi.aws.com   false            false            false             <unset>         false               Persistent   17m
    % kubectl get sc        
    NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    ebs-sc          ebs.csi.aws.com         Delete          WaitForFirstConsumer   false                  17s
    gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  17m
    
    kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
    kubectl patch storageclass ebs-sc -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
    
    % kubectl get sc
    NAME               PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    ebs-sc (default)   ebs.csi.aws.com         Delete          WaitForFirstConsumer   false                  4m33s
    gp2                kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  22m
  10. Add VolumeSnapshot CRDs and Snapshot Controller:

    # Change to the latest supported snapshotter version
    # https://kubernetes-csi.github.io/docs/external-snapshotter.html
    $ SNAPSHOTTER_VERSION=v5.0.1
    
    # Apply VolumeSnapshot CRDs
    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOTTER_VERSION}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOTTER_VERSION}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOTTER_VERSION}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
    
    # Create snapshot controller
    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOTTER_VERSION}/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml
    $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOTTER_VERSION}/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml
  11. With all above steps, EBS CSI driver with VolumeSnapshot capability is installed.

Validate the EBS driver installation

Install and run the T4K preflight plugin:

% kubectl tvk-preflight run --storage-class ebs-sc
INFO[0000] Created log file with name - preflight-2022-11-4T16-44-27.log 
INFO[0000] Setting log level as info                    
INFO[0001] ====PREFLIGHT RUN OPTIONS====                
INFO[0001] LOG-LEVEL="INFO"                             
INFO[0001] KUBECONFIG-PATH=""                           
INFO[0001] NAMESPACE="default"                          
INFO[0001] INCLUSTER="false"                            
INFO[0001] STORAGE-CLASS="ebs-sc"     
...
INFO[0134] ✔ restored pod from volume snapshot of unmounted pv has expected data 
INFO[0134] ✔ Preflight check for volume snapshot and restore is successful 
INFO[0134] All preflight checks succeeded!              
INFO[0138] All preflight resources cleaned 

Open the Amazon EKS console at .

Open the IAM console at

For Audience, enter and choose Add provider.

If T4K Preflight plugin is not already installed, follow the instructions

Getting started with AWS EKS
Install AWS EBS CSI Driver
Amazon EKS Add-on
https://console.aws.amazon.com/eks/home#/clusters
https://console.aws.amazon.com/iam/
sts.amazonaws.com
here