aws-efs-csi-driver
Mount using pod impersonation fails with "Volume context property not supported"
/kind bug
Driver installation works fine, using the latest 2.2.8 chart (https://github.com/ministryofjustice/cloud-platform-terraform-efs-csi/blob/impersonation/main.tf#L60), driver 1.4.1.
FS, PV and PVC are created with no issues, using https://github.com/ministryofjustice/cloud-platform-terraform-efs-pv/tree/frist, called as just:
```hcl
module "efs" {
  source       = "github.com/ministryofjustice/cloud-platform-terraform-efs-pv?ref=frist"
  cluster_name = var.cluster_name
  namespace    = var.namespace
  encrypted    = true
}
```
Test pod example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: raz-app-1
  namespace: raz-test-not-one
spec:
  containers:
    - name: raz-app-1
      image: busybox
      command: ["/bin/sh"]
      args: ["-c", "while true; do echo $(hostname ; date -u) >> /data/out.txt; sleep 5; done"]
      volumeMounts:
        - name: efs-storage
          mountPath: /data
  serviceAccountName: efs-raz-test-not-one
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  volumes:
    - name: efs-storage
      persistentVolumeClaim:
        claimName: raz-test-raz-test-not-one
```
Pods get stuck in ContainerCreating, with no useful logs on the controller; `kubectl get events` says:
```text
25s Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/pod.uid not supported
23s Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property podIAMAuthorization not supported
9s Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/serviceAccount.tokens not supported
```
Environment
- Kubernetes version (use `kubectl version`): EKS 1.21
- Driver version: 1.4.1
Note that everything works (creation, PV, mount, use in multiple pods) as long as we do not use IAM.
Is #777 related to this?
We have reverted this feature, unfortunately, due to a security concern from the EKS side. We will add this feature through the efs-utils side, but we do not have a clear timeline at the moment.
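As an added triage check (not code from the issue or from the driver project): given FailedMount events like the ones above, list which volume context properties the driver rejected and, for each, which Kubernetes object puts it into the volume context. It assumes the standard CSI behaviour that the kubelet injects `csi.storage.k8s.io/*` keys when the CSIDriver object sets `podInfoOnMount` or `tokenRequests`, while `podIAMAuthorization` comes from the PV's `volumeAttributes`; the PV and CSIDriver objects below are constructed samples, not the reporter's real objects.

```python
import re
from typing import Dict, List

# Shape of the FailedMount events quoted in the issue; only the property name varies.
UNSUPPORTED_RE = re.compile(r"Volume context property (?P<prop>\S+) not supported")

# Keys with this prefix are put into the volume context by the kubelet (CSIDriver
# podInfoOnMount / tokenRequests), not by the PV's volumeAttributes.
KUBELET_PREFIX = "csi.storage.k8s.io/"


def rejected_properties(event_lines: List[str]) -> List[str]:
    """Distinct volume context properties the driver rejected, in order of first appearance."""
    seen: List[str] = []
    for line in event_lines:
        m = UNSUPPORTED_RE.search(line)
        if m and m.group("prop") not in seen:
            seen.append(m.group("prop"))
    return seen


def locate_properties(props: List[str], pv: dict, csidriver: dict) -> Dict[str, str]:
    """Name, for each rejected property, the object that injects it into the volume context."""
    attrs = pv.get("spec", {}).get("csi", {}).get("volumeAttributes") or {}
    drv = csidriver.get("spec", {})
    origin: Dict[str, str] = {}
    for p in props:
        if p in attrs:
            origin[p] = "PV volumeAttributes"
        elif p == KUBELET_PREFIX + "serviceAccount.tokens" and drv.get("tokenRequests"):
            origin[p] = "CSIDriver tokenRequests"
        elif p.startswith(KUBELET_PREFIX) and drv.get("podInfoOnMount"):
            origin[p] = "CSIDriver podInfoOnMount"
        else:
            origin[p] = "unknown"
    return origin


# Constructed sample input modelled on the issue: its three events plus an unrelated one,
# a PV carrying the pod-IAM attribute, and a CSIDriver with kubelet injection enabled.
SAMPLE_EVENTS = [
    'Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/pod.uid not supported',
    'Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property podIAMAuthorization not supported',
    'Warning FailedMount pod/raz-app-1 MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/serviceAccount.tokens not supported',
    "Normal Pulled pod/raz-app-1 Container image already present on machine",
]
SAMPLE_PV = {"metadata": {"name": "raz-test-raz-test-not-one-efs"},
             "spec": {"csi": {"driver": "efs.csi.aws.com", "volumeHandle": "fs-PLACEHOLDER",
                              "volumeAttributes": {"podIAMAuthorization": "true"}}}}
SAMPLE_CSIDRIVER = {"metadata": {"name": "efs.csi.aws.com"},
                    "spec": {"podInfoOnMount": True, "tokenRequests": [{"audience": "AUDIENCE-PLACEHOLDER"}]}}
```

Run `locate_properties(rejected_properties(SAMPLE_EVENTS), SAMPLE_PV, SAMPLE_CSIDRIVER)` against real `kubectl get events`, `kubectl get pv -o json` and `kubectl get csidriver -o json` output to see which object still carries the reverted pod-impersonation settings.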