...
Add the Amazon EFS CSI Driver Helm repository:

```
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
helm repo update
```

Install the chart into the uepe namespace, reusing an existing service account:

```
helm install aws-efs-csi-driver --namespace uepe aws-efs-csi-driver/aws-efs-csi-driver --version <helm chart version> \
  --set controller.serviceAccount.create=false \
  --set controller.serviceAccount.name=efs-csi-controller-sa
```

Info: The Helm install command assumes the service account for the Amazon EFS CSI Driver already exists. The service account name is set to metadata.name under the iam.serviceAccounts portion in the ... and the namespace is set to metadata.namespace under the iam.serviceAccounts portion in the ...

...

To enable the CSI volume plugin to create and manage File Storage resources, appropriate IAM policies must be installed:

Policy to create and/or manage file systems, mount targets, and export paths:

```
ALLOW any-user to manage file-family in compartment <compartment-name> where request.principal.type = 'cluster'
```

Policy to use VNICs, private IPs, private DNS zones, and subnets:

```
ALLOW any-user to use virtual-network-family in compartment <compartment-name> where request.principal.type = 'cluster'
```

Policy to enable the CSI volume plugin to access that master encryption key:

```
Allow service FssOc1Prod to use keys in compartment <compartment-name> where target.key.id = '<key_OCID>'
Allow any-user to use key-delegates in compartment <compartment-name> where ALL {request.principal.type = 'cluster', target.key.id = '<key_OCID>'}
```

Where <compartment-name> and <key_OCID> can be retrieved from the console.
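As an added check that is not part of the original page or of either vendor's tooling: a small Python linter for OCI IAM policy statements of the form used above. It flags any `any-user` statement that is not restricted by a `request.principal.type` condition (without it, the grant applies to every principal in the tenancy) and any key-related grant not pinned to a `target.key.id`. The compartment name and key OCID in the sample are constructed placeholders, and the last sample statement is deliberately over-broad to show the check firing.

```python
import re

# Constructed sample: the statements from this page with placeholder values,
# plus one deliberately over-broad statement (no request.principal.type condition).
SAMPLE_POLICY = """
ALLOW any-user to manage file-family in compartment prod-oke where request.principal.type = 'cluster'
ALLOW any-user to use virtual-network-family in compartment prod-oke where request.principal.type = 'cluster'
Allow service FssOc1Prod to use keys in compartment prod-oke where target.key.id = 'ocid1.key.oc1..example'
Allow any-user to use key-delegates in compartment prod-oke where ALL {request.principal.type = 'cluster', target.key.id = 'ocid1.key.oc1..example'}
Allow any-user to manage file-family in compartment prod-oke
"""

# Matches the common "Allow <subject> to <verb> <resource> in <scope> [where <cond>]" shape.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|service\s+\S+|group\s+\S+|dynamic-group\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)


def parse_statement(line):
    """Return the statement's parts as a dict, or None if it does not parse."""
    m = STATEMENT_RE.match(line)
    if not m:
        return None
    return {k: (v.strip() if v else v) for k, v in m.groupdict().items()}


def lint_policy(text):
    """Return (line number, message) findings for over-broad statements."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        st = parse_statement(line)
        if st is None:
            findings.append((lineno, "unparseable statement"))
            continue
        cond = (st["cond"] or "").lower()
        resource = st["resource"].lower()
        # any-user is only safe when the condition narrows it to the cluster principal.
        if st["subject"].lower() == "any-user" and "request.principal.type" not in cond:
            findings.append((lineno, "any-user statement without a request.principal.type condition"))
        # Key grants should name the one key the CSI plugin needs, not every key in the compartment.
        if resource in ("keys", "key-delegates") and "target.key.id" not in cond:
            findings.append((lineno, "key access not pinned to a specific target.key.id"))
        if st["verb"].lower() == "manage" and resource in ("keys", "key-delegates"):
            findings.append((lineno, "manage on keys is broader than the 'use' the CSI plugin needs"))
    return findings
```

Run `lint_policy` over the exact statements you intend to apply in the console; the page's own statements produce no findings, only the appended unconditioned one does.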
...