Let’s continue with AWS CDK and Python. I’m not writing because I like CDK, but because there are quite a few examples on the Internet for AWS CDK with Python, so let them at least be here.
So, we have a cluster (see "AWS: CDK and Python – building an EKS cluster, and general impressions of CDK") and a couple of controllers (see "AWS: CDK and Python – configure an IAM OIDC Provider, and install Kubernetes Controllers"). Everything seemed to be ready: I started installing a VictoriaMetrics chart, and everything was working except for the VMSingle pod, which hung in the Pending status.
“VolumeBinding”: binding volumes: timed out waiting for the condition
Let’s check the Events of this Pod:
[simterm]
...
Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  FailedScheduling  10m   default-scheduler  running PreBind plugin "VolumeBinding": binding volumes: timed out waiting for the condition
[/simterm]
Quick googling led me to a question on StackOverflow, which reminded me of EKS Add-ons, in particular the EBS CSI driver, which should create an EBS volume when a PersistentVolumeClaim appears.
So today we’ll look at how to add add-ons to a cluster with the AWS CDK.
Actually, it's quite simple; the only thing I had to google was how to use CfnAddon, but this time the documentation was found quickly, and even with examples in Python, not TypeScript.
IAM Role for EBS CSI driver
We already have an OIDC Provider; see AWS: EKS, OpenID Connect, and ServiceAccounts.
For the driver, we will also use IRSA. So we need to describe an IAM Role for the driver's ServiceAccount and attach an AWS managed policy with iam.ManagedPolicy.from_aws_managed_policy_name():
...
# Create an IAM Role to be assumed by the EBS CSI driver
ebs_csi_addon_role = iam.Role(
    self,
    'EbsCsiAddonRole',
    # for Role's Trust relationships
    assumed_by=iam.FederatedPrincipal(
        federated=oidc_provider_arn,
        conditions={
            'StringEquals': {
                f'{oidc_provider_url.replace("https://", "")}:sub': 'system:serviceaccount:kube-system:ebs-csi-controller-sa'
            }
        },
        assume_role_action='sts:AssumeRoleWithWebIdentity'
    )
)
ebs_csi_addon_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEBSCSIDriverPolicy"))
...
In from_aws_managed_policy_name(), specify the name as "service-role/ManagedPolicyName".
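An added example (not code from the original post): a small checker for the trust policy that a role like ebs_csi_addon_role ends up with, confirming that only the ebs-csi-controller-sa ServiceAccount can assume it. It goes beyond the page by also expecting the `:aud` claim to be pinned to sts.amazonaws.com, as in AWS's documented trust policy for this driver; the issuer, account ID and sample policies are constructed.

```python
# Added example: audit an IRSA role trust policy (IAM JSON, e.g. from a synthesized template).
# The issuer, account ID and sample policies below are constructed for illustration.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"
SUB = "system:serviceaccount:kube-system:ebs-csi-controller-sa"

def audit_irsa_trust(policy, issuer, expected_sub):
    """Return findings; an empty list means only expected_sub can assume the role."""
    findings = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        return ["no Allow statement"]
    for i, stmt in enumerate(allows):
        actions = stmt.get("Action", [])
        if actions not in ("sts:AssumeRoleWithWebIdentity", ["sts:AssumeRoleWithWebIdentity"]):
            findings.append(f"stmt {i}: unexpected Action {actions!r}")
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not (isinstance(federated, str) and federated.endswith(f":oidc-provider/{issuer}")):
            findings.append(f"stmt {i}: Principal is not the cluster OIDC provider")
        cond = stmt.get("Condition", {})
        for op in cond:
            if op != "StringEquals":  # e.g. StringLike accepts wildcards
                findings.append(f"stmt {i}: operator {op} used instead of StringEquals")
        exact = cond.get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != expected_sub:
            findings.append(f"stmt {i}: :sub is not pinned to {expected_sub}")
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"stmt {i}: :aud is not pinned to sts.amazonaws.com")
    return findings

def trust_policy(condition):
    """Build a sample policy shaped like an IRSA role trust policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

SUB_ONLY = trust_policy({"StringEquals": {f"{ISSUER}:sub": SUB}})  # as on this page
PINNED = trust_policy({"StringEquals": {f"{ISSUER}:sub": SUB, f"{ISSUER}:aud": "sts.amazonaws.com"}})
WILDCARD = trust_policy({"StringLike": {f"{ISSUER}:sub": "system:serviceaccount:kube-system:*"}})

if __name__ == "__main__":
    for name, doc in (("sub-only", SUB_ONLY), ("pinned", PINNED), ("wildcard", WILDCARD)):
        print(name, audit_irsa_trust(doc, ISSUER, SUB))
```

To pass the `:aud` check in the CDK code, add a second key, built the same way as the `:sub` key but ending in `:aud`, with the value `sts.amazonaws.com` to the `StringEquals` dict.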
CfnAddon for EBS CSI driver
Find the current version of the driver by specifying the version of the cluster – we have EKS version 1.26, because the CDK still does not support 1.27:
[simterm]
$ aws eks describe-addon-versions --addon-name aws-ebs-csi-driver --kubernetes-version 1.26 --query "addons[].addonVersions[].[addonVersion, compatibilities[].defaultVersion]" --output text
v1.20.0-eksbuild.1
True
...
[/simterm]
Then describe the add-on itself with CfnAddon: specify the cluster name, the add-on version, and the ServiceAccount's IAM Role ARN taken from the ebs_csi_addon_role created above:
...
# Add EBS CSI add-on
ebs_csi_addon = eks.CfnAddon(
    self,
    "EbsCsiAddonSa",
    addon_name="aws-ebs-csi-driver",
    cluster_name=cluster_name,
    resolve_conflicts="OVERWRITE",
    addon_version="v1.20.0-eksbuild.1",
    service_account_role_arn=ebs_csi_addon_role.role_arn
)
...
Deploy, and check:
Check Pods:
[simterm]
$ kk -n kube-system get pod | grep csi
ebs-csi-controller-896d87c6b-7rv9z   6/6   Running   0   9m59s
ebs-csi-controller-896d87c6b-v7xg7   6/6   Running   0   9m59s
ebs-csi-node-2zwnr                   3/3   Running   0   9m59s
ebs-csi-node-pt5zs                   3/3   Running   0   9m59s
[/simterm]
And now we have a PVC for VictoriaMetrics in the Bound status:
[simterm]
$ kk -n dev-monitoring-ns get pvc
NAME                                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
vmsingle-victoria-metrics-k8s-stack   Bound    pvc-151a631b-f6de-4567-8baa-97adb4e04a87   20Gi       RWO            gp2            91m
[/simterm]
And the VMSingle Pod is now in the Running status:
[simterm]
$ kk -n dev-monitoring-ns get po | grep vmsingle
vmsingle-victoria-metrics-k8s-stack-f7794d779-n6sc7   1/1   Running   0   28m
[/simterm]
Done.