ENV
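# Cluster/account context used by every later step.
# CLUSTER_OIDC is the cluster's OIDC issuer with the "https://" scheme removed,
# which is the form IAM expects in the oidc-provider ARN and in the trust-policy
# condition keys ("<issuer>:aud", "<issuer>:sub").
export CLUSTER_NAME="<CLUSTER_NAME>"
export AWS_REGION=ap-northeast-2

# Strip the scheme with parameter expansion rather than a fixed character range
# (cut -c 9-100), which would silently truncate an issuer longer than 100 chars.
# Assignment is split from export so a failed aws call is not masked by export's
# own exit status.
CLUSTER_OIDC=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query "cluster.identity.oidc.issuer" --output text)
export CLUSTER_OIDC="${CLUSTER_OIDC#https://}"

ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
export ACCOUNT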
Create S3 Bucket
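# Create the bucket in the same region the PV's "region ap-northeast-2" mount
# option names below, passing it explicitly instead of relying on AWS_REGION
# being exported in this shell. Bucket names are global, so the command fails
# if <BUCKET_NAME> is already taken by another account.
aws s3 mb "s3://<BUCKET_NAME>" --region "$AWS_REGION"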
Create Policy
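# IAM permissions for the Mountpoint S3 CSI driver, scoped to the single bucket
# created above. The Resource entries must name that bucket (the same
# <BUCKET_NAME> placeholder used by "aws s3 mb" and the PV below); granting a
# different bucket name here leaves the driver with AccessDenied on mount.
# s3:DeleteObject is only required because the PV is mounted with the
# "allow-delete" option; drop both for a read-only or append-only volume.
# IAM policy JSON does not accept comments, so the notes stay out here.
cat << 'EOF' > s3-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MountpointFullBucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>"
      ]
    },
    {
      "Sid": "MountpointFullObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>/*"
      ]
    }
  ]
}
EOF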
# Register the managed policy from the document written above. The resulting
# ARN is arn:aws:iam::<ACCOUNT>:policy/AmazonS3CSIDriverPolicy and is what the
# attach-role-policy step refers to.
aws iam create-policy \
  --policy-name AmazonS3CSIDriverPolicy \
  --policy-document file://s3-policy.json
Trust Policy (AssumeRoleWithWebIdentity)
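# IRSA trust policy for the driver's role. Checking only "aud" lets ANY service
# account in the cluster that has a projected token assume this role, so the
# "sub" condition pins it to the add-on's own service account.
# system:serviceaccount:kube-system:s3-csi-driver-sa is the service account the
# Mountpoint add-on is documented to use; confirm it after install with
#   kubectl -n kube-system get sa
# and adjust the value if it differs.
# ACCOUNT_ID and OIDC are placeholders filled in by the sed commands that follow;
# the global OIDC replacement rewrites both condition keys as well as the ARN.
# The delimiter is quoted so nothing in the document is shell-expanded.
cat << 'EOF' > aws-s3-csi-driver-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/OIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC:aud": "sts.amazonaws.com",
          "OIDC:sub": "system:serviceaccount:kube-system:s3-csi-driver-sa"
        }
      }
    }
  ]
}
EOF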
# Substitute the ACCOUNT_ID and OIDC placeholders in place with the values
# exported in the ENV step. '|' is used as the sed delimiter because the OIDC
# issuer contains '/'. Both expressions run in a single pass over the file.
sed -i \
  -e "s|ACCOUNT_ID|$ACCOUNT|g" \
  -e "s|OIDC|$CLUSTER_OIDC|g" \
  aws-s3-csi-driver-trust-policy.json
Create Role
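# Create the role with the trust policy written and patched above. Reference it
# by the same relative path the sed step edited; the absolute
# /home/ec2-user/... path only works when the shell happens to be in that
# directory and would otherwise pick up a stale or missing file.
aws iam create-role \
  --role-name AmazonEKS_S3_CSI_DriverRole \
  --assume-role-policy-document file://aws-s3-csi-driver-trust-policy.json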
Role Attach Policy
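# Attach the policy created above. The ARN is built from $ACCOUNT rather than a
# literal account ID so the command works in whichever account the reader is
# in (and the page does not publish a real account number).
aws iam attach-role-policy \
  --role-name AmazonEKS_S3_CSI_DriverRole \
  --policy-arn "arn:aws:iam::${ACCOUNT}:policy/AmazonS3CSIDriverPolicy"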
Create Addon
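# Install the managed add-on and bind its service account to the IRSA role
# created above. --force resolves conflicts by overwriting an existing add-on's
# configuration (including its role binding) instead of failing; omit it when
# you would rather have an unexpected existing install stop the command.
eksctl create addon \
  --name aws-mountpoint-s3-csi-driver \
  --cluster "$CLUSTER_NAME" \
  --service-account-role-arn "arn:aws:iam::${ACCOUNT}:role/AmazonEKS_S3_CSI_DriverRole" \
  --force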
Delete Addon
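# Remove the add-on registration from the cluster. --preserve leaves the
# driver's Kubernetes resources in place (so existing mounts keep working);
# drop it to have eksctl delete those resources as well. The IAM role and
# policy created above are not touched by this command.
eksctl delete addon \
  --cluster "$CLUSTER_NAME" \
  --name aws-mountpoint-s3-csi-driver \
  --preserve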
Deploy — save the manifest below as static_provisioning.yaml (the file applied in the next step)
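# Static PersistentVolume backed by <BUCKET_NAME> via the Mountpoint CSI driver.
# Indentation is restored here; as pasted the manifest was flat and not valid YAML.
# Note that "prefix skills/" limits what pods SEE, but the IAM policy above still
# grants the whole bucket; add an s3:prefix condition to that policy if this
# prefix is the only part of the bucket the workload should reach.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: s3-pv
spec:
  capacity:
    storage: 1200Gi # Ignored by the driver, but the field is required
  accessModes:
    - ReadWriteMany # Supported options: ReadWriteMany / ReadOnlyMany
  storageClassName: "" # Required for static provisioning
  claimRef: # Ensures no other PVC can claim this PV
    namespace: default # Required even for the "default" namespace
    name: s3-pvc # Name of your PVC
  mountOptions:
    - allow-delete # Lets pods delete objects (pairs with s3:DeleteObject in the policy); remove for append-only use
    - region ap-northeast-2 # Must match the bucket's region
    - prefix skills/ # Only keys under this prefix are exposed as the volume root
  csi:
    driver: s3.csi.aws.com # Required
    volumeHandle: s3-csi-driver-volume
    volumeAttributes:
      bucketName: <BUCKET_NAME> # Bucket created in the "Create S3 Bucket" step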
---
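# Claim bound explicitly to s3-pv (volumeName) — together with the PV's claimRef
# this makes the binding one-to-one. Indentation restored; the pasted manifest
# was flat and not valid YAML.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: s3-pvc
spec:
  accessModes:
    - ReadWriteMany # Supported options: ReadWriteMany / ReadOnlyMany
  storageClassName: "" # Required for static provisioning
  resources:
    requests:
      storage: 1200Gi # Ignored by the driver, but the field is required
  volumeName: s3-pv # Name of your PV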
---
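# Demo pod that writes one file into the mounted bucket and then idles.
# Indentation restored; the pasted manifest was flat and not valid YAML.
# Two things to be aware of before reusing this beyond a demo:
#   - "image: centos" is unpinned (resolves to the :latest tag); pin a tag or
#     digest for a reproducible, reviewable image.
#   - No securityContext is set, so the container runs as the image's default
#     (root) user. If you add runAsNonRoot, check whether the volume is still
#     writable — Mountpoint has uid/gid/allow-other mount options for that case;
#     confirm against the driver docs.
apiVersion: v1
kind: Pod
metadata:
  name: s3-app
spec:
  containers:
    - name: app
      image: centos
      command: ["/bin/sh"]
      args:
        - "-c"
        # $(date -u) is expanded by the container's shell, not by Kubernetes;
        # the resulting file name contains spaces.
        - "echo 'Hello from the container!' >> /data/$(date -u).txt; tail -f /dev/null"
      volumeMounts:
        - name: persistent-storage
          mountPath: /data
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: s3-pvc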
# Apply the PV, PVC and Pod manifest from the Deploy section, saved as
# static_provisioning.yaml in the current directory.
kubectl apply --filename static_provisioning.yaml
Test
# The pod should reach Running once the CSI driver has mounted the bucket;
# a pod stuck in ContainerCreating usually points at the IAM/trust setup above.
kubectl get pods s3-app
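# The pod writes under the PV's "prefix skills/", so list that prefix; a bare
# bucket listing only shows "PRE skills/", not the file the pod created.
aws s3 ls "s3://<BUCKET_NAME>/skills/"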