From 022aa97dd39c0a0340c38b83bf7512ccb99bd525 Mon Sep 17 00:00:00 2001
From: Jesper Almstrom
Date: Thu, 24 Oct 2024 00:00:18 +0200
Subject: [PATCH 1/4] Add S3 CSI driver IAM policy as addon

This commit adds a new file `iam-policy.ts` that contains the IAM policy statements for the S3 CSI driver. It also adds a new file `index.ts` that implements the S3 CSI driver addon. The addon creates a service account, attaches the IAM policy to the service account's role, and deploys the addon to the cluster. The commit also includes some helper functions and default options for the addon.
---
 lib/addons/s3-csi-driver/iam-policy.ts | 24 ++++++++
 lib/addons/s3-csi-driver/index.ts | 84 ++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 lib/addons/s3-csi-driver/iam-policy.ts
 create mode 100644 lib/addons/s3-csi-driver/index.ts

diff --git a/lib/addons/s3-csi-driver/iam-policy.ts b/lib/addons/s3-csi-driver/iam-policy.ts
new file mode 100644
index 000000000..380d3705f
--- /dev/null
+++ b/lib/addons/s3-csi-driver/iam-policy.ts
@@ -0,0 +1,24 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+export function getS3DriverPolicyStatements(s3BucketArn: string): iam.PolicyStatement[] {
+ // new IAM policy to grand access to S3 bucket
+ // https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
+ return [
+ new iam.PolicyStatement({
+ sid: 'S3MountpointFullBucketAccess',
+ actions: [
+ "s3:ListBucket"
+ ],
+ resources: [s3BucketArn]
+ }),
+ new iam.PolicyStatement({
+ sid: 'S3MountpointFullObjectAccess',
+ actions: [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject"
+ ],
+ resources: [`${s3BucketArn}/*`]
+ })];
+}
\ No newline at end of file
diff --git a/lib/addons/s3-csi-driver/index.ts b/lib/addons/s3-csi-driver/index.ts
new file mode 100644
index 000000000..16cb787a9
--- /dev/null
+++ b/lib/addons/s3-csi-driver/index.ts
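Review bot: The object statement grants `s3:PutObject`, `s3:DeleteObject` and `s3:AbortMultipartUpload` on every object in the bucket and offers no way to request read-only access, so a volume that only ever reads data still runs with delete rights over the whole bucket. An optional second parameter that defaults to today's behaviour keeps existing callers working: `export function getS3DriverPolicyStatements(s3BucketArn: string, readOnly = false)` with `actions: readOnly ? ["s3:GetObject"] : ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload", "s3:DeleteObject"]`. The function also accepts an empty ARN and then emits `resources: ['']` and `['/*']`, which only surfaces as a deploy-time failure; a guard `if (!s3BucketArn) throw new Error('s3BucketArn must not be empty');` at the top of the function would fail at synth time instead. Minor: the comment `// new IAM policy to grand access to S3 bucket` should read "grant".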
@@ -0,0 +1,84 @@
+import { Construct } from "constructs";
+import { ClusterInfo } from "../../spi";
+import { HelmAddOn, HelmAddOnUserProps } from "../helm-addon";
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { createNamespace, setPath, supportsALL } from "../../utils";
+import { getS3DriverPolicyStatements } from "./iam-policy";
+
+const S3_CSI_DRIVER_SA = 's3-csi-driver-sa';
+const S3_CSI_DRIVER = 's3-csi-driver';
+const S3_CSI_DRIVER_RELEASE = 's3-csi-driver-release';
+const S3_DRIVER_POLICY = 's3-csi-driver-policy';
+
+/**
+ * Configuration options for the add-on.
+ */
+export interface S3CSIDriverAddOnProps extends HelmAddOnUserProps {
+ /**
+ * ARN of the S3 bucket to be used by the driver
+ */
+ s3BucketArn: string;
+ /**
+ * Create Namespace with the provided one (will not if namespace is kube-system)
+ */
+ createNamespace?: boolean
+}
+
+/**
+ * Defaults options for the add-on
+ */
+const defaultProps: HelmAddOnUserProps & S3CSIDriverAddOnProps = {
+ chart: S3_CSI_DRIVER,
+ name: S3_CSI_DRIVER,
+ namespace: 'kube-system',
+ release: S3_CSI_DRIVER_RELEASE,
+ version: 'v1.9.0',
+ repository: 'https://github.com/awslabs/mountpoint-s3-csi-driver',
+ s3BucketArn: ''
+};
+
+@supportsALL
+export class S3CSIDriverAddOn extends HelmAddOn {
+
+ readonly options: S3CSIDriverAddOnProps;
+
+ constructor(props: S3CSIDriverAddOnProps) {
+ super({ ...defaultProps as any, ...props });
+ this.options = this.props as S3CSIDriverAddOnProps;
+ }
+
+ deploy(clusterInfo: ClusterInfo): Promise {
+ // Create service account and policy
+ const cluster = clusterInfo.cluster;
+ const serviceAccount = cluster.addServiceAccount(S3_CSI_DRIVER_SA, {
+ name: S3_CSI_DRIVER_SA,
+ namespace: this.options.namespace,
+ });
+
+ const s3BucketPolicy = new iam.Policy(cluster, S3_DRIVER_POLICY, {
+ statements:
+ getS3DriverPolicyStatements(this.options.s3BucketArn)
+ });
+ serviceAccount.role.attachInlinePolicy(s3BucketPolicy);
+
+ // Create namespace
+ if (this.options.createNamespace) {
+ const ns = createNamespace(this.options.namespace!, cluster, true);
+ serviceAccount.node.addDependency(ns);
+ }
+
+ // setup value for helm chart
+ const chartValues = populateValues(this.options);
+
+ const s3CsiDriverChart = this.addHelmChart(clusterInfo, chartValues, true, true);
+ s3CsiDriverChart.node.addDependency(serviceAccount);
+ return Promise.resolve(s3CsiDriverChart);
+ }
+}
+
+function populateValues(helmOptions: S3CSIDriverAddOnProps): any {
+ const values = helmOptions.values ?? {};
+ setPath(values, 'node.serviceAccount.create', false);
+ setPath(values, 'node.tolerateAllTaints', true);
+ return values;
+}
\ No newline at end of file
From 2b90ab1bcfe06512c155813bfc7fbaa1285efb99 Mon Sep 17 00:00:00 2001
From: Jesper Almstrom
Date: Sun, 27 Oct 2024 00:02:31 +0200
Subject: [PATCH 2/4] Add S3 CSI driver addon documentation and IAM policy

Refactor bucket arn to use name instead.
---
 docs/addons/s3-csi-driver.md | 71 ++++++++++++++++++++++++++
 lib/addons/s3-csi-driver/iam-policy.ts | 3 +-
 lib/addons/s3-csi-driver/index.ts | 7 +-
 mkdocs.yml | 1 +
 4 files changed, 78 insertions(+), 4 deletions(-)
 create mode 100644 docs/addons/s3-csi-driver.md

diff --git a/docs/addons/s3-csi-driver.md b/docs/addons/s3-csi-driver.md
new file mode 100644
index 000000000..3d91a9f74
--- /dev/null
+++ b/docs/addons/s3-csi-driver.md
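Review bot: The namespace branch does not do what its own doc comment promises ("will not if namespace is kube-system"): with the default `namespace: 'kube-system'` and `createNamespace: true`, `createNamespace(this.options.namespace!, cluster, true)` is called unconditionally and will try to create a namespace that already exists, unless the `createNamespace` util itself skips it, which this hunk does not show. Either drop that claim from the comment or make the condition `if (this.options.createNamespace && this.options.namespace !== 'kube-system') {`. Separately, `s3BucketArn: ''` in `defaultProps` means an empty string type-checks and `getS3DriverPolicyStatements('')` then yields a policy with `resources: ['']` that only fails at deploy time; a constructor check `if (!this.options.s3BucketArn) throw new Error('s3BucketArn is required');` would surface it at synth time. Finally, the policy is attached to the single `s3-csi-driver-sa` role that the chart is told to reuse (`node.serviceAccount.create` is set to false), so as far as this hunk shows every workload that mounts through the driver shares the same bucket permissions; that deserves a line in the class doc comment so users do not assume per-pod scoping.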
@@ -0,0 +1,71 @@
+# S3 CSI Driver Addon
+
+The S3 CSI Driver Addon integrates Amazon S3 with your Kubernetes cluster, allowing you to use S3 buckets as persistent storage for your applications.
+
+## Prerequisites
+
+- The S3 bucket must be created in AWS separately as the driver uses the S3 bucket for storage, but it does not create it.
+- The S3 bucket must have a bucket policy that allows the EKS cluster to access the bucket.
+
+## Usage
+
+```typescript
+import { S3CsiDriverAddon } from '@aws-quickstart/eks-blueprints';
+
+const addOns = [
+ new S3CsiDriverAddon({
+ s3BucketName: 'my-s3-bucket',
+ }),
+ // other addons
+];
+
+const blueprint = EksBlueprint.builder()
+ .addOns(...addOns)
+ .build(app, 'my-stack');
+```
+
+## Configuration
+
+You can customize the S3 CSI Driver Addon by passing configuration options:
+
+```typescript
+new S3CsiDriverAddon({
+ s3BucketName: 'my-s3-bucket',
+});
+```
+
+## Use in EKS Cluster
+
+Once installed, you can create PersistentVolume and PersistentVolumeClaim resources that use the S3 CSI Driver:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: s3-pv
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ csi:
+ driver: s3.csi.aws.com
+ volumeHandle: my-s3-bucket
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: s3-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ volumeName: s3-pv
+```
+
+## References
+
+- [Amazon S3 CSI Driver Documentation](https://github.com/kubernetes-sigs/aws-s3-csi-driver)
+- [Amazon EKS S3 CSI Driver Documentation](https://docs.aws.amazon.com/eks/latest/userguide/s3-csi.html)
diff --git a/lib/addons/s3-csi-driver/iam-policy.ts b/lib/addons/s3-csi-driver/iam-policy.ts
index 380d3705f..0fe292aff 100644
--- a/lib/addons/s3-csi-driver/iam-policy.ts
+++ b/lib/addons/s3-csi-driver/iam-policy.ts
@@ -1,8 +1,9 @@
 import * as iam from 'aws-cdk-lib/aws-iam';
 
-export function getS3DriverPolicyStatements(s3BucketArn: string): iam.PolicyStatement[] {
+export function getS3DriverPolicyStatements(s3BucketName: string): iam.PolicyStatement[] {
 // new IAM policy to grand access to S3 bucket
 // https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
+ const s3BucketArn = `arn:aws:s3:::${s3BucketName}`;
 return [
 new iam.PolicyStatement({
 sid: 'S3MountpointFullBucketAccess',
diff --git a/lib/addons/s3-csi-driver/index.ts b/lib/addons/s3-csi-driver/index.ts
index 16cb787a9..5e7da94e6 100644
--- a/lib/addons/s3-csi-driver/index.ts
+++ b/lib/addons/s3-csi-driver/index.ts
@@ -17,7 +17,7 @@ export interface S3CSIDriverAddOnProps extends HelmAddOnUserProps {
 /**
 * ARN of the S3 bucket to be used by the driver
 */
- s3BucketArn: string;
+ s3BucketName: string;
 /**
 * Create Namespace with the provided one (will not if namespace is kube-system)
 */
@@ -34,7 +34,8 @@ const defaultProps: HelmAddOnUserProps & S3CSIDriverAddOnProps = {
 release: S3_CSI_DRIVER_RELEASE,
 version: 'v1.9.0',
 repository: 'https://github.com/awslabs/mountpoint-s3-csi-driver',
- s3BucketArn: ''
+ createNamespace: false,
+ s3BucketName: ''
 };
 @supportsALL
@@ -57,7 +58,7 @@ export class S3CSIDriverAddOn extends HelmAddOn {
 const s3BucketPolicy = new iam.Policy(cluster, S3_DRIVER_POLICY, {
 statements:
- getS3DriverPolicyStatements(this.options.s3BucketArn)
+ getS3DriverPolicyStatements(this.options.s3BucketName)
 });
 serviceAccount.role.attachInlinePolicy(s3BucketPolicy);
diff --git a/mkdocs.yml b/mkdocs.yml
index 6e35fba34..8d6acb6ed 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
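Review bot: The new `` const s3BucketArn = `arn:aws:s3:::${s3BucketName}`; `` hardcodes the `aws` partition, so in the GovCloud and China partitions (`aws-us-gov`, `aws-cn`) the policy names a bucket ARN that does not exist there and the driver's role silently ends up with no access. Use the CDK pseudo-parameter instead: `` const s3BucketArn = `arn:${Aws.PARTITION}:s3:::${s3BucketName}`; `` with `import { Aws } from 'aws-cdk-lib';`. An empty name is still not rejected and now produces `arn:aws:s3:::` and `arn:aws:s3:::/*`; a guard `if (!s3BucketName) throw new Error('s3BucketName must not be empty');` before building the ARN would fail at synth time rather than at deploy. The rest of the function body is outside this hunk.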
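Review bot: The property is renamed to `s3BucketName` but the context line directly above it still reads `* ARN of the S3 bucket to be used by the driver`, so the published API doc now tells users to pass an ARN, which the new helper would turn into `arn:aws:s3:::arn:aws:s3:::bucket`; change it to `* Name of the S3 bucket (not its ARN) to be used by the driver`. The usage shown in `docs/addons/s3-csi-driver.md` in this same commit imports `S3CsiDriverAddon`, which does not match the exported class name `S3CSIDriverAddOn` in this file, so the documented example does not compile as written. The `S3CSIDriverAddOnProps` interface, the `defaultProps` literal and the `deploy` body each start or end outside these hunks.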
@@ -83,6 +83,7 @@ nav:
 - Pixie: 'addons/pixie.md'
 - Prometheus Node Exporter: 'addons/prometheus-node-exporter.md'
 - Rafay: 'addons/rafay.md'
+ - S3 CSI Driver: 'addons/s3-csi-driver.md'
 - Secrets Store: 'addons/secrets-store.md'
 - Snyk: 'https://github.com/snyk-partners/snyk-monitor-eks-blueprints-addon'
 - SSM Agent: 'addons/ssm-agent.md'
From 70bfd77823687f5d59060ff1b9cfbfde4be9e51e Mon Sep 17 00:00:00 2001
From: Jesper Almstrom
Date: Mon, 28 Oct 2024 11:44:42 +0100
Subject: [PATCH 3/4] Add S3 CSI driver to addons export

---
 lib/addons/index.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/addons/index.ts b/lib/addons/index.ts
index 33f597637..452fbc2c7 100644
--- a/lib/addons/index.ts
+++ b/lib/addons/index.ts
@@ -57,6 +57,7 @@ export * from './neuron';
 export * from './nginx';
 export * from './opa-gatekeeper';
 export * from './prometheus-node-exporter';
+export * from './s3-csi-driver';
 export * from './secrets-store';
 export * from './secrets-store/csi-driver-provider-aws-secrets';
 export * from './secrets-store/secret-provider';
From 45466554165f4731d9a87f251b9dfc093042e652 Mon Sep 17 00:00:00 2001
From: Jesper Almstrom
Date: Tue, 29 Oct 2024 10:38:42 +0100
Subject: [PATCH 4/4] Update S3 CSI driver documentation link

---
 docs/addons/s3-csi-driver.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/addons/s3-csi-driver.md b/docs/addons/s3-csi-driver.md
index 3d91a9f74..da4bdfe77 100644
--- a/docs/addons/s3-csi-driver.md
+++ b/docs/addons/s3-csi-driver.md
@@ -67,5 +67,5 @@ spec:
 ## References
-- [Amazon S3 CSI Driver Documentation](https://github.com/kubernetes-sigs/aws-s3-csi-driver)
+- [Amazon S3 CSI Driver Source](https://github.com/awslabs/mountpoint-s3-csi-driver)
 - [Amazon EKS S3 CSI Driver Documentation](https://docs.aws.amazon.com/eks/latest/userguide/s3-csi.html)