diff --git a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
index a5b1102b4c..d819f54937 100644
--- a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
+++ b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
@@ -15,4 +15,7 @@ metadata:
 #annotations:
 # eks.amazonaws.com/role-arn: arn::iam:::role/ebs-csi-role
 {{- end }}
+{{- if .Values.controller.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 {{- end -}}
diff --git a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
index fb85abedfe..9f3c7c7e10 100644
--- a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
+++ b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
@@ -10,4 +10,7 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+{{- if .Values.node.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.node.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 {{- end -}}
diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
index 51c13bc493..685fe03462 100644
--- a/charts/aws-ebs-csi-driver/values.yaml
+++ b/charts/aws-ebs-csi-driver/values.yaml
@@ -227,6 +227,7 @@ controller:
 create: true
 name: ebs-csi-controller-sa
 annotations: {}
+ automountServiceAccountToken: true
 tolerations:
 - key: CriticalAddonsOnly
 operator: Exists
@@ -300,6 +301,7 @@ node:
 create: true
 name: ebs-csi-node-sa
 annotations: {}
+ automountServiceAccountToken: true
 enableWindows: false
 # The "maximum number of attachable volumes" per node
 volumeAttachLimit:
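Review bot: The `{{- if .Values.controller.serviceAccount.automountServiceAccountToken }}` guard makes the opt-out unexpressible: setting the value to `false` drops the field from the rendered ServiceAccount entirely, and Kubernetes then applies its own default of `true`, so the least-privilege setting silently has no effect. Because values.yaml ships a default for this key, the line can be rendered unconditionally, `automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}`; if the key must be allowed to be absent, test presence rather than truthiness, `{{- if hasKey .Values.controller.serviceAccount "automountServiceAccountToken" }}`. Note too that a Pod-level `automountServiceAccountToken` takes precedence over the ServiceAccount-level field, and the controller Deployment template is not in this diff, so I cannot confirm this value actually governs what gets mounted.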
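Review bot: The node ServiceAccount has the same truthiness guard, `{{- if .Values.node.serviceAccount.automountServiceAccountToken }}`, so `node.serviceAccount.automountServiceAccountToken: false` renders nothing and the cluster default of `true` wins; for a DaemonSet that lands a token on every node this is the case where the opt-out matters most. Render the field unconditionally (values.yaml provides a default) or guard with `{{- if hasKey .Values.node.serviceAccount "automountServiceAccountToken" }}` so an explicit `false` reaches the manifest. The DaemonSet pod spec, which overrides the SA-level field if it sets its own value, is outside this diff.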
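Review bot: The two new `automountServiceAccountToken: true` keys are undocumented, and the docs hunk in this same commit refers to the key as `controller.serviceAccount.autoMountServiceAccountToken` (capital M); Helm value lookups are case-sensitive, so a user following the docs sets a key the templates never read. Align the docs to the values key and add a comment above each new key, e.g. `# Mount this ServiceAccount's API token into pods that use it (Kubernetes default: true); set false when the pod needs no API access.` I would also double-check the stated motivation before documenting it: as I understand the 1.24 `LegacyServiceAccountTokenNoAutoGeneration` gate, it stops automatic creation of token Secrets, not the projected token mount this field controls, so "you need to set true" may not be accurate.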
diff --git a/deploy/kubernetes/base/serviceaccount-csi-controller.yaml b/deploy/kubernetes/base/serviceaccount-csi-controller.yaml
index d0c6ff1922..1768ff890f 100644
--- a/deploy/kubernetes/base/serviceaccount-csi-controller.yaml
+++ b/deploy/kubernetes/base/serviceaccount-csi-controller.yaml
@@ -9,3 +9,4 @@ metadata:
 #Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
 #annotations:
 # eks.amazonaws.com/role-arn: arn::iam:::role/ebs-csi-role
+automountServiceAccountToken: true
diff --git a/deploy/kubernetes/base/serviceaccount-csi-node.yaml b/deploy/kubernetes/base/serviceaccount-csi-node.yaml
index bddaf9daa8..cd16a245f4 100644
--- a/deploy/kubernetes/base/serviceaccount-csi-node.yaml
+++ b/deploy/kubernetes/base/serviceaccount-csi-node.yaml
@@ -6,3 +6,4 @@ metadata:
 name: ebs-csi-node-sa
 labels:
 app.kubernetes.io/name: aws-ebs-csi-driver
+automountServiceAccountToken: true
diff --git a/docs/install.md b/docs/install.md
index 87616d8381..75d0fcfb72 100644
--- a/docs/install.md
+++ b/docs/install.md
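Review bot: `automountServiceAccountToken: true` restates the Kubernetes default for a ServiceAccount, so this added line changes nothing at runtime; if it is meant to record intent, say so in a comment, e.g. `# Explicit: the controller relies on the mounted SA token (this is already the Kubernetes default).` If the motivation is the 1.24 `LegacyServiceAccountTokenNoAutoGeneration` gate cited in the docs hunk, my understanding is that the gate only stops token Secrets from being auto-created and does not affect the projected token mount this field controls, so the line would not address that either. A Pod-level `automountServiceAccountToken` overrides the SA-level field, and the Deployment/DaemonSet manifests are not part of this diff.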
@@ -29,7 +29,8 @@ For more information, review ["Creating the Amazon EBS CSI driver IAM role for s
 There are several methods to grant the driver IAM permissions:
 * Using IAM [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) - attach the policy to the instance profile IAM role and turn on access to [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for the instance(s) on which the driver Deployment will run
-* EKS only: Using [IAM roles for ServiceAccounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value `controller.serviceAccount.name`, `ebs-csi-controller-sa` by default
+* EKS only: Using [IAM roles for ServiceAccounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value `controller.serviceAccount.name`, `ebs-csi-controller-sa` by default. If you are using k8s 1.24 or higher, the ServiceAccountToken is not mounted because the `LegacyServiceAccountTokenNoAutoGeneration` feature gate is enabled.
+Therefore, if you are using k8s 1.24 or higher, you need to set `true` to `controller.serviceAccount.autoMountServiceAccountToken`.
 * Using secret object - create an IAM user, attach the policy to it, then create a generic secret called `aws-secret` in the `kube-system` namespace with the user's credentials
 ```sh
 kubectl create secret generic aws-secret \