Cherry pick for v2.0.5

charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml

@@ -21,7 +21,7 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "delete"]
+    verbs: ["get", "list", "watch", "create", "patch", "delete"]
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["get", "list", "watch", "update"]

charts/aws-efs-csi-driver/values.yaml

@@ -18,7 +18,7 @@ sidecars:
   livenessProbe:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-      tag: v2.12.0-eks-1-29-7
+      tag: v2.13.0-eks-1-30-8
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:
@@ -27,7 +27,7 @@ sidecars:
   nodeDriverRegistrar:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-      tag: v2.10.0-eks-1-29-7
+      tag: v2.11.0-eks-1-30-8
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:
@@ -36,7 +36,7 @@ sidecars:
   csiProvisioner:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-      tag: v4.0.0-eks-1-29-7
+      tag: v5.0.1-eks-1-30-8
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:

deploy/kubernetes/base/controller-deployment.yaml

@@ -67,7 +67,7 @@ spec:
             periodSeconds: 10
             failureThreshold: 5
         - name: csi-provisioner
-          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v4.0.0-eks-1-29-7
+          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.0.1-eks-1-30-8
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=$(ADDRESS)
@@ -85,7 +85,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.12.0-eks-1-29-7
+          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=/csi/csi.sock

deploy/kubernetes/base/controller-serviceaccount.yaml

@@ -17,7 +17,7 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "delete"]
+    verbs: ["get", "list", "watch", "create", "patch", "delete"]
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["get", "list", "watch", "update"]

deploy/kubernetes/base/node-daemonset.yaml

@@ -89,7 +89,7 @@ spec:
             periodSeconds: 2
             failureThreshold: 5
         - name: csi-driver-registrar
-          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.10.0-eks-1-29-7
+          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.11.0-eks-1-30-8
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=$(ADDRESS)
@@ -113,7 +113,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.12.0-eks-1-29-7
+          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=/csi/csi.sock

deploy/kubernetes/overlays/stable/ecr/kustomization.yaml

@@ -8,10 +8,10 @@ images:
     newTag: v2.0.4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/livenessprobe
-    newTag: v2.12.0-eks-1-29-7
+    newTag: v2.13.0-eks-1-30-8
   - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-node-driver-registrar
-    newTag: v2.10.0-eks-1-29-7
+    newTag: v2.11.0-eks-1-30-8
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-provisioner
-    newTag: v4.0.0-eks-1-29-7
+    newTag: v5.0.1-eks-1-30-8

deploy/kubernetes/overlays/stable/kustomization.yaml

@@ -6,8 +6,8 @@ images:
   - name: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
     newTag: v2.0.4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-    newTag: v2.12.0-eks-1-29-7
+    newTag: v2.13.0-eks-1-30-8
   - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-    newTag: v2.10.0-eks-1-29-7
+    newTag: v2.11.0-eks-1-30-8
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-    newTag: v4.0.0-eks-1-29-7
+    newTag: v5.0.1-eks-1-30-8

docs/README.md

@@ -184,7 +184,8 @@ A Pod running on AWS Fargate automatically mounts an Amazon EFS file system, wit
 
 #### Set up driver permission
 The driver requires IAM permission to talk to Amazon EFS to manage the volume on user's behalf. There are several methods to grant driver IAM permission:
-* Using IAM role for service account (recommended if you're using Amazon EKS) – Create an [IAM Role for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) with the required permissions in [iam-policy-example.json](./iam-policy-example.json). Uncomment annotations and put the IAM role ARN in the [service-account manifest](../deploy/kubernetes/base/controller-serviceaccount.yaml). For example steps, see [Create an IAM policy and role for Amazon EKS](./iam-policy-create.md).
+* Using the EKS Pod Identity Add-on - [Install the EKS Pod Identity add-on to your EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html). This doesn't need the efs-csi-driver to be installed through EKS add-on, it can be used no matter the method of installation of the efs-csi-driver. If this installation method is used, the ```AmazonEFSCSIDriverPolicy``` policy has to be added to the cluster's node group's IAM role. 
+* Using IAM role for service account – Create an [IAM Role for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) with the required permissions in [iam-policy-example.json](./iam-policy-example.json). Uncomment annotations and put the IAM role ARN in the [service-account manifest](../deploy/kubernetes/base/controller-serviceaccount.yaml). For example steps, see [Create an IAM policy and role for Amazon EKS](./iam-policy-create.md).
 * Using IAM [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) – Grant all the worker nodes with [required permissions](./iam-policy-example.json) by attaching the policy to the instance profile of the worker.
 
 ------

examples/kubernetes/static_provisioning/README.md

@@ -33,6 +33,26 @@ Create PV and persistent volume claim (PVC):
 >> kubectl apply -f examples/kubernetes/static_provisioning/specs/storageclass.yaml
 >> kubectl apply -f examples/kubernetes/static_provisioning/specs/pv.yaml
 >> kubectl apply -f examples/kubernetes/static_provisioning/specs/claim.yaml
+```
+
+List the persistent volumes in the default namespace. Look for a persistent volume with the default/efs-claim claim.
+
+```sh
+kubectl get pv -w
+```
+
+The example output is as follows.
+
+```
+$ kubectl get pv -w
+NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM               STORAGECLASS   REASON   AGE
+efs-pv   5Gi        RWO            Retain           Bound    default/efs-claim                           3m31s
+```
+
+Don't proceed to the next step until the `STATUS` is `Bound`.
+
+Deploy the `app` sample applications
+```
 >> kubectl apply -f examples/kubernetes/static_provisioning/specs/pod.yaml
 ```
 

go.mod

@@ -1,7 +1,7 @@
 module github.com/kubernetes-sigs/aws-efs-csi-driver
 
 require (
-	github.com/aws/aws-sdk-go v1.44.116
+	github.com/aws/aws-sdk-go v1.50.3
 	github.com/container-storage-interface/spec v1.7.0
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.1
@@ -11,13 +11,13 @@ require (
 	github.com/onsi/gomega v1.27.1
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 	google.golang.org/grpc v1.59.0
-	k8s.io/api v0.26.10
-	k8s.io/apimachinery v0.26.10
-	k8s.io/client-go v0.26.10
+	k8s.io/api v0.26.11
+	k8s.io/apimachinery v0.26.11
+	k8s.io/client-go v0.26.11
 	k8s.io/klog/v2 v2.80.1
-	k8s.io/kubernetes v1.26.10
-	k8s.io/mount-utils v0.26.10
-	k8s.io/pod-security-admission v0.26.10
+	k8s.io/kubernetes v1.26.11
+	k8s.io/mount-utils v0.26.11
+	k8s.io/pod-security-admission v0.26.11
 )
 
 require (
@@ -79,7 +79,7 @@ require (
 	golang.org/x/sys v0.20.0 // indirect
 	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
-	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231030173426-d783a09b4405 // indirect
@@ -88,14 +88,14 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.10 // indirect
-	k8s.io/apiserver v0.26.10 // indirect
-	k8s.io/cloud-provider v0.26.10 // indirect
-	k8s.io/component-base v0.26.10 // indirect
-	k8s.io/component-helpers v0.26.10 // indirect
-	k8s.io/csi-translation-lib v0.26.10 // indirect
+	k8s.io/apiextensions-apiserver v0.26.11 // indirect
+	k8s.io/apiserver v0.26.11 // indirect
+	k8s.io/cloud-provider v0.26.11 // indirect
+	k8s.io/component-base v0.26.11 // indirect
+	k8s.io/component-helpers v0.26.11 // indirect
+	k8s.io/csi-translation-lib v0.26.11 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/kubectl v0.26.10 // indirect
+	k8s.io/kubectl v0.26.11 // indirect
 	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
@@ -104,35 +104,35 @@ require (
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.26.10
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.26.10
-	k8s.io/apimachinery => k8s.io/apimachinery v0.26.10
-	k8s.io/apiserver => k8s.io/apiserver v0.26.10
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.26.10
-	k8s.io/client-go => k8s.io/client-go v0.26.10
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.26.10
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.26.10
-	k8s.io/code-generator => k8s.io/code-generator v0.26.10
-	k8s.io/component-base => k8s.io/component-base v0.26.10
-	k8s.io/component-helpers => k8s.io/component-helpers v0.26.10
-	k8s.io/controller-manager => k8s.io/controller-manager v0.26.10
-	k8s.io/cri-api => k8s.io/cri-api v0.26.10
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.10
-	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.26.10
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.10
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.10
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.10
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.26.10
-	k8s.io/kubectl => k8s.io/kubectl v0.26.10
-	k8s.io/kubelet => k8s.io/kubelet v0.26.10
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.26.10
-	k8s.io/metrics => k8s.io/metrics v0.26.10
-	k8s.io/mount-utils => k8s.io/mount-utils v0.26.10
-	k8s.io/node-api => k8s.io/node-api v0.26.10
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.26.10
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.26.10
-	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.26.10
-	k8s.io/sample-controller => k8s.io/sample-controller v0.26.10
+	k8s.io/api => k8s.io/api v0.26.11
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.26.11
+	k8s.io/apimachinery => k8s.io/apimachinery v0.26.11
+	k8s.io/apiserver => k8s.io/apiserver v0.26.11
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.26.11
+	k8s.io/client-go => k8s.io/client-go v0.26.11
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.26.11
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.26.11
+	k8s.io/code-generator => k8s.io/code-generator v0.26.11
+	k8s.io/component-base => k8s.io/component-base v0.26.11
+	k8s.io/component-helpers => k8s.io/component-helpers v0.26.11
+	k8s.io/controller-manager => k8s.io/controller-manager v0.26.11
+	k8s.io/cri-api => k8s.io/cri-api v0.26.11
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.11
+	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.26.11
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.11
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.11
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.11
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.26.11
+	k8s.io/kubectl => k8s.io/kubectl v0.26.11
+	k8s.io/kubelet => k8s.io/kubelet v0.26.11
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.26.11
+	k8s.io/metrics => k8s.io/metrics v0.26.11
+	k8s.io/mount-utils => k8s.io/mount-utils v0.26.11
+	k8s.io/node-api => k8s.io/node-api v0.26.11
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.26.11
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.26.11
+	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.26.11
+	k8s.io/sample-controller => k8s.io/sample-controller v0.26.11
 	vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787
 )