Fix AWS EBS CSI Driver.

[rafal-jan]

• Fix csi-snapshotter timeout option.
• Fix ebs-external-attacher-role ClusterRole.

What type of PR is this?

/kind bug

What this PR does / why we need it:
See #6770

Which issue(s) this PR fixes:

Fixes #6770

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Welcome @rafal-jan!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @rafal-jan. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[floryut]

@rafal-jan Thank you for the PR, could you please sign CLA ?

[rafal-jan]

@rafal-jan Thank you for the PR, could you please sign CLA ?

Done

[oomichi]

/cc @oomichi

[oomichi]

Where did this change come from?
I cannot find the reason on both this PR message and the corresponding issue.
In addition, the same name of ClusterRole of https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml is the same as the original one, and different from this PR.

[rafal-jan]

The reason for this change is in #6770 (comment). The version of csi-attacher was bumped from v1.2.1 to v2.2.0 in Kubespray 2.14.0 for CSI drivers that do not use additional variable for the csi-attacher image tag (that is why someone else had problems with Cinder CSI and fixed them in #6358). The new version of csi-attacher requires different permissions to function properly. Without this change the volumes could not be attached to pods and the csi-attacher container had lots of errors in logs related to permissions.

Also, the file linked by you is for v1.2.0 of csi-attacher (https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/aws-ebs-csi-driver/values.yaml#L18) and that is why it is the same as the original one.

[oomichi]

Thanks for your explanation, I got it.
How about putting comment like # This ClusterRole comes external-attacher-runner of kubernetes-csi/external-attacher or something?
It can solve questions like mine and avoid reverting this change.

[rafal-jan]

I guess that I would prefer adding some kind of test for it but my knowledge about kubespray's CI is very limited so let's go with the comment. How about:

# The permissions in this ClusterRole are tightly coupled with the version of csi-attacher used. More information about this can be found in kubernetes-csi/external-attacher.

?

[oomichi]

Thanks for your suggestion, that looks good for me :-)

[rafal-jan]

Done ;)

[floryut]

/approve
/ok-to-test

[oomichi]

Thanks for updating.

/lgtm

[LuckySB]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, LuckySB, rafal-jan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [LuckySB,floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment