AccessDenied when creating ebs-csi-driver

2

Hi, I'm having a problem installing ebs-csi-driver for AWS EKS. I used an account with AdministratorAccess to install it via the AWS console but got the error "namespaces "kube-system" is forbidden: User "eks:addon-manager" cannot patch resource "namespaces" in API group "" in the namespace "kube-system"". I don't know why the administrator permission cannot install the add-on. I also tried to create the IAM role following https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html but received the error: Error from server (NotFound): serviceaccounts "ebs-csi-controller-sa" not found

I just started with EKS, so I don't know how to resolve this. Can anyone help?

Thank you

Cuong
asked a year ago, 2532 views
2 Answers
2

Hello,

Kindly note that the error below can happen because an important ClusterRoleBinding does not exist:

"eks:addon-manager" cannot patch resource "namespaces" in API group "" in the namespace "kube-system""

Execute the following command and check whether you can see these 2 ClusterRoleBindings in your EKS cluster:

kubectl get clusterrolebinding -o wide | grep addon

eks:addon-cluster-admin                                ClusterRole/cluster-admin                                          3d21h   eks:addon-manager                                                                  
eks:addon-manager                                      ClusterRole/eks:addon-manager                                      3d21h   eks:addon-manager 

If the eks:addon-cluster-admin is missing, you can use the following yaml to create it:

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks:addon-cluster-admin
subjects:
- kind: User
  name: eks:addon-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---

Therefore, you can apply this yaml file to your EKS Cluster:

kubectl apply -f eks-addon-cluster-admin.yaml

The eks:addon-cluster-admin ClusterRoleBinding binds the cluster-admin ClusterRole to the eks:addon-manager Kubernetes identity. The role has the necessary permissions for the eks:addon-manager identity to create Kubernetes namespaces and install add-ons into namespaces. If the eks:addon-cluster-admin ClusterRoleBinding is removed, the Amazon EKS cluster continues to function, however Amazon EKS is no longer able to manage any add-ons.[1]

[1] - https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html

AWS
answered 10 months ago
  • Exact solution that fixed my cluster, thank you so much

  • Yes, I was missing eks:addon-cluster-admin. Thank you
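
An added example, not part of the answer above or of AWS's own tooling: a Python check over `kubectl get clusterrolebinding -o json` output that confirms both bindings exist with the roleRef and User subject shown in the answer. The function and sample names are hypothetical, and the sample data is constructed.

```python
import json
import sys

# binding name -> (required ClusterRole, required User), per the answer above.
EXPECTED = {
    "eks:addon-cluster-admin": ("cluster-admin", "eks:addon-manager"),
    "eks:addon-manager": ("eks:addon-manager", "eks:addon-manager"),
}


def check_addon_bindings(crb_list):
    """Return a list of problems found in a ClusterRoleBindingList dict."""
    by_name = {i["metadata"]["name"]: i for i in crb_list.get("items", [])}
    problems = []
    for name, (role, user) in EXPECTED.items():
        crb = by_name.get(name)
        if crb is None:
            problems.append(f"{name}: missing")
            continue
        ref = crb.get("roleRef") or {}
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", role):
            problems.append(f"{name}: roleRef is not ClusterRole/{role}")
        # "subjects" can be absent or null when a binding has no subjects.
        subjects = crb.get("subjects") or []
        if not any(s.get("kind") == "User" and s.get("name") == user
                   for s in subjects):
            problems.append(f"{name}: User {user} is not a subject")
    return problems


def sample_binding(name, role, subjects):
    """Constructed sample item, shaped like one entry of `-o json` output."""
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": subjects}

ADDON_USER = [{"kind": "User", "name": "eks:addon-manager"}]
# Constructed samples: eks:addon-cluster-admin missing, then both present.
SAMPLE_BROKEN = {"items": [
    sample_binding("eks:addon-manager", "eks:addon-manager", ADDON_USER)]}
SAMPLE_HEALTHY = {"items": SAMPLE_BROKEN["items"] + [
    sample_binding("eks:addon-cluster-admin", "cluster-admin", ADDON_USER)]}

if __name__ == "__main__":
    # Reads piped `kubectl ... -o json`; otherwise checks the broken sample.
    data = SAMPLE_BROKEN if sys.stdin.isatty() else json.load(sys.stdin)
    found = check_addon_bindings(data)
    print("\n".join(found) or "OK: both add-on bindings are in place")
    sys.exit(1 if found else 0)
```

Because it compares roleRef and subjects and not only names, it also reports a binding that exists under the right name but points at a different role or lacks the eks:addon-manager user.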

0

How did you create the EKS cluster? Via the Console?

answered a year ago
  • no, from CLI, is it different?
