AWS Elastic Block Store CSI Driver Operator

Overview

OKD is capable of provisioning persistent volumes (PVs) using the Container Storage Interface (CSI) driver for AWS Elastic Block Store (EBS).

Familiarity with persistent storage and configuring CSI volumes is recommended when working with a Container Storage Interface (CSI) Operator and driver.

To create CSI-provisioned PVs that mount to AWS EBS storage assets, OKD installs the AWS EBS CSI Driver Operator and the AWS EBS CSI driver by default in the openshift-cluster-csi-drivers namespace.

If you installed the AWS EBS CSI Operator and driver on an OKD 4.5 cluster, you must uninstall the 4.5 Operator and driver before you update to OKD 4.13.

About CSI

Storage vendors have traditionally provided storage drivers as part of Kubernetes. With the implementation of the Container Storage Interface (CSI), third-party providers can instead deliver storage plugins using a standard interface without ever having to change the core Kubernetes code.

CSI Operators give OKD users storage options, such as volume snapshots, that are not possible with in-tree volume plugins.

OKD defaults to using the CSI plugin to provision AWS EBS storage.

For information about dynamically provisioning AWS EBS persistent volumes in OKD, see Persistent storage using AWS Elastic Block Store.

User-managed encryption

The user-managed encryption feature allows you to provide keys during installation that encrypt OKD node root volumes, and enables all managed storage classes to use these keys to encrypt provisioned storage volumes. You must specify the custom key in the platform.<cloud_type>.defaultMachinePlatform field in the install-config YAML file.

This features supports the following storage types:

  • Amazon Web Services (AWS) Elastic Block storage (EBS)

  • Microsoft Azure Disk storage

  • Google Cloud Platform (GCP) persistent disk (PD) storage

If there is no encrypted key defined in the storage class, only set encrypted: “true” in the storage class. The AWS EBS CSI driver uses the AWS managed alias/aws/ebs, which is created by Amazon EBS automatically in each region by default to encrypt provisioned storage volumes. In addition, the managed storage classes all have the encrypted: “true” setting.

For information about installing with user-managed encryption for AWS EBS, see Installation configuration parameters.

Additional resources