[Design][K8S] EBS Tagger Sidecar #351

Closed
leakingtapan opened this issue Aug 21, 2019 · 11 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@leakingtapan
Contributor

leakingtapan commented Aug 21, 2019

Is your feature request related to a problem? Please describe.
This is a Kubernetes-specific feature. The following are the requirements:

  • The user needs to provide an arbitrary tag for the created EBS volume through a PVC annotation.
  • The driver needs to tag the created EBS volume with a list of built-in Kubernetes tags as follows:

| Key | Value |
| --- | --- |
| Name | kubernetes-dynamic-pvc-e814cb42-57c3-11e9-8335-0ef9bfaa78f6 |
| kubernetes.io/cluster/1-12-driver | owned |
| kubernetes.io/created-for/pv/name | pvc-e814cb42-57c3-11e9-8335-0ef9bfaa78f6 |
| kubernetes.io/created-for/pvc/name | ebs-claim |
| kubernetes.io/created-for/pvc/namespace | default |

This design provides an alternative solution for #180. And it provides an alternative way to apply static tags.

Describe the solution you'd like in detail
We will create a sidecar container, ebs-tagger, running alongside the EBS CSI controller service. It will be a k8s operator that watches for PV creation. When a new PV is created, and iff it is an EBS CSI PV, the operator will:

  • apply built-in k8s
  • read PVC annotation ebs.csi.aws.com/extra-tags and apply tags

Describe alternatives you've considered
Extending storage class as described in #180

Additional context
Related similar sub problem: #333
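
How the tag set described in this proposal could be computed, as an added example (not code from the driver or from the proposed sidecar). The built-in tags follow the table above; the `key=value,key=value` annotation format, the `PV`/`PVC` stand-in structs, and the rule that extra tags may not shadow built-in or `kubernetes.io/` keys are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// PV and PVC hold only the fields the tagger reads (stand-ins for the Kubernetes API types).
type PV struct{ Name, Driver, ClaimName, ClaimNamespace string }
type PVC struct{ Annotations map[string]string }

const ebsDriver = "ebs.csi.aws.com"               // CSI driver name of the EBS driver
const extraTagsKey = "ebs.csi.aws.com/extra-tags" // PVC annotation named in the design

// BuildTags returns the tags for the volume behind pv, or nil if pv is not an EBS CSI PV.
func BuildTags(cluster string, pv PV, pvc PVC) (map[string]string, error) {
	if pv.Driver != ebsDriver {
		return nil, nil
	}
	tags := map[string]string{ // built-in tags from the table in the issue
		"Name":                                    "kubernetes-dynamic-" + pv.Name,
		"kubernetes.io/cluster/" + cluster:        "owned",
		"kubernetes.io/created-for/pv/name":       pv.Name,
		"kubernetes.io/created-for/pvc/name":      pv.ClaimName,
		"kubernetes.io/created-for/pvc/namespace": pv.ClaimNamespace,
	}
	for _, pair := range strings.Split(pvc.Annotations[extraTagsKey], ",") {
		if pair = strings.TrimSpace(pair); pair == "" {
			continue // no annotation, or a stray comma
		}
		kv := strings.SplitN(pair, "=", 2) // assumed format: k1=v1,k2=v2
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("malformed extra tag %q", pair)
		}
		k, v := kv[0], kv[1]
		_, taken := tags[k]
		if taken || strings.HasPrefix(k, "kubernetes.io/") ||
			strings.HasPrefix(strings.ToLower(k), "aws:") { // "aws:" is reserved by AWS
			return nil, fmt.Errorf("extra tag %q is already set, driver-owned or reserved", k)
		}
		tags[k] = v
	}
	return tags, nil
}

func main() {
	pv := PV{"pvc-e814cb42-57c3-11e9-8335-0ef9bfaa78f6", ebsDriver, "ebs-claim", "default"}
	fmt.Println(BuildTags("1-12-driver", pv, PVC{map[string]string{extraTagsKey: "team=storage"}}))
}
```

Rejecting shadowed keys matters when the `kubernetes.io/cluster/...` tag is used to scope the driver to its own volumes: a PVC author should not be able to rewrite it through the annotation.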

@leakingtapan
Contributor Author

/cc @wongma7

@frittentheke
Contributor

frittentheke commented Aug 26, 2019

@leakingtapan thank you for looking into this issue!

This tagger sidecar approach unfortunately has a major drawback: There is no enforced tagging right when the volume is created.

If you look at my comment regarding best practices on doing IAM policies (#180 (comment) or also #180 (comment)), it's a strict requirement to have the volumes tagged upon their initial creation and not "dynamically" later. In "my" case I want to restrict / filter the EBS driver to only be able to touch and handle its own volumes - the tag works like a tenant in this case.
The other comments in this thread are either about being restricted in the first place to have to use certain tags to even be allowed to create volumes, or about creating billing based on those tags.

Having forced tags for EVERY volume the EBS driver creates / handles is just what I would want to configure to isolate EBS volumes in that AWS account that belong to others.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 24, 2019
@frittentheke
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 24, 2019
@sstarcher

I just tossed this controller together. It does not work specifically for the csi, but for the built-in kubernetes ebs provider. It fetches the labels from the pv and pvc and applies them to the AWS EBS volume.

https://github.com/sstarcher/kube-ebs-tagger

@leakingtapan
Contributor Author

leakingtapan commented Feb 20, 2020

@frittentheke

This tagger sidecar approach unfortunately has a major drawback: There is no enforced tagging right when the volume is created.

Thx for your input. The major drawback of the current CSI spec is that there is no way for the driver to know what tag values it's supposed to use during volume creation (except for the storageclass parameter, which has other problems with ease of use). So we are either stuck on this feature or build a sidecar for post-volume-creation tagging. These are the only two options I can think of now for dynamic tag values.


@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 20, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 19, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.


@fentas

fentas commented Sep 12, 2020

Is there a way to tag ebs volumes?
