kubernetes-sigs / aws-ebs-csi-driver

CSI driver for Amazon EBS https://aws.amazon.com/ebs/
Apache License 2.0

Unable to pass parameters through VolumeSnapshotClass to CSI #2045

Closed williamayerst closed 1 month ago

williamayerst commented 1 month ago

/kind bug

What happened?

Parameters in a VolumeSnapshotClass to enable encryption/etc. are not passed properly to the ebs-csi-controller.

The AWS EBS-CSI driver supports parameters for encryption, as seen in a working encrypted StorageClass definition below:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast-encrypted
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  kmsKeyID: xyz

This is working fine and is in line with that detailed on the aws-ebs-csi-driver docs on GitHub here: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md

Creating snapshots of these volumes works fine with a barebones VolumeSnapshotClass:

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: snapshot-class
driver: ebs.csi.aws.com
deletionPolicy: Delete

However, I need to ensure that VolumeSnapshots created also have encryption, so referring to the K8S docs here (https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes/) I am advised that parameters there should pass through to the underlying storage driver in the same way a StorageClass does, so I created a second VolumeSnapshotClass as follows:

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: snapshot-class-encrypted
driver: ebs.csi.aws.com
deletionPolicy: Delete
parameters:
  type: gp3
  encrypted: "true"
  kmsKeyID: "xyz"

However, when creating a snapshot and using this VolumeSnapshotClass, it fails with the following logs on the ebs-csi-controller pods:

E0522 13:55:19.593272       1 driver.go:124] "GRPC error" err="rpc error: code = InvalidArgument desc = Invalid parameter key kmsKeyID for CreateSnapshot"
E0522 13:55:20.186776       1 driver.go:124] "GRPC error" err="rpc error: code = InvalidArgument desc = Invalid parameter key encrypted for CreateSnapshot"
E0522 13:55:20.818155       1 driver.go:124] "GRPC error" err="rpc error: code = InvalidArgument desc = Invalid parameter key type for CreateSnapshot"

What you expected to happen?

I expected the snapshot to be created with the relevant parameters passed through from the VolumeSnapshotClass to the CSI Driver.

How to reproduce it (as minimally and precisely as possible)?

As above

Anything else we need to know?:

It seems like the parameters in the VolumeSnapshotClass are getting passed directly to the CSI Driver as parameter keys, but the CSI Driver appears to only take SnapshotOptions? I'm out of my depth here!

Environment

williamayerst commented 1 month ago

Seems that the volumesnapshot inherits the encryption state of the volume, and the parameters are used (potentially) for other things. I still think it would be helpful for these other parameters to either be detailed in the readme or an explicit mention that there are no usable parameters.

torredil commented 1 month ago

@williamayerst

> Seems that the volumesnapshot inherits the encryption state of the volume

That is correct, snapshots of encrypted volumes are automatically encrypted.

> and the parameters are used (potentially) for other things

You can use VolumeSnapshotClass.parameters to tag your snapshots. If that sounds like it could be useful, you can read more about it here: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/tagging.md#snapshot-tagging
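
A manifest audit that follows from the thread above, as an added example that is not part of the issue or the driver project: because snapshots inherit the volume's encryption state, it checks encryption on the StorageClass and flags VolumeSnapshotClass parameters that the controller rejected in the quoted logs. The `audit` function, the finding strings and the `fast-plain` class are assumptions made for illustration.

```python
import json

EBS_DRIVER = "ebs.csi.aws.com"
# Keys the controller rejected for CreateSnapshot in the issue's logs.
REJECTED_SNAPSHOT_KEYS = {"type", "encrypted", "kmsKeyID"}

# Constructed sample in the shape of `kubectl get sc,volumesnapshotclass -o json`.
# "fast-plain" is hypothetical; the other entries are the manifests from the issue.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "StorageClass", "metadata": {"name": "fast-encrypted"},
     "provisioner": EBS_DRIVER,
     "parameters": {"type": "gp3", "encrypted": "true", "kmsKeyID": "xyz"}},
    {"kind": "StorageClass", "metadata": {"name": "fast-plain"},
     "provisioner": EBS_DRIVER, "parameters": {"type": "gp3"}},
    {"kind": "VolumeSnapshotClass", "metadata": {"name": "snapshot-class"},
     "driver": EBS_DRIVER, "deletionPolicy": "Delete"},
    {"kind": "VolumeSnapshotClass", "metadata": {"name": "snapshot-class-encrypted"},
     "driver": EBS_DRIVER, "deletionPolicy": "Delete",
     "parameters": {"type": "gp3", "encrypted": "true", "kmsKeyID": "xyz"}},
]})


def audit(manifest_json):
    """Return sorted (kind, name, finding) tuples for EBS CSI classes."""
    findings = []
    for obj in json.loads(manifest_json).get("items", []):
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        params = obj.get("parameters") or {}
        if kind == "StorageClass" and obj.get("provisioner") == EBS_DRIVER:
            # Snapshots inherit the volume's encryption state, so encryption
            # has to be requested here. Conservative: only the exact string
            # "true", as in the issue's working StorageClass, is accepted.
            if params.get("encrypted") != "true":
                findings.append((kind, name, "encryption not requested"))
        elif kind == "VolumeSnapshotClass" and obj.get("driver") == EBS_DRIVER:
            # These keys make CreateSnapshot fail with InvalidArgument.
            for key in sorted(REJECTED_SNAPSHOT_KEYS.intersection(params)):
                findings.append((kind, name, f"rejected snapshot parameter: {key}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name, finding in audit(SAMPLE):
        print(f"{kind}/{name}: {finding}")
```

Account-level EBS encryption by default is not visible in these manifests, so a flagged StorageClass may still produce encrypted volumes.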