docs: Add EBS CSI Driver permissions to 2.9 (#1454)

* docs: Add EBS CSI Driver permissions to 2.9 * docs: Adjust wording and keep 2.9 and latest in sync
rancher · Sep 13, 2024 · 554e0d3 · 554e0d3
1 parent ed271e1
commit 554e0d3
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 2 deletions.
diff --git a/...usters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md b/...usters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md
@@ -321,7 +321,7 @@ These are permissions that are needed by Rancher to create a Virtual Private Clo
 
 ### EBS CSI Driver addon Permissions
 
-Permissions required for Rancher to install the Amazon EBS CSI Driver add-on.
+The following are the required permissions for installing the Amazon EBS CSI Driver add-on.
 
 ```json
 {

diff --git a/...usters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md b/...usters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md
@@ -95,11 +95,15 @@ This [tutorial](https://aws.amazon.com/blogs/opensource/managing-eks-clusters-ra
 
 These are the minimum set of permissions necessary to access the full functionality of Rancher's EKS driver. You'll need additional permissions for Rancher to provision the `Service Role` and `VPC` resources. If you create these resources **before** you create the cluster, they'll be available when you configure the cluster.
 
+:::note
+In EKS v1.23 and above, you must use the out-of-tree drivers for EBS-backed volumes. You need [specific permissions](#ebs-csi-driver-addon-permissions) to enable this add-on.
+:::
+
 Resource | Description
 ---------|------------
 Service Role | Provides permissions that allow Kubernetes to manage resources on your behalf. Rancher can create the service role with the following [Service Role Permissions](#service-role-permissions).
 VPC | Provides isolated network resources utilised by EKS and worker nodes. Rancher can create the VPC resources with the following [VPC Permissions](#vpc-permissions).
-
+EBS CSI Driver add-on | Provides permissions that allow Kubernetes to interact with EBS and configure the cluster to enable the add-on (required for EKS v1.23 and above). Rancher can install the add-on with the following [EBS CSI Driver addon Permissions](#ebs-csi-driver-addon-permissions).
 
 Resource targeting uses `*` as the ARN of many of the resources created cannot be known before creating the EKS cluster in Rancher.
 
@@ -314,6 +318,43 @@ These are permissions that are needed by Rancher to create a Virtual Private Clo
 }
 ```
 
+### EBS CSI Driver addon Permissions
+
+The following are the required permissions for installing the Amazon EBS CSI Driver add-on.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "eks:DescribeAddonConfiguration",
+                "eks:UpdateAddon",
+                "eks:ListAddons",
+                "iam:CreateRole",
+                "iam:AttachRolePolicy",
+                "eks:DescribeAddon",
+                "iam:CreateOpenIDConnectProvider",
+                "iam:PassRole",
+                "eks:DescribeIdentityProviderConfig",
+                "eks:DeleteAddon",
+                "iam:ListOpenIDConnectProviders",
+                "iam:ListAttachedRolePolicies",
+                "eks:CreateAddon",
+                "eks:DescribeCluster",
+                "eks:DescribeAddonVersions",
+                "sts:AssumeRoleWithWebIdentity",
+                "eks:AssociateIdentityProviderConfig",
+                "eks:ListIdentityProviderConfigs"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
 ## Syncing
 
 The EKS provisioner can synchronize the state of an EKS cluster between Rancher and the provider. For an in-depth technical explanation of how this works, see [Syncing.](../../../../reference-guides/cluster-configuration/rancher-server-configuration/sync-clusters.md)