diff --git a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md index e0974b7203c4..b6f6c63fa592 100644 --- a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md +++ b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md @@ -321,7 +321,7 @@ These are permissions that are needed by Rancher to create a Virtual Private Clo ### EBS CSI Driver addon Permissions -Permissions required for Rancher to install the Amazon EBS CSI Driver add-on. +The following are the required permissions for installing the Amazon EBS CSI Driver add-on. ```json { diff --git a/versioned_docs/version-2.9/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md b/versioned_docs/version-2.9/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md index e6ecf6090ecb..9893c42dd8f3 100644 --- a/versioned_docs/version-2.9/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md +++ b/versioned_docs/version-2.9/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-clusters-from-hosted-kubernetes-providers/eks.md 
@@ -95,11 +95,15 @@ This [tutorial](https://aws.amazon.com/blogs/opensource/managing-eks-clusters-ra These are the minimum set of permissions necessary to access the full functionality of Rancher's EKS driver. You'll need additional permissions for Rancher to provision the `Service Role` and `VPC` resources. If you create these resources **before** you create the cluster, they'll be available when you configure the cluster. +:::note +In EKS v1.23 and above, you must use the out-of-tree drivers for EBS-backed volumes. You need [specific permissions](#ebs-csi-driver-addon-permissions) to enable this add-on. +::: + Resource | Description ---------|------------ Service Role | Provides permissions that allow Kubernetes to manage resources on your behalf. Rancher can create the service role with the following [Service Role Permissions](#service-role-permissions). VPC | Provides isolated network resources utilised by EKS and worker nodes. Rancher can create the VPC resources with the following [VPC Permissions](#vpc-permissions). - +EBS CSI Driver add-on | Provides permissions that allow Kubernetes to interact with EBS and configure the cluster to enable the add-on (required for EKS v1.23 and above). Rancher can install the add-on with the following [EBS CSI Driver addon Permissions](#ebs-csi-driver-addon-permissions). Resource targeting uses `*` as the ARN of many of the resources created cannot be known before creating the EKS cluster in Rancher. 
@@ -314,6 +318,43 @@ These are permissions that are needed by Rancher to create a Virtual Private Clo } ``` +### EBS CSI Driver addon Permissions + +The following are the required permissions for installing the Amazon EBS CSI Driver add-on. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "eks:DescribeAddonConfiguration", + "eks:UpdateAddon", + "eks:ListAddons", + "iam:CreateRole", + "iam:AttachRolePolicy", + "eks:DescribeAddon", + "iam:CreateOpenIDConnectProvider", + "iam:PassRole", + "eks:DescribeIdentityProviderConfig", + "eks:DeleteAddon", + "iam:ListOpenIDConnectProviders", + "iam:ListAttachedRolePolicies", + "eks:CreateAddon", + "eks:DescribeCluster", + "eks:DescribeAddonVersions", + "sts:AssumeRoleWithWebIdentity", + "eks:AssociateIdentityProviderConfig", + "eks:ListIdentityProviderConfigs" + ], + "Resource": "*" + } + ] +} +``` + ## Syncing The EKS provisioner can synchronize the state of an EKS cluster between Rancher and the provider. For an in-depth technical explanation of how this works, see [Syncing.](../../../../reference-guides/cluster-configuration/rancher-server-configuration/sync-clusters.md)
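Review bot: In the first hunk (docs/... `@@ -321,7 +321,7`), the reworded sentence drops the actor and no longer matches the neighbouring sections, which are phrased as "These are permissions that are needed by Rancher to create ..." (visible in the hunk header context). Suggest keeping the same form, e.g. "These are permissions that are needed by Rancher to install the Amazon EBS CSI Driver add-on.", and while here, the heading says "addon" where the body says "add-on"; if the heading is changed the in-page anchor `#ebs-csi-driver-addon-permissions` used by the other hunks must change with it.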
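Review bot: In the versioned_docs hunk `@@ -95,11 +95,15`, the blank line between the Resource table and the sentence "Resource targeting uses `*` as the ARN ..." is removed (the `-` line) and the new `EBS CSI Driver add-on | ...` row is placed directly before that sentence. A GFM table continues until an empty line or another block, so the "Resource targeting ..." paragraph will render as an extra one-cell table row. Keep the blank line after the new row, i.e. insert `+EBS CSI Driver add-on | ...` above the existing empty line instead of replacing it. The `:::note` admonition itself is fine, but its claim about EKS v1.23 and above should be cross-checked against the EKS release notes before merging since it is stated as a hard requirement.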
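Review bot: In the `@@ -314,6 +318,43` hunk, the new policy grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PassRole` and `iam:CreateOpenIDConnectProvider` with `"Resource": "*"`. Together these let the credential create a role, attach any managed policy to it and pass it on, which is a well-known privilege-escalation path, so the page should say why each is needed for the add-on (the existing "Resource targeting uses `*` ..." sentence only explains unknown ARNs, not the IAM actions) and point readers at narrowing them, for example restricting `iam:PassRole` with the `iam:PassedToService` condition key and `iam:AttachRolePolicy` with `iam:PolicyARN` to the EBS CSI policy. It is also unclear from the hunk why `sts:AssumeRoleWithWebIdentity` is required by Rancher's own credential rather than by the driver's service account; please add a sentence or drop it if it is not exercised. Finally, the action list interleaves `iam:` and `eks:` entries in no order; grouping by service and sorting would make the list easier to audit against the other sections.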