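# EFS CSI controller: a ServiceAccount, the RBAC the external-attacher sidecar
# uses, and the StatefulSet that runs the driver next to that sidecar.
---
# Identity for the controller pod. The StatefulSet below references it by name,
# and the ClusterRoleBinding grants it cluster-wide permissions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-controller-sa
  namespace: kube-system
---
# Permissions for the attacher sidecar. ClusterRole is cluster-scoped, so it
# carries no metadata.namespace (the original `namespace: default` had no
# effect and suggested a scoping that does not exist).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-attacher-role
rules:
  # Write access (`update`) is granted on PersistentVolumes and
  # VolumeAttachments cluster-wide; nodes are read-only. Keep this list as
  # narrow as the sidecar allows: do not widen verbs or add resources here
  # without reviewing what the bound ServiceAccount token could then do.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update"]
---
# Binds the role above to csi-controller-sa in kube-system. Also cluster-scoped,
# so no metadata.namespace; only the subject carries a namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: external-attacher-role
  apiGroup: rbac.authorization.k8s.io
---
# NOTE(review): apps/v1beta1 was removed in Kubernetes 1.16. Moving to apps/v1
# requires an explicit spec.selector and changes the default update strategy,
# so it is left as a deliberate follow-up rather than changed here.
kind: StatefulSet
apiVersion: apps/v1beta1
metadata:
  name: efs-csi-controller
  namespace: kube-system
spec:
  serviceName: efs-csi-controller
  replicas: 1
  template:
    metadata:
      labels:
        app: efs-csi-controller
    spec:
      # `serviceAccountName` is the current field; `serviceAccount` is its
      # deprecated alias. The token is mounted into every container of the pod.
      # NOTE(review): only csi-attacher visibly needs API access; confirm
      # whether efs-plugin does before relying on that.
      serviceAccountName: csi-controller-sa
      priorityClassName: system-cluster-critical
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
      # NOTE(review): no securityContext is set on the pod or its containers,
      # so runtime defaults apply. Consider an explicit one (non-root,
      # no privilege escalation, dropped capabilities) after confirming what
      # the driver needs to run.
      containers:
        - name: efs-plugin
          # `latest` with `imagePullPolicy: Always` means every pod start runs
          # whatever the tag points to at that moment, in a
          # system-cluster-critical pod in kube-system. Pin a release tag or,
          # better, an image digest (e.g. `@sha256:<DIGEST_PLACEHOLDER>`).
          image: amazon/aws-efs-csi-driver:latest
          imagePullPolicy: Always
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            # NOTE(review): high verbosity; check what request detail ends up
            # in logs before keeping this level outside of debugging.
            - --v=5
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-attacher
          # Pinned to a tag, but a tag is still mutable; a digest is the
          # stronger pin.
          image: quay.io/k8scsi/csi-attacher:v0.4.2
          imagePullPolicy: Always
          args:
            - --csi-address=$(ADDRESS)
            - --v=5
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
      volumes:
        # Pod-local directory holding the CSI Unix socket. Any container that
        # mounts it can talk to the driver, so mount it only where needed.
        - name: socket-dir
          emptyDir: {}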