Mountpoint CSI Driver v2 contains some breaking changes compared to v1 depending on the use-case,
we kindly ask you to go over this list before upgrading to v2.
Prior to v2, Mountpoint processes were spawned on the host using systemd,
with v2, Mountpoint processes will be spawned on dedicated and unprivileged Mountpoint Pods.
This architectural shift is the main reason for some breaking changes with v2.
Instance Metadata Service (IMDS) might not be accessible if the IMDS hop limit is not configured properly
-
How do I know if I'm affected?
- You can check IMDS hop limit of your launch template for your nodes, it needs to be
2or greater for Pods to be able to access to IMDS. You can also use the following script to create a temporary Pod to test if it can access to IMDS:-
$ kubectl run imds-test --restart=Never --rm -it --image=amazonlinux:2 -- bash -c ' IMDSv1="NOT accessible" IMDSv2="NOT accessible" # Check IMDSv1 if curl -s --connect-timeout 3 -f http://169.254.169.254/latest/meta-data/ &>/dev/null; then IMDSv1="accessible" fi # Check IMDSv2 TOKEN=$(curl -s -X PUT -f -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token 2>/dev/null) if [ ! -z "$TOKEN" ] && curl -s -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/ &>/dev/null; then IMDSv2="accessible" fi echo "IMDSv1: $IMDSv1" echo "IMDSv2: $IMDSv2"' IMDSv1: NOT accessible IMDSv2: accessible pod "imds-test" deleted
- As long as IMDSv1 or IMDSv2 is available you're not affected.
-
- You can check IMDS hop limit of your launch template for your nodes, it needs to be
-
What's affected?
- Driver-Level Credentials with Node IAM Profiles might not work
- Automatic AWS region and network bandwidth detection might not work
-
How can I fix it?
- You can enable IMDS by following Configure the Instance Metadata Service options if you wish
- You can provide AWS region (
--region) and network bandwidth (--maximum-throughput-gbps) parameters viamountOptionsfield in your PersistentVolume definition explicitly
-
What's affected?
- Although it was discouraged by Mountpoint, it was possible to share local cache between multiple Mountpoint processes by pointing them to same cache folder due to fact they were all running on the host filesystem. Starting with v2, using the same cache folder in multiple volumes will result in unique cache folder in each container.
- This might cause disk usage to grow much faster compared to v1 as now each Mountpoint process will maintain its own cache
-
How can I fix it?
- The CSI Driver v2 adds support for Mountpoint Pod Sharing, which allows multiple workloads to share a single Mountpoint instance when appropriate. This will prevent duplicate cache folder for the same volume if Pod sharing is possible for the workloads.
- You can configure maximum cache size for each volume to prevent cache grow:
-
apiVersion: v1 kind: PersistentVolume metadata: name: s3-pv spec: # ... csi: driver: s3.csi.aws.com volumeAttributes: # ... cache: emptyDir cacheEmptyDirSizeLimit: 1Gi
-
- Also see the new caching configuration the CSI Driver v2 provides.
-
The CSI Driver Node DaemonSet Pods will tolerate all taints by default. You can opt into the old behaviour by setting
node.tolerateAllTaints=falseif that's desired. -
The CSI Driver's
CSIDriverobject will havepodInfoOnMount: trueby default. The opt-in flagnode.podInfoOnMountCompat.enablewith v1 is no longer available, and there is no way to disable this behaviour with v2.- This behaviour is needed for Pod-level credentials.
- This field became mutable starting with Kubernetes v1.30, but if you're in an older version and if you haven't enabled this feature yet with v1, you might need to delete
CSIDriverobject before upgrading.- You can delete the
CSIDriverobject by running:kubectl delete csidriver s3.csi.aws.com. - This won't affect any existing workloads, but it would prevent new workloads from starting, we recommend doing this as part of the upgrade command to ensure a new
CSIDriverobject created immediately after the deletion.
- You can delete the
Mountpoint CSI Driver now supports VOLUME_MOUNT_GROUP and will respect fsGroup configured in securityContext
See Delegating volume permission and ownership change to CSI driver for more details.
-
What's affected?
- Accessing Mountpoint logs via
journalctlor log file by using--log-directoryis no longer supported
- Accessing Mountpoint logs via
-
How can I fix it?
- You can now access to Mountpoint logs just using
kubectl logs -n mount-s3 .... For example,kubectl logs -n mount-s3 -ls3.csi.aws.com/volume-name=s3-pvwould print the logs fors3-pvvolume. See Logging of Mountpoint for Amazon S3 CSI Driver for more details. - Using
--log-directoryto write logs to a file is not recommended, and instead users should just rely onkubectl logsor Kubernetes' mechanism to redirect logs to somewhere else.
- You can now access to Mountpoint logs just using
-
What's affected?
- If you were relied on Mountpoint process to run as root (
0), it won't be the case anymore
- If you were relied on Mountpoint process to run as root (
-
How can I fix it?
- Mountpoint CSI Driver will correctly set permissions for cache folder, respect
fsGroupand configuremountOptionsautomatically. You shouldn't have to do anything unless you're relying on Mountpoint process to run as root, which shouldn't be needed if you previously had to set up that way. Feel free to create an issue if you still need to rely on Mountpoint process'uid.
- Mountpoint CSI Driver will correctly set permissions for cache folder, respect
Note
Please note that the CSI Driver v2 has some constraints with node autoscalers like Karpenter and Cluster Autoscaler. For more details please see this GitHub issue.
After making necessary changes for the breaking changes described in the changes section, you can follow regular Installing Mountpoint for Amazon S3 CSI Driver guidance to install the CSI Driver v2 with a method of your choosing.
We recommend configuring nodeSelector for the controller component starting with v2.
-
Do I need to uninstall Mountpoint CSI Driver v1?
- No, just upgrading Mountpoint CSI Driver to v2 should be enough. The new workloads created after the upgrade will use the new mechanism.
-
Do I need to terminate the workloads using Mountpoint CSI Driver v1?
- No, Mountpoint CSI Driver v2 will keep providing and managing Mountpoint processes spawned by v1.
- You would need to terminate the workloads spawned with Mountpoint CSI Driver v2 before downgrading to v1.
- You can see the running Mountpoint Pods with:
kubectl -n mount-s3 get pods
- You can see the associated workloads with:
-
# This script uses `jq` and `kubectl` echo -e "ATTACHMENT VOLUME NAME MOUNTPOINT POD WORKLOAD POD" echo -e "----------------------------- ---------------------------- ------------------ ------------------------------" pods=$(kubectl get pods --all-namespaces -o json) kubectl get s3pa -o json | jq -r '.items[] | .metadata.name as $s3paName | .spec.persistentVolumeName as $volumeName | .spec.mountpointS3PodAttachments | to_entries[] | $s3paName as $attachment | $volumeName as $volume | .key as $mppod | .value[] | [$attachment, $volume, $mppod, .workloadPodUID] | @tsv' | while IFS=$'\t' read -r s3pa_name volume_name mppod_name workload_uid; do workload_info=$(echo -E "$pods" | jq -r ".items[] | select(.metadata.uid==\"$workload_uid\") | .metadata.namespace + \"/\" + .metadata.name") printf "%-30s %-30s %-20s %s\n" "$s3pa_name" "$volume_name" "$mppod_name" "$workload_info" done
-
- You can see the running Mountpoint Pods with: