
DOP-C02 · Question #332

DOP-C02 Question #332: Real Exam Question with Answer & Explanation

The correct answer is B: Create an Amazon EBS Container Storage Interface (CSI) driver IAM role that has the required. The Amazon EBS CSI (Container Storage Interface) driver is responsible for provisioning and managing EBS volumes for Kubernetes clusters. The error message UnauthorizedOperation indicates that the cluster is lacking the necessary IAM permissions to create EBS volumes. The EBS CSI

Submitted by kwame.gh · Mar 6, 2026 · Configuration Management and Infrastructure as Code

Question

A DevOps engineer provisioned an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with managed node groups. The DevOps engineer associated an OpenID Connect (OIDC) issuer with the cluster. The DevOps engineer is configuring Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp3) volumes for the cluster. The DevOps engineer attempts to initiate a PersistentVolumeClaim (PVC) request but is unable to provision a volume. To troubleshoot the issue, the DevOps engineer runs the kubectl describe pvc command. The DevOps engineer receives a "failed to provision volume with StorageClass" error and a "could not create volume in EC2: UnauthorizedOperation" error. Which solution will resolve these errors?

Options

  • A. Create a Kubernetes cluster role that allows the persistent volumes to perform get, list, watch,
  • B. Create an Amazon EBS Container Storage Interface (CSI) driver IAM role that has the required
  • C. Add the ebs.csi.aws.com/volumeType:gp3 annotation to the PersistentVolumeClaim object in the
  • D. Create a Kubernetes storage class object. Set the provisioner value to ebs.csi.aws.com. Set the

Explanation

The Amazon EBS CSI (Container Storage Interface) driver is responsible for provisioning and managing EBS volumes for Kubernetes clusters. The UnauthorizedOperation error indicates that the cluster lacks the IAM permissions needed to create EBS volumes. The EBS CSI driver needs an IAM role with the required permissions to interact with Amazon EC2 and create EBS volumes. This IAM role must include permissions such as ec2:CreateVolume, ec2:AttachVolume, and the other actions needed to manage EBS volumes. The role also requires a proper trust relationship with the OIDC issuer associated with the EKS cluster, so that the Kubernetes service account can assume the IAM role for the EBS CSI driver. Creating the required IAM role and attaching it to the EBS CSI driver add-on gives the cluster the permissions it needs to provision EBS volumes, which resolves the UnauthorizedOperation error.
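The trust relationship described above can be generated and checked offline. The following Python is an added example, not part of the original page or of any AWS tooling: it builds a trust policy scoped to one service account and audits an existing policy for a missing or over-broad trust. It assumes the add-on's controller runs as the ebs-csi-controller-sa service account in kube-system; the account ID and issuer URL are constructed sample values.

```python
NAMESPACE = "kube-system"                  # assumed: add-on default namespace
SERVICE_ACCOUNT = "ebs-csi-controller-sa"  # assumed: add-on default service account
AUDIENCE = "sts.amazonaws.com"

def _issuer_host_path(issuer_url):
    return issuer_url.removeprefix("https://").rstrip("/")  # IAM drops the scheme

def build_trust_policy(account_id, issuer_url, namespace=NAMESPACE, sa=SERVICE_ACCOUNT):
    """Trust policy that lets exactly one service account assume the role."""
    issuer = _issuer_host_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": AUDIENCE,
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa}",
            }},
        }],
    }

def audit_trust_policy(policy, issuer_url, namespace=NAMESPACE, sa=SERVICE_ACCOUNT):
    """Return findings; an empty list means the trust is present and tightly scoped."""
    issuer = _issuer_host_path(issuer_url)
    findings, trusted = [], False
    for stmt in policy.get("Statement", []):  # assumes Statement is a list
        principal = stmt.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or not str(fed).endswith(f":oidc-provider/{issuer}"):
            continue
        trusted = True
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in ([actions] if isinstance(actions, str) else actions):
            findings.append("statement does not allow sts:AssumeRoleWithWebIdentity")
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != f"system:serviceaccount:{namespace}:{sa}":
            findings.append("sub is not pinned with StringEquals to the CSI service account")
        if exact.get(f"{issuer}:aud") != AUDIENCE:
            findings.append("aud is not pinned with StringEquals to sts.amazonaws.com")
    if not trusted:
        findings.append("no Allow statement trusts this cluster's OIDC issuer")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not from a real account or cluster.
    issuer = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"
    print(audit_trust_policy(build_trust_policy("111122223333", issuer), issuer))
```

A role whose trust policy names a different cluster's issuer produces the "no Allow statement" finding, while a wildcard StringLike condition on sub is reported as not pinned.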

Topics

#EKS #EBS CSI driver #PersistentVolumeClaim #IAM roles
