New authorization check for CSI service roles when creating an ACK managed cluster
Nov 25, 2024
Container Service for KubernetesAffected Time
Change details
During the creation of an ACK managed cluster, authorization checks for the AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole service roles that the CSI plugin depends on are added.
When you install or update the following components in an existing cluster, the following authorization is also added:
- During the installation and update of the csi-plugin component, an authorization check for the AliyunCSManagedCsiPluginRole service role is added.
- During the installation and update of the csi-provisioner component, an authorization check for the AliyunCSManagedCsiProvisionerRole service role is added.
Scope of impacts
Impact of changes on the creation of ACK managed clusters:
- Only ACK managed clusters that are created after November 1, 2024 and run Kubernetes 1.26 or later are affected. Existing clusters are not affected.
Impact of changes on installation and update of the csi-plugin and csi-provisioner components in existing clusters:
- Only ACK managed clusters whose Kubernetes versions are 1.26 and later are affected.
If you do not grant the required permissions to the AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole service-linked roles before November 1, 2024, you will fail to create ACK managed clusters or fail to install or update the csi-plugin or csi-provisioner component due to insufficient permissions after November 1, 2024.
For more information, see [Product Changes] Add authorization check for CSI-related service roles during ACK managed cluster creation.