AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 280
A DevOps engineer provisioned an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with managed node groups. The DevOps engineer associated an OpenID Connect (OIDC) issuer with the cluster.
The DevOps engineer is configuring Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp3) volumes for the cluster. The DevOps engineer attempts to initiate a PersistentVolumeClaim (PVC) request but is unable to provision a volume. To troubleshoot the issue, the DevOps engineer runs the kubectl describe pvc command. The DevOps engineer receives a failed to provision volume with StorageClass error and a could not create volume in EC2:UnauthorizedOperation error.
Which solution will resolve these errors?
Answer options
- A. Create a Kubernetes cluster role that allows the persistent volumes to perform get, list, watch, create, and delete operations. Configure the cluster role to allow get, list, and watch operations for storage in the cluster.
- B. Create an Amazon EBS Container Storage Interface (CSI) driver IAM role that has the required permissions and trust relationships. Attach the IAM role to the Amazon EBS CSI driver add-on in the cluster.
- C. Add the ebs.csi.aws.com/volumeType:gp3 annotation to the PersistentVolumeClaim object in the cluster.
- D. Create a Kubernetes storage class object. Set the provisioner value to ebs.csi.aws.com. Set the volumeBindingMode value to WaitForFirstConsumer in the cluster.
Correct answer: B
Explanation
The `UnauthorizedOperation` error indicates that the Amazon EBS CSI driver does not have the required AWS IAM permissions to call the Amazon EC2 API to create EBS volumes. Creating an IAM role with the necessary permissions and trust relationships, and linking it to the Amazon EBS CSI driver add-on via IRSA (IAM Roles for Service Accounts), grants the driver the authorization it needs to provision the volumes. The other options, such as adjusting Kubernetes-level RBAC roles or modifying StorageClass configuration, do not address the missing AWS-level API permissions.
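The IRSA setup that option B describes, as an added example that is not part of the original question or of AWS documentation: the script builds the IAM trust policy that lets only the EBS CSI controller's service account assume the role through the cluster's OIDC provider, then shows the aws CLI calls that create the role, attach the AWS managed `AmazonEBSCSIDriverPolicy`, and bind the role to the `aws-ebs-csi-driver` add-on. The account ID `111122223333`, cluster name `my-cluster`, role name and OIDC issuer ID `EXAMPLEOIDCID` are placeholders, not values from the question.

```bash
#!/usr/bin/env bash
# Added example (not from the question bank): build the IRSA trust policy for
# the Amazon EBS CSI driver add-on and show the aws CLI calls that attach it.
# Placeholders (not real identifiers): account 111122223333, cluster
# "my-cluster", OIDC issuer oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID.
set -eu

# The add-on's controller runs as this service account by default.
EBS_CSI_SA="system:serviceaccount:kube-system:ebs-csi-controller-sa"

# build_trust_policy ACCOUNT_ID OIDC_ISSUER_HOSTPATH
# Emits the trust policy that allows only the EBS CSI controller's service
# account to assume the role via the cluster's OIDC provider. The :sub and
# :aud conditions are what stop any other pod in the cluster from using it.
build_trust_policy() {
  local account_id="$1" issuer="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${issuer}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${issuer}:sub": "${EBS_CSI_SA}",
          "${issuer}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# oidc_issuer_hostpath CLUSTER_NAME
# Reads the cluster's OIDC issuer URL and strips the scheme, which is the form
# IAM expects in the provider ARN and condition keys. Requires the aws CLI.
oidc_issuer_hostpath() {
  aws eks describe-cluster --name "$1" \
    --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##'
}

# attach_ebs_csi_role CLUSTER_NAME ACCOUNT_ID ROLE_NAME
# Creates the role, attaches the AWS managed EBS CSI policy, and binds the role
# to the already-installed add-on so its controller pods receive the
# credentials. Needs live AWS credentials; it is defined but not run here.
attach_ebs_csi_role() {
  local cluster="$1" account_id="$2" role_name="$3"
  local issuer
  issuer="$(oidc_issuer_hostpath "$cluster")"
  build_trust_policy "$account_id" "$issuer" > /tmp/ebs-csi-trust.json
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document file:///tmp/ebs-csi-trust.json
  aws iam attach-role-policy --role-name "$role_name" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
  aws eks update-addon --cluster-name "$cluster" \
    --addon-name aws-ebs-csi-driver \
    --service-account-role-arn "arn:aws:iam::${account_id}:role/${role_name}"
}

# Offline demonstration with the placeholder values: print the trust policy.
build_trust_policy 111122223333 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID
```

After the role is bound to the add-on, the `ebs-csi-controller` pods get a projected service-account token and the role ARN injected, and the PVC provisions because the `ec2:CreateVolume` call now carries credentials IAM authorizes. A Kubernetes ClusterRole (option A) or a StorageClass change (option D) never enters this path, which is why they cannot clear an `EC2:UnauthorizedOperation` error.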