
aws-ebs-csi-driver

Helm chart
# Default values for the aws-ebs-csi-driver chart.
# This file is YAML; its keys are the variables passed into the templates.

image:
  repository: cgr.dev/chainguard-private/aws-ebs-csi-driver-fips
  # Overrides the image tag, whose default is v{{ .Chart.AppVersion }}.
  # The value below carries a sha256 digest after the `latest` label. Assuming
  # the templates render it as repository:tag, the image is pulled by that
  # digest and `latest` is informational only; an override without a digest
  # gives up the pinning.
  tag: latest@sha256:997b14b909bccde2e6425a858cb2b3635fff40252a114472d4144ff7e486df14
  pullPolicy: IfNotPresent
# -- Extra labels to add to resource metadata (none by default)
customLabels: {}
# Example entry:
#   k8s-app: aws-ebs-csi-driver

# Instruct the AWS SDK to use AWS FIPS endpoints, and deploy a container built
# with Boring Crypto (a FIPS-validated cryptographic library) instead of the
# Go default.
#
# The EBS CSI Driver FIPS images have not undergone FIPS certification, and no
# official guarantee is made about the compliance of these images under the
# FIPS standard. Users relying on these images for FIPS compliance should
# perform their own independent evaluation.
#
# NOTE(review): every repository in this file is a `-fips` variant, yet this
# flag defaults to false. Going by the description above, the AWS SDK is then
# not told to use FIPS endpoints -- confirm that is the intended default.
fips: false
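# Settings for each sidecar container: image reference, log verbosity, extra
# arguments, additional RBAC rules, resources and container securityContext.
# Each image tag below carries a sha256 digest; an override without a digest
# gives up that pinning.
sidecars:
  provisioner:
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-external-provisioner-fips
      tag: latest@sha256:e5ca2ebb88e4a721f06073099ac47573091639c029abbd1010b14fbe411c39f3
    logLevel: 2
    # Additional parameters provided by csi-provisioner.
    additionalArgs: []
    # Grant additional permissions to csi-provisioner.
    # Written as an explicit empty list, matching the attacher, snapshotter and
    # resizer entries; a bare key parses as null. Anything added here extends
    # what the sidecar may do cluster-wide, so keep the rules minimal.
    additionalClusterRoleRules: []
    resources: {}
    # Tune leader lease election for csi-provisioner.
    # Leader election is on by default.
    leaderElection:
      enabled: true
      # Optional values to tune lease behavior.
      # The arguments provided must be in an acceptable time.ParseDuration format.
      # Ref: https://pkg.go.dev/flag#Duration
      # leaseDuration: "15s"
      # renewDeadline: "10s"
      # retryPeriod: "5s"
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  attacher:
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-external-attacher-fips
      tag: latest@sha256:6e2c0ae8b113bbb80106d0fbc637bc61e7414b6bc9d394ab49b5e5d2eaf91263
    # Tune leader lease election for csi-attacher.
    # Leader election is on by default.
    leaderElection:
      enabled: true
      # Optional values to tune lease behavior.
      # The arguments provided must be in an acceptable time.ParseDuration format.
      # Ref: https://pkg.go.dev/flag#Duration
      # leaseDuration: "15s"
      # renewDeadline: "10s"
      # retryPeriod: "5s"
    logLevel: 2
    # Additional parameters provided by csi-attacher.
    additionalArgs: []
    # Grant additional permissions to csi-attacher
    additionalClusterRoleRules: []
    resources: {}
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  snapshotter:
    # Enables the snapshotter sidecar even if the snapshot CRDs are not installed
    forceEnable: false
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-external-snapshotter-fips
      tag: latest@sha256:88b213231092e071f5710cc54896e546744700b773f9771e419bf31110a2f8b9
    logLevel: 2
    # Additional parameters provided by csi-snapshotter.
    additionalArgs: []
    # Grant additional permissions to csi-snapshotter
    additionalClusterRoleRules: []
    resources: {}
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  metadataLabeler:
    # ALPHA: Enable the metadata-labeler sidecar to label Kubernetes Nodes with
    # information from the EC2 API (e.g. number of ENIs)
    # Also requires using metadata-labeler as the node's metadata source
    enabled: false
    logLevel: 2
    # Additional parameters provided by metadataLabeler.
    additionalArgs: []
    resources: {}
    # NOTE(review): no seccompProfile is set here, unlike the provisioner,
    # attacher, snapshotter, resizer and volumemodifier entries -- confirm
    # whether that is intentional.
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  livenessProbe:
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-livenessprobe-fips
      tag: latest@sha256:3ad97923fd698216d5a5e40e1b4d802336a0b2658ca179c4f8ff825bed3e616f
    # Additional parameters provided by livenessprobe.
    additionalArgs: []
    resources: {}
    # NOTE(review): no seccompProfile is set for this container either; verify
    # against the pods it is injected into.
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  resizer:
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-external-resizer-fips
      tag: latest@sha256:a84f36a3169eea246d5f4f7b348036260e99b33cd2b9b3a3ae6452ffc92afee1
    # Tune leader lease election for csi-resizer.
    # Leader election is on by default.
    leaderElection:
      enabled: true
      # Optional values to tune lease behavior.
      # The arguments provided must be in an acceptable time.ParseDuration format.
      # Ref: https://pkg.go.dev/flag#Duration
      # leaseDuration: "15s"
      # renewDeadline: "10s"
      # retryPeriod: "5s"
    logLevel: 2
    # Additional parameters provided by csi-resizer.
    additionalArgs: []
    # Grant additional permissions to csi-resizer
    additionalClusterRoleRules: []
    resources: {}
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  nodeDriverRegistrar:
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/kubernetes-csi-node-driver-registrar-fips
      tag: latest@sha256:01e778be6ebb5e90920d19fc03d59f7f65e79fbeb071325658e07ce2ff099436
    logLevel: 2
    # The port the health probe is bound to.
    healthPort: 9809
    # Additional parameters provided by node-driver-registrar.
    additionalArgs: []
    resources: {}
    # NOTE(review): no seccompProfile here, same as the other two entries
    # flagged above -- confirm.
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
    livenessProbe:
      httpGet:
        path: /healthz
        port: healthz-ndr
      initialDelaySeconds: 30
      periodSeconds: 90
      timeoutSeconds: 15
  volumemodifier:
    env: []
    image:
      pullPolicy: IfNotPresent
      repository: cgr.dev/chainguard-private/aws-volume-modifier-for-k8s-fips
      tag: latest@sha256:d5e1e98910b4d3f9515563ad4df2942af6eba6a3e63ddedb74d5e0208d553b16
    leaderElection:
      enabled: true
      # Optional values to tune lease behavior.
      # The arguments provided must be in an acceptable time.ParseDuration format.
      # Ref: https://pkg.go.dev/flag#Duration
      # leaseDuration: "15s"
      # renewDeadline: "10s"
      # retryPeriod: "5s"
    logLevel: 2
    # Additional parameters provided by volume-modifier-for-k8s.
    additionalArgs: []
    resources: {}
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false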
# Proxy settings; both values are unset (null) by default.
proxy:
  http_proxy: null
  no_proxy: null
# The images above come from a private registry path (chainguard-private), so
# presumably pull credentials are listed here -- verify for your cluster.
imagePullSecrets: []
# Name overrides; both are unset (null) by default.
nameOverride: null
fullnameOverride: null
# Names only: a Secret name and two key names. Presumably these tell the chart
# which Kubernetes Secret, and which keys inside it, hold the AWS credentials
# -- confirm against the templates. Credential values never belong in this file.
awsAccessSecret:
  name: aws-secret
  keyId: key_id
  accessKey: access_key
# Settings for the controller component: scheduling, metrics, service account,
# pod and container securityContext, and extra volumes.
controller:
  batching: true
  volumeModificationFeature:
    enabled: false
  # Enable support for node-local volumes that use pre-attached EBS volumes
  enableNodeLocalVolumes: false
  # Additional parameters provided by aws-ebs-csi-driver controller.
  additionalArgs: []
  sdkDebugLog: false
  loggingFormat: text
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          preference:
            matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                  - fargate
                  - auto
                  - hybrid
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - ebs-csi-controller
            topologyKey: kubernetes.io/hostname
          weight: 100
  # The default filesystem type of the volume to provision when fstype is
  # unspecified in the StorageClass.
  # If the default is not set and fstype is unset in the StorageClass, then no
  # fstype will be set
  defaultFsType: ext4
  env: []
  # Use envFrom to reference ConfigMaps and Secrets across all containers in
  # the deployment
  envFrom: []
  # If set, add pv/pvc metadata to plugin create and modify requests as parameters.
  extraCreateMetadata: true
  # Extra volume tags to attach to each dynamically provisioned volume.
  # ---
  # extraVolumeTags:
  #   key1: value1
  #   key2: value2
  extraVolumeTags: {}
  httpEndpoint: null
  # (deprecated) The TCP network address where the prometheus metrics endpoint
  # will run (example: `:8080` which corresponds to port 8080 on local host).
  # The default is empty string, which means metrics endpoint is disabled.
  # NOTE(review): this text describes an address, so it presumably documents
  # httpEndpoint above rather than the boolean below -- verify.
  # ---
  enableMetrics: false
  # If metrics are enabled, add prometheus.io/scrape and prometheus.io/port
  # annotations to the metrics services.
  enablePrometheusAnnotations: true
  serviceMonitor:
    # Enables the ServiceMonitor resource even if the prometheus-operator CRDs
    # are not installed
    forceEnable: false
    # Additional labels for ServiceMonitor object
    labels: {}
    interval: "15s"
  # If set to true, AWS API call metrics will be exported to the following
  # TCP endpoint: "0.0.0.0:3301"
  # NOTE(review): no boolean follows this comment in the listing; presumably
  # it belongs to enableMetrics above -- verify. 0.0.0.0 means the listener
  # binds on every interface of the pod.
  # ---
  # ID of the Kubernetes cluster used for tagging provisioned EBS volumes (optional).
  k8sTagClusterId: null
  logLevel: 2
  userAgentExtra: "helm"
  nodeSelector: {}
  deploymentAnnotations: {}
  podAnnotations: {}
  podLabels: {}
  podDisruptionBudget:
    # Warning: Disabling PodDisruptionBudget may lead to delays in stateful
    # workloads starting due to controller pod restarts or evictions.
    enabled: true
    # unhealthyPodEvictionPolicy:
    # Configure the maxUnavailable or minAvailable for the PDB
    # If either parameter is non-null, no default is used for both
    # maxUnavailable:
    # minAvailable:
  priorityClassName: system-cluster-critical
  # AWS region to use. If not specified then the region will be looked up via
  # the AWS EC2 metadata service.
  # ---
  # region: us-east-1
  region: null
  replicaCount: 2
  revisionHistoryLimit: 10
  socketDirVolume:
    emptyDir: {}
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  # Alternative, left commented out:
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 0
  #   maxUnavailable: 1
  resources:
    requests:
      cpu: 10m
      memory: 40Mi
    limits:
      memory: 256Mi
  serviceAccount:
    # A service account will be created for you if set to true. Set to false
    # if you want to use your own.
    create: true
    name: ebs-csi-controller-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
    # The service account token is mounted into the controller pod; review
    # the permissions bound to this account accordingly.
    automountServiceAccountToken: true
  tolerations:
    - key: CriticalAddonsOnly
      operator: Exists
    - effect: NoExecute
      operator: Exists
      tolerationSeconds: 300
  # TSCs without the label selector stanza
  #
  # Example:
  #
  # topologySpreadConstraints:
  #  - maxSkew: 1
  #    topologyKey: topology.kubernetes.io/zone
  #    whenUnsatisfiable: ScheduleAnyway
  #  - maxSkew: 1
  #    topologyKey: kubernetes.io/hostname
  #    whenUnsatisfiable: ScheduleAnyway
  topologySpreadConstraints: []
  # securityContext on the controller pod
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  # Add additional volume mounts on the controller with controller.volumes and
  # controller.volumeMounts
  volumes: []
  # Add additional volumes to be mounted onto the controller:
  # - name: custom-dir
  #   hostPath:
  #     path: /path/to/dir
  #     type: Directory
  # A hostPath volume exposes part of the node's filesystem to the pod; keep
  # the path as narrow as the use case allows.
  volumeMounts: []
  # And add mount paths for those additional volumes:
  # - name: custom-dir
  #   mountPath: /mount/path
  # ---
  # securityContext on the controller container (see sidecars for
  # securityContext on sidecar containers)
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
  initContainers: []
  # containers to be run before the controller's container starts.
  #
  # Example:
  #
  # - name: wait
  #   image: public.ecr.aws/amazonlinux/amazonlinux
  #   command: [ 'sh', '-c', "sleep 20" ]
  # Enable opentelemetry tracing for the plugin running on the daemonset
  otelTracing: {}
  #  otelServiceName: ebs-csi-controller
  #  otelExporterEndpoint: "http://localhost:4317"

  # dnsConfig for the controller pods
  dnsConfig: {}
# Settings for the node DaemonSet pods. These pods run as root with a
# privileged driver container (see securityContext and containerSecurityContext
# below), so overrides in this section deserve the closest review.
node:
  # Enable SELinux-only optimizations on the EBS CSI Driver node pods
  # Must only be set true if all linux nodes in the DaemonSet have SELinux enabled
  selinux: false
  env: []
  envFrom: []
  kubeletPath: /var/lib/kubelet
  loggingFormat: text
  logLevel: 2
  enableMetrics: false
  # If metrics are enabled, add prometheus.io/scrape and prometheus.io/port
  # annotations to the metrics services.
  enablePrometheusAnnotations: true
  serviceMonitor:
    # Enables the ServiceMonitor resource even if the prometheus-operator CRDs
    # are not installed
    forceEnable: false
    # Additional labels for ServiceMonitor object
    labels: {}
    interval: "15s"
  priorityClassName: null
  additionalArgs: []
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                  - fargate
                  - auto
                  - hybrid
  nodeSelector: {}
  daemonSetAnnotations: {}
  podAnnotations: {}
  podLabels: {}
  terminationGracePeriodSeconds: 30
  tolerateAllTaints: true
  tolerations:
    - operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
  resources:
    requests:
      cpu: 10m
      memory: 40Mi
    limits:
      memory: 256Mi
  revisionHistoryLimit: 10
  probeDirVolume:
    emptyDir: {}
  serviceAccount:
    create: true
    name: ebs-csi-node-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
    automountServiceAccountToken: true
    # Disable mutating permissions for the node service account.
    # When enabled, some features of the EBS CSI Driver node pods will not
    # function, such as taint removal.
    # Primarily useful in particularly security-sensitive environments, or on
    # multi-tenant clusters that isolate tenants by node.
    disableMutation: false
  # Enable the linux daemonset creation
  enableLinux: true
  enableWindows: true
  # Comma separated list of metadata sources that override the default used by
  # the EBS CSI Driver. Valid sources include 'imds', 'kubernetes', and
  # (ALPHA) 'metadata-labeler'
  metadataSources: null
  # Warning: This option will be removed in a future release. It is a
  # temporary workaround for users unable to immediately migrate off of older
  # kernel versions.
  # Formats XFS volumes with bigtime=0,inobtcount=0,reflink=0, for mounting
  # onto nodes with linux kernel version <= 5.4.
  # Note that XFS volumes formatted with this option will only have timestamp
  # records until 2038.
  legacyXFS: false
  # The number of attachment slots to reserve for system use (and not to be
  # used for CSI volumes)
  # When this parameter is not specified (or set to -1), the EBS CSI Driver
  # will attempt to determine the number of reserved slots via heuristic
  # Cannot be specified at the same time as `node.volumeAttachLimit`
  reservedVolumeAttachments: null
  # The "maximum number of attachable volumes" per node
  # Cannot be specified at the same time as `node.reservedVolumeAttachments`
  volumeAttachLimit: null
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: "10%"
  hostNetwork: false
  # securityContext on the node pod
  securityContext:
    # The node pod must be run as root to bind to the registration/driver sockets
    runAsNonRoot: false
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
  # allows you to deploy aws-ebs-csi-node daemonset to separate namespace
  # (make sure namespace exists before deploy)
  namespaceOverride: ""
  # Add additional volume mounts on the node pods with node.volumes and
  # node.volumeMounts
  volumes: []
  # Add additional volumes to be mounted onto the node pods:
  # - name: custom-dir
  #   hostPath:
  #     path: /path/to/dir
  #     type: Directory
  # A hostPath volume mounted into these root, privileged pods exposes that
  # part of the node's filesystem to them; keep the path narrow.
  volumeMounts: []
  # And add mount paths for those additional volumes:
  # - name: custom-dir
  #   mountPath: /mount/path
  # ---
  # securityContext on the node container (see sidecars for securityContext
  # on sidecar containers)
  # Privileged containers always run as `Unconfined`, which means that they
  # are not restricted by a seccomp profile.
  containerSecurityContext:
    readOnlyRootFilesystem: true
    privileged: true
  initContainers: []
  # containers to be run before the csi-node's container starts.
  #
  # Example:
  #
  # - name: wait
  #   image: public.ecr.aws/amazonlinux/amazonlinux
  #   command: [ 'sh', '-c', "sleep 20" ]
  # Enable opentelemetry tracing for the plugin running on the daemonset
  otelTracing: {}
  #  otelServiceName: ebs-csi-node
  #  otelExporterEndpoint: "http://localhost:4317"

  # dnsConfig for the node pods
  dnsConfig: {}
# Additional node DaemonSets, using the node config structure.
# See docs/additional-daemonsets.md for more information.
# Unset (null) by default.
additionalDaemonSets: null
#
# example:
#   nodeSelector:
#     node.kubernetes.io/instance-type: c5.large
#   volumeAttachLimit: 15
# StorageClass resources to create; none by default. With the empty list,
# whether provisioned volumes are encrypted presumably depends on classes
# defined elsewhere -- the example below requests it with `encrypted: "true"`.
storageClasses: []
# Add StorageClass resources like:
# - name: ebs-sc
#   # annotation metadata
#   annotations:
#     storageclass.kubernetes.io/is-default-class: "true"
#   # label metadata
#   labels:
#     my-label-is: supercool
#   # defaults to WaitForFirstConsumer
#   volumeBindingMode: WaitForFirstConsumer
#   # defaults to Delete
#   reclaimPolicy: Retain
#   parameters:
#     encrypted: "true"

# Off by default.
defaultStorageClass:
  enabled: false
# VolumeSnapshotClass resources to create; none by default.
volumeSnapshotClasses: []
# Add VolumeSnapshotClass resources like:
# - name: ebs-vsc
#   # annotation metadata
#   annotations:
#     snapshot.storage.kubernetes.io/is-default-class: "true"
#   # label metadata
#   labels:
#     my-label-is: supercool
#   # deletionPolicy must be specified
#   deletionPolicy: Delete
#   parameters:

# Use old CSIDriver without an fsGroupPolicy set
# Intended for use with older clusters that cannot easily replace the
# CSIDriver object
# This parameter should always be false for new installations
useOldCSIDriver: false
# nodeAllocatableUpdatePeriodSeconds updates the node's max attachable volume
# count by directing Kubelet to periodically call NodeGetInfo at the
# configured interval.
# Kubernetes enforces a minimum update interval of 10 seconds. A value of -1
# uses an automatically determined value dependent on metadata sources.
# This parameter is supported in Kubernetes 1.33+ and requires the
# MutableCSINodeAllocatableCount feature gate to be enabled in kubelet and
# kube-apiserver.
nodeAllocatableUpdatePeriodSeconds: -1
# Deploy EBS CSI Driver without controller and associated resources
nodeComponentOnly: false
# Set maximum verbosity for logs of each container and other recommended
# debugging parameters such as enabling AWS SDK debug logging
debugLogs: false
# Settings for the chart's test pod.
helmTester:
  enabled: true
  # Supply a custom image to the ebs-csi-driver-test pod in helm-tester.yaml
  # NOTE(review): unlike every other image reference in this file, this one is
  # pinned by tag only and comes from a different (staging) registry. If the
  # test pod is used, consider a digest-pinned reference of the form
  # <repository>:<tag>@sha256:<digest> (placeholder, not a real value).
  image: "us-central1-docker.pkg.dev/k8s-staging-test-infra/images/kubekins-e2e:v20260414-5a49ebcf1f-master"
