
Mount using pod impersonation fails with "Volume context property not supported" #774

Closed
razvan-moj opened this issue Sep 28, 2022 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@razvan-moj

razvan-moj commented Sep 28, 2022

/kind bug

Driver installation works fine, using the latest 2.2.8 chart (https://github.com/ministryofjustice/cloud-platform-terraform-efs-csi/blob/impersonation/main.tf#L60), driver 1.4.1

FS, PV and PVC are created with no issues, using https://github.com/ministryofjustice/cloud-platform-terraform-efs-pv/tree/frist, called as just:

module "efs" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-efs-pv?ref=frist"

  cluster_name = var.cluster_name
  namespace    = var.namespace
  encrypted    = true
}

test pod example:

apiVersion: v1
kind: Pod
metadata:
  name: raz-app-1
  namespace: raz-test-not-one
spec:
  containers:
  - name: raz-app-1
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(hostname ; date -u) >> /data/out.txt; sleep 5; done"]
    volumeMounts:
    - name: efs-storage
      mountPath: /data
  serviceAccountName: efs-raz-test-not-one
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  volumes:
  - name: efs-storage
    persistentVolumeClaim:
      claimName: raz-test-raz-test-not-one

Pods get stuck in ContainerCreating, there are no useful logs on the controller, and kubectl get events says:

25s         Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/pod.uid not supported
23s         Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property podIAMAuthorization not supported
9s          Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/serviceAccount.tokens not supported

Environment

  • Kubernetes version (use kubectl version): EKS 1.21
  • Driver version: 1.4.1

Note everything works, creation, PV, mount, use in multiple pods, as long as we do not use IAM.
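The three FailedMount events above name one rejected volume-context key each, but they do not say where each key came from. The script below is an added triage example (not code from the EFS CSI driver project or the reporter's repositories). It parses `kubectl get events` lines of the form shown in the report, extracts the rejected keys per volume, and classifies each key by the Kubernetes object that supplies it: keys under `csi.storage.k8s.io/` are injected by the kubelet only when the driver's CSIDriver object sets `podInfoOnMount` or `tokenRequests`, while any other key must come from the PV's `volumeAttributes`. The event lines are copied from the issue; the sample PV attributes (`podIAMAuthorization: "true"`) are a constructed assumption about what an IAM-enabled PV would carry.

```python
"""Triage "Volume context property ... not supported" FailedMount events.

Added example for this issue, not part of aws-efs-csi-driver. Event lines are
taken from the report; the PV attributes below are a constructed sample.
"""
import re
from collections import defaultdict

# Message shape as printed by `kubectl get events` in the issue report.
UNSUPPORTED_RE = re.compile(
    r'MountVolume\.SetUp failed for volume "(?P<volume>[^"]+)"'
    r'.*?Volume context property (?P<key>\S+) not supported'
)

# Keys the kubelet injects into the NodePublishVolume context when the
# CSIDriver object sets podInfoOnMount: true (Kubernetes CSIDriver docs).
POD_INFO_KEYS = {
    "csi.storage.k8s.io/pod.name",
    "csi.storage.k8s.io/pod.namespace",
    "csi.storage.k8s.io/pod.uid",
    "csi.storage.k8s.io/serviceAccount.name",
    "csi.storage.k8s.io/ephemeral",
}
# Injected only when the CSIDriver object lists tokenRequests.
TOKEN_KEY = "csi.storage.k8s.io/serviceAccount.tokens"

# Copied from the issue's `kubectl get events` output.
SAMPLE_EVENTS = [
    '25s         Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/pod.uid not supported',
    '23s         Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property podIAMAuthorization not supported',
    '9s          Warning   FailedMount   pod/raz-app-1   MountVolume.SetUp failed for volume "raz-test-raz-test-not-one-efs" : rpc error: code = InvalidArgument desc = Volume context property csi.storage.k8s.io/serviceAccount.tokens not supported',
]

# Constructed sample: volumeAttributes an IAM-enabled PV is assumed to carry.
SAMPLE_PV_ATTRIBUTES = {
    "raz-test-raz-test-not-one-efs": {"podIAMAuthorization": "true"},
}


def rejected_keys(event_lines):
    """Return {volume_name: sorted list of rejected volume-context keys}."""
    found = defaultdict(set)
    for line in event_lines:
        match = UNSUPPORTED_RE.search(line)
        if match:
            found[match.group("volume")].add(match.group("key"))
    return {volume: sorted(keys) for volume, keys in found.items()}


def classify(key):
    """Name the object field that puts `key` into the volume context."""
    if key in POD_INFO_KEYS:
        return "CSIDriver.spec.podInfoOnMount"
    if key == TOKEN_KEY:
        return "CSIDriver.spec.tokenRequests"
    return "PersistentVolume.spec.csi.volumeAttributes"


def triage(event_lines, pv_attributes):
    """Per volume, map each rejected key to its source and whether the PV
    actually declares it; a rejected key absent from the PV was injected."""
    report = {}
    for volume, keys in rejected_keys(event_lines).items():
        declared = pv_attributes.get(volume, {})
        report[volume] = {
            key: {"source": classify(key), "in_pv": key in declared}
            for key in keys
        }
    return report


if __name__ == "__main__":
    for volume, keys in triage(SAMPLE_EVENTS, SAMPLE_PV_ATTRIBUTES).items():
        print(f"volume {volume}:")
        for key, info in keys.items():
            where = "declared in PV" if info["in_pv"] else "injected by kubelet"
            print(f"  {key}: {where}; remove via {info['source']}")
```

Run it against real output with `kubectl get events -A | python3 triage.py`-style piping after swapping `SAMPLE_EVENTS` for `sys.stdin`. The point of the split is the fix path: a rejected `csi.storage.k8s.io/` key is cleared by reverting the CSIDriver object (the chart's `podInfoOnMount`/`tokenRequests` settings) to match the driver binary that is actually installed, whereas `podIAMAuthorization` is cleared by removing it from the PV, which matches the report's observation that mounts work as long as IAM is not used.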

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 28, 2022
@tjdett

tjdett commented Oct 12, 2022

Is #777 related to this?

@Ashley-wenyizha
Contributor

We have reverted this feature, unfortunately, due to a security concern from the EKS side. We will add this feature through the efs-utils side, but we do not have a clear timeline at the moment.

@andrecastro

@Ashley-wenyizha Why was this reverted? What were the concerns?
In a shared cluster, this feature improves security by allowing better access control. With the secrets-store-csi-driver, I can create secrets in AWS Secrets Manager and restrict access to specific pods using resource policies. It would be great if we could do something similar with EFS, so we can limit access to only the pods we specify.
