CRE-2025-0026

AWS EBS CSI Driver fails to detach volume when VolumeAttachment has empty nodeNameLow

Impact: 6/10

Mitigation: 1/10

CRE-2025-0026View on GitHub

ebscsiAWSStoragePublic

Description

In clusters using the AWS EBS CSI driver, the controller may fail to detach a volume if the associated VolumeAttachment resource has an empty `spec.nodeName`. This results in a log error and skipped detachment, which may block PVC reuse or node cleanup.

Cause

The controller attempts to locate the node based on `VolumeAttachment.spec.nodeName`. If this field is empty, the controller's logic skips processing, leading to a failure in detachment flow. This commonly happens when a VolumeAttachment is deleted before node assignment completes.

Mitigation

• Upgrade to aws-ebs-csi-driver v1.26.1 or later.
• Avoid deleting PVCs or terminating pods immediately after volume provisioning.
• Monitor for detachment failures via controller logs.

References

• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1447#issuecomment-1664682557
• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1576
• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.26.1