Bobcares
Client Area
Emergency Support
Amazon Web Services (AWS) | Latest

Mount an encrypted Amazon EFS file system to a pod in EKS

by | Sep 6, 2021

Wondering how to mount an encrypted Amazon EFS file system to a pod in EKS? We can help you with this!

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers to fix ECR issues with Amazon EKS.

 

Mount an encrypted Amazon EFS file system to a pod in EKS

 
By using one of the following methods we can encrypt data in Amazon EFS file system:

  • Encrypting data at rest.
  • By encrypting data in transit with TLS.

 

Encrypting data at rest

 
1. Firstly, we should deploy the Amazon EFS CSI driver for the EKS cluster.

2. Then by enabling encryption at rest for the  EKS cluster we can create an Amazon EFS file system.

3. Now, clone the GitHub repository given below to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the multiple_pods example directory:

cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/

5. After that, recover our Amazon EFS file system ID:

aws efs describe-file-systems

Sample output:

{
"FileSystems": [
{
"SizeInBytes": {
"Timestamp": ,
"Value":
},
"ThroughputMode": "",
"CreationToken": “”,
"Encrypted": true,
"CreationTime": ,
"PerformanceMode": "",
"FileSystemId": "[FileSystemId]",
"NumberOfMountTargets": ,
"LifeCycleState": "available",
"KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
"OwnerId": ""
},
]
}

6. Then go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory.

7. Now we need to replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted.

For example,

apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]

8. Then deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod1.yaml
kubectl apply -f specs/pod2.yaml

9. Verify that our pod is running after the creation of objects:

kubectl get pods

10. Then we need to list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally, check and verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt

 

Encrypting data in transit with TLS

 
For encrypting the data in transit with TLS:

1. Firstly, we should deploy the Amazon EFS Container Storage Interface (CSI) driver for the EKS cluster.

2. Then we need to create an Amazon EFS file system without encryption for our cluster.

3. Now clone the following GitHub repository to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the encryption_in_transit example directory:

cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/

5. After that, we should recover our Amazon EFS file system ID:

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

6. Then go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory.

7. Then, replace the value of VolumeHandle with the FileSystemId of the Amazon EFS file system.

For example:

apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]
volumeAttributes:
encryptInTransit: "true"

8. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml

9. After the objects are created, verify that your pod is running:

kubectl get pods

10. Then list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally check and verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti efs-app -- tail -f /data/out.txt

[Need help with more AWS queries? We’d be happy to assist]
 

Conclusion

 
To conclude, today we discussed the steps followed by our Support Engineers to help our customers to mount an encrypted Amazon EFS file system to a pod in EKS.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

Related posts:

  1. How to find out the Source of EC2 instance launch: Amazon EC2
  2. How to troubleshoot DNS failures with Amazon EKS
  3. EC2: Configure SAR to monitor performance metrics – How to do
  4. EC2 status check failed – How to fix

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. How to find out the Source of EC2 instance launch: Amazon EC2
  2. How to troubleshoot DNS failures with Amazon EKS
  3. EC2: Configure SAR to monitor performance metrics – How to do
  4. EC2 status check failed – How to fix

Never again lose customers to poor
server speed! Let us help you.

GET STARTED