Bobcares

Mount an encrypted Amazon EFS file system to a pod in EKS

by | Sep 6, 2021

Wondering how to mount an encrypted Amazon EFS file system to a pod in EKS? We can help you with this!

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers to fix ECR issues with Amazon EKS.

 

Mount an encrypted Amazon EFS file system to a pod in EKS

 
By using one of the following methods we can encrypt data in Amazon EFS file system:

  • Encrypting data at rest.
  • By encrypting data in transit with TLS.

 

Encrypting data at rest

 
1. Firstly, we should deploy the Amazon EFS CSI driver for the EKS cluster.

2. Then by enabling encryption at rest for the  EKS cluster we can create an Amazon EFS file system.

3. Now, clone the GitHub repository given below to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the multiple_pods example directory:

cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/

5. After that, recover our Amazon EFS file system ID:

aws efs describe-file-systems

Sample output:

{
"FileSystems": [
{
"SizeInBytes": {
"Timestamp": ,
"Value":
},
"ThroughputMode": "",
"CreationToken": “”,
"Encrypted": true,
"CreationTime": ,
"PerformanceMode": "",
"FileSystemId": "[FileSystemId]",
"NumberOfMountTargets": ,
"LifeCycleState": "available",
"KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
"OwnerId": ""
},
]
}

6. Then go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory.

7. Now we need to replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted.

For example,

apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]

8. Then deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod1.yaml
kubectl apply -f specs/pod2.yaml

9. Verify that our pod is running after the creation of objects:

kubectl get pods

10. Then we need to list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally, check and verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt

 

Encrypting data in transit with TLS

 
For encrypting the data in transit with TLS:

1. Firstly, we should deploy the Amazon EFS Container Storage Interface (CSI) driver for the EKS cluster.

2. Then we need to create an Amazon EFS file system without encryption for our cluster.

3. Now clone the following GitHub repository to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the encryption_in_transit example directory:

cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/

5. After that, we should recover our Amazon EFS file system ID:

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

6. Then go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory.

7. Then, replace the value of VolumeHandle with the FileSystemId of the Amazon EFS file system.

For example:

apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]
volumeAttributes:
encryptInTransit: "true"

8. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml

9. After the objects are created, verify that your pod is running:

kubectl get pods

10. Then list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally check and verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti efs-app -- tail -f /data/out.txt

[Need help with more AWS queries? We’d be happy to assist]
 

Conclusion

 
To conclude, today we discussed the steps followed by our Support Engineers to help our customers to mount an encrypted Amazon EFS file system to a pod in EKS.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.