Bobcares

Mount an encrypted Amazon EFS file system to a pod in EKS

Sep 6, 2021

Wondering how to mount an encrypted Amazon EFS file system to a pod in EKS? We can help you with this!

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let's see the steps our Support Techs follow to help our customers mount an encrypted Amazon EFS file system to a pod in Amazon EKS.

 

Mount an encrypted Amazon EFS file system to a pod in EKS

 
Data in an Amazon EFS file system can be encrypted in two independent ways, and a production file system normally uses both:

  • Encrypting data at rest (chosen when the file system is created, backed by a KMS key).
  • Encrypting data in transit with TLS (chosen per mount, through the EFS CSI driver's encryptInTransit volume attribute).

 

Encrypting data at rest

 
1. Firstly, deploy the Amazon EFS CSI driver to the EKS cluster.

2. Then create an Amazon EFS file system with encryption at rest enabled. Encryption at rest is selected when the file system is created and cannot be switched on afterwards; an existing unencrypted file system has to be recreated (or its data copied to a new encrypted one).

3. Now, clone the GitHub repository given below to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the multiple_pods example directory:

cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/

5. After that, retrieve our Amazon EFS file system ID:

aws efs describe-file-systems

Sample output (values not needed for this check are trimmed):

{
    "FileSystems": [
        {
            "SizeInBytes": {
                "Timestamp": ,
                "Value":
            },
            "ThroughputMode": "",
            "CreationToken": "",
            "Encrypted": true,
            "CreationTime": ,
            "PerformanceMode": "",
            "FileSystemId": "[FileSystemId]",
            "NumberOfMountTargets": ,
            "LifeCycleState": "available",
            "KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
            "OwnerId": ""
        }
    ]
}

Confirm that "Encrypted" is true and that "KmsKeyId" is the KMS key you expect before going further. A file system created without encryption at rest reports "Encrypted": false and no KmsKeyId, and it cannot be converted in place.

6. Then go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory.

7. Now we need to replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted.

For example,

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]

8. Then deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod1.yaml
kubectl apply -f specs/pod2.yaml

9. After the objects are created, verify that the pods are running:

kubectl get pods

10. Then we need to list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally, verify that data written by the first pod is visible to the second pod through the shared Amazon EFS file system:

kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt
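A pre-flight check for the procedure above, written in Python as an added example that is not part of the original post or of the aws-efs-csi-driver project. It takes the JSON that aws efs describe-file-systems prints, refuses a file system that is not encrypted at rest (or whose mount targets are not yet available), and only then renders the static PersistentVolume manifest with volumeHandle filled in, adding the encryptInTransit volume attribute that the in-transit section of this post relies on. The sample JSON, the file system IDs and the KMS key ARN are constructed placeholders, and the function names audit_file_system and render_pv are choices made here.

```python
"""Pre-flight check before wiring an Amazon EFS file system into a static PV.

Added example, not code from the original post or from the aws-efs-csi-driver
project. Input is the JSON printed by `aws efs describe-file-systems`; the
sample below is constructed, and the IDs and KMS key ARN are placeholders.
"""
import json

# Constructed sample in the shape of `aws efs describe-file-systems --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {   # encrypted at rest and ready: the one we want to mount
            "FileSystemId": "fs-0123456789abcdef0",
            "Encrypted": True,
            "LifeCycleState": "available",
            "KmsKeyId": "arn:aws:kms:ap-southeast-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "PerformanceMode": "generalPurpose",
            "ThroughputMode": "bursting",
        },
        {   # created without encryption at rest: cannot be fixed in place
            "FileSystemId": "fs-0fedcba9876543210",
            "Encrypted": False,
            "LifeCycleState": "available",
            "PerformanceMode": "generalPurpose",
            "ThroughputMode": "bursting",
        },
        {   # encrypted but still being created: not mountable yet
            "FileSystemId": "fs-0aaaaaaaaaaaaaaa0",
            "Encrypted": True,
            "LifeCycleState": "creating",
            "KmsKeyId": "arn:aws:kms:ap-southeast-1:111122223333:key/11111111-1111-1111-1111-111111111111",
        },
    ]
})


class EfsPreflightError(Exception):
    """Raised by render_pv when the file system fails the audit."""


def audit_file_system(describe_json, fs_id):
    """Return the reasons fs_id must not be mounted; an empty list means it passed."""
    entries = json.loads(describe_json)["FileSystems"]
    matches = [fs for fs in entries if fs.get("FileSystemId") == fs_id]
    if not matches:
        return ["%s not present in describe-file-systems output" % fs_id]
    fs = matches[0]
    problems = []
    # Encryption at rest is fixed at creation time, so this is a hard stop.
    if fs.get("Encrypted") is not True:
        problems.append("not encrypted at rest; recreate the file system with encryption enabled")
    elif not fs.get("KmsKeyId", "").startswith("arn:aws:kms:"):
        problems.append("encrypted but KmsKeyId is missing or not a KMS key ARN")
    if fs.get("LifeCycleState") != "available":
        problems.append("LifeCycleState is %r, expected 'available'" % fs.get("LifeCycleState"))
    return problems


def render_pv(describe_json, fs_id, name="efs-pv", storage_class="efs-sc",
              encrypt_in_transit=True):
    """Render the static PersistentVolume manifest used by the driver's examples.

    encryptInTransit is written as a volumeAttribute so the TLS requirement is
    stated in the manifest rather than left to the driver's default.
    """
    problems = audit_file_system(describe_json, fs_id)
    if problems:
        raise EfsPreflightError("%s: %s" % (fs_id, "; ".join(problems)))
    lines = [
        "apiVersion: v1",
        "kind: PersistentVolume",
        "metadata:",
        "  name: %s" % name,
        "spec:",
        "  capacity:",
        "    storage: 5Gi",
        "  volumeMode: Filesystem",
        "  accessModes:",
        "    - ReadWriteMany",
        "  persistentVolumeReclaimPolicy: Retain",
        "  storageClassName: %s" % storage_class,
        "  csi:",
        "    driver: efs.csi.aws.com",
        "    volumeHandle: %s" % fs_id,
        "    volumeAttributes:",
        '      encryptInTransit: "%s"' % ("true" if encrypt_in_transit else "false"),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_pv(SAMPLE_DESCRIBE_OUTPUT, "fs-0123456789abcdef0"))
    for bad in ("fs-0fedcba9876543210", "fs-0aaaaaaaaaaaaaaa0"):
        print(bad, "->", audit_file_system(SAMPLE_DESCRIBE_OUTPUT, bad))
```

To use it against a real account, pipe the output of aws efs describe-file-systems into the script instead of the constructed sample and write the rendered manifest to specs/pv.yaml; the audit runs before anything is rendered, so an unencrypted or still-creating file system never reaches kubectl apply.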

 

Encrypting data in transit with TLS

 
For encrypting the data in transit with TLS:

1. Firstly, we should deploy the Amazon EFS Container Storage Interface (CSI) driver for the EKS cluster.

2. Then create an Amazon EFS file system for our cluster. The example below uses a file system without encryption at rest, so that the TLS mount alone demonstrates encryption in transit; in practice, combine it with encryption at rest, since the two settings are independent.

3. Now clone the following GitHub repository to our local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Then go to the encryption_in_transit example directory:

cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/

5. After that, retrieve our Amazon EFS file system ID:

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

6. Then go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory.

7. Then replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system. The volumeAttributes entry encryptInTransit: "true" is what instructs the driver to mount the file system over TLS; newer releases of the driver enable it by default, but stating it in the manifest keeps the requirement explicit and reviewable.

For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
    volumeAttributes:
      encryptInTransit: "true"

8. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml

9. After the objects are created, verify that your pod is running:

kubectl get pods

10. Then list the persistent volumes in the default namespace:

kubectl get pv

11. Also describe the persistent volume:

kubectl describe pv efs-pv

12. Finally, verify that the pod is writing to the Amazon EFS file system:

kubectl exec -ti efs-app -- tail -f /data/out.txt

The file contents alone do not prove that TLS is in use. To confirm it, inspect the mount on the worker node: with encryption in transit the NFS source is 127.0.0.1:/ (a local stunnel that efs-utils sets up for the driver), whereas a plaintext mount shows the file system's DNS name as the source.
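The check on the worker node, as an added Python example that is not part of the original post or of the aws-efs-csi-driver project: it reads a /proc/mounts dump, picks out the NFS mounts that kubelet created for CSI volumes, and reports whether each one goes through the local stunnel (source 127.0.0.1:/ on a port from the efs-utils default range 20049-20449) or straight to the file system in plaintext. The mount table below is constructed; the pod UIDs, PV names and addresses in it are placeholders, and the function names are choices made here.

```python
"""Tell TLS-wrapped EFS mounts apart from plaintext ones using a node's mount table.

Added example, not code from the original post or from the aws-efs-csi-driver
project. With encryptInTransit enabled the driver mounts through efs-utils,
which starts a local stunnel and mounts 127.0.0.1:/ over a port taken from
the efs-utils default range 20049-20449; a plaintext mount shows the file
system's DNS name as the source instead. The mount table below is
constructed; pod UIDs, PV names and addresses are placeholders.
"""

# efs-utils default port_range_lower_bound / port_range_upper_bound
STUNNEL_PORT_RANGE = range(20049, 20450)
CSI_MARKER = "/kubernetes.io~csi/"

SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
127.0.0.1:/ /var/lib/kubelet/pods/6f1d2a3b-0000-4000-8000-000000000001/volumes/kubernetes.io~csi/efs-pv/mount nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20160,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1 0 0
fs-0fedcba9876543210.efs.ap-southeast-1.amazonaws.com:/ /var/lib/kubelet/pods/6f1d2a3b-0000-4000-8000-000000000002/volumes/kubernetes.io~csi/efs-pv-plain/mount nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.1.20,local_lock=none,addr=10.0.12.34 0 0
"""


def parse_mount_line(line):
    """Split one /proc/mounts line into (source, mountpoint, fstype, options dict)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    source, mountpoint, fstype, opts = parts[:4]
    options = {}
    for opt in opts.split(","):
        key, _, value = opt.partition("=")
        options[key] = value
    return source, mountpoint, fstype, options


def csi_pv_name(mountpoint):
    """Return the PV name embedded in a kubelet CSI mount path, else None."""
    idx = mountpoint.find(CSI_MARKER)
    if idx < 0:
        return None
    return mountpoint[idx + len(CSI_MARKER):].split("/")[0]


def classify_efs_mount(line):
    """Classify one mount line; returns None unless it is a CSI-managed NFS mount."""
    parsed = parse_mount_line(line)
    if parsed is None:
        return None
    source, mountpoint, fstype, options = parsed
    if not fstype.startswith("nfs"):
        return None
    pv = csi_pv_name(mountpoint)
    if pv is None:
        return None
    host = source.rsplit(":", 1)[0]
    try:
        port = int(options.get("port") or 0)
    except ValueError:
        port = 0
    # TLS mounts terminate at the local stunnel listener, never at the EFS endpoint.
    tls = host == "127.0.0.1" and port in STUNNEL_PORT_RANGE
    detail = ("stunnel on 127.0.0.1:%d" % port) if tls else ("plaintext NFS to %s" % host)
    return {"pv": pv, "mountpoint": mountpoint, "tls": tls, "detail": detail}


def audit_efs_mounts(proc_mounts_text):
    """Classify every CSI-managed NFS mount in a /proc/mounts dump."""
    return [r for r in map(classify_efs_mount, proc_mounts_text.splitlines()) if r]


def unencrypted_pvs(proc_mounts_text):
    """Names of PVs whose data is crossing the network without TLS."""
    return sorted(r["pv"] for r in audit_efs_mounts(proc_mounts_text) if not r["tls"])


if __name__ == "__main__":
    import sys
    # `--live` reads the real mount table; otherwise the constructed sample is used.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/mounts").read() if live else SAMPLE_PROC_MOUNTS
    for r in audit_efs_mounts(text):
        print("%-14s %s  %s" % (r["pv"], "TLS      " if r["tls"] else "PLAINTEXT", r["detail"]))
```

Run it with --live on the worker node itself (for example over SSM Session Manager or from a node debug pod that has the host's /proc visible); any PV that comes back as PLAINTEXT was mounted without encryptInTransit and should have its PersistentVolume corrected and remounted. If the node's efs-utils.conf changes the stunnel port range, adjust STUNNEL_PORT_RANGE to match.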


Conclusion

 
To conclude, today we discussed the steps our Support Engineers follow to help our customers mount an encrypted Amazon EFS file system to a pod in EKS, covering both encryption at rest (selected when the file system is created) and encryption in transit (selected per mount with the encryptInTransit volume attribute).
