Wondering how to mount an encrypted Amazon EFS file system to a pod in EKS? We can help you with this!
As a part of our AWS Support Services, we often receive similar requests from our AWS customers.
Today, let's see the steps our Support Techs follow to mount an encrypted Amazon EFS file system to a pod in Amazon EKS.
Mount an encrypted Amazon EFS file system to a pod in EKS
Data in an Amazon EFS file system can be protected in two ways. They are independent of each other and can be combined:
- Encrypting data at rest (chosen when the file system is created, backed by an AWS KMS key).
- Encrypting data in transit with TLS (configured on the Kubernetes volume, enforced by the EFS CSI driver's mount helper).
Encrypting data at rest
1. Firstly, we should deploy the Amazon EFS CSI driver for the EKS cluster.
2. Then create an Amazon EFS file system for the cluster with encryption at rest enabled. Encryption at rest can only be selected when the file system is created; an existing unencrypted file system cannot be converted and must be recreated.
3. Now, clone the GitHub repository given below to our local system:
git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git
4. Then go to the multiple_pods example directory:
cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/
5. After that, retrieve our Amazon EFS file system ID and confirm that the file system reports "Encrypted": true together with a KmsKeyId:
aws efs describe-file-systems
Sample output (values other than the encryption fields replaced with placeholders):
{
    "FileSystems": [
        {
            "SizeInBytes": {
                "Timestamp": [Timestamp],
                "Value": [Value]
            },
            "ThroughputMode": "[ThroughputMode]",
            "CreationToken": "[CreationToken]",
            "Encrypted": true,
            "CreationTime": [CreationTime],
            "PerformanceMode": "[PerformanceMode]",
            "FileSystemId": "[FileSystemId]",
            "NumberOfMountTargets": [NumberOfMountTargets],
            "LifeCycleState": "available",
            "KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
            "OwnerId": "[OwnerId]"
        }
    ]
}
6. Then go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory.
7. Now we need to replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted.
For example,
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
8. Then deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:
kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod1.yaml
kubectl apply -f specs/pod2.yaml
9. After the objects are created, verify that both pods are running:
kubectl get pods
10. Then we need to list the persistent volumes in the default namespace:
kubectl get pv
11. Also describe the persistent volume:
kubectl describe pv efs-pv
12. Finally, verify that data is being written to the Amazon EFS file system. Both pods write to the same file, so the output of the two commands should match, which confirms they share one file system:
kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt
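The steps above substitute a file system ID into pv.yaml by hand, and nothing stops an unencrypted file system from being mounted the same way. The following preflight script is an added example, not part of the original page or of the aws-efs-csi-driver project: it reads the JSON that aws efs describe-file-systems prints, refuses any file system that is not encrypted at rest, lacks a KMS key ARN, is not available or has no mount targets, and only then renders the pv.yaml shown above with volumeHandle filled in. The describe-file-systems output embedded in it is constructed sample data, and efs_preflight.py is an assumed file name.

```python
import json
import re

# Constructed sample of `aws efs describe-file-systems` output (not real account data):
# the first file system was created with encryption at rest, the second without.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:ap-southeast-1:111122223333:key/11111111-2222-3333-4444-555555555555",
            "LifeCycleState": "available",
            "NumberOfMountTargets": 3,
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Encrypted": False,
            "LifeCycleState": "available",
            "NumberOfMountTargets": 3,
        },
    ]
})

# EFS file system IDs are "fs-" followed by 8 or 17 lowercase hex characters.
FS_ID_RE = re.compile(r"^fs-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Same shape as the multiple_pods pv.yaml on this page; only volumeHandle is filled in.
PV_TEMPLATE = """\
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: {fs_id}
"""


def check_encrypted_at_rest(describe_json, fs_id):
    """Return a list of reasons fs_id must not be used; an empty list means it passed."""
    if not FS_ID_RE.match(fs_id):
        return [f"{fs_id!r} is not a valid EFS file system ID"]
    entries = [fs for fs in json.loads(describe_json).get("FileSystems", [])
               if fs.get("FileSystemId") == fs_id]
    if not entries:
        return [f"{fs_id} not found in describe-file-systems output"]
    fs = entries[0]
    problems = []
    if fs.get("Encrypted") is not True:
        # Encryption at rest is chosen at creation time and cannot be turned on later.
        problems.append(f"{fs_id} is not encrypted at rest; recreate it with encryption enabled")
    elif not str(fs.get("KmsKeyId", "")).startswith("arn:aws:kms:"):
        problems.append(f"{fs_id} reports Encrypted=true but no KMS key ARN")
    if fs.get("LifeCycleState") != "available":
        problems.append(f"{fs_id} is in state {fs.get('LifeCycleState')!r}, not 'available'")
    if fs.get("NumberOfMountTargets", 0) < 1:
        problems.append(f"{fs_id} has no mount targets, so cluster nodes cannot reach it")
    return problems


def render_pv_manifest(describe_json, fs_id):
    """Render pv.yaml for fs_id, refusing unless every preflight check passed."""
    problems = check_encrypted_at_rest(describe_json, fs_id)
    if problems:
        raise ValueError("; ".join(problems))
    return PV_TEMPLATE.format(fs_id=fs_id)


if __name__ == "__main__":
    import sys
    # Usage (efs_preflight.py is an assumed file name for this script):
    #   aws efs describe-file-systems | python3 efs_preflight.py fs-0123456789abcdef0 > specs/pv.yaml
    # With no piped input the constructed sample above is used instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "fs-0123456789abcdef0"
    describe = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    sys.stdout.write(render_pv_manifest(describe, target))
```

Because the manifest is only written when the checks pass, a CI job that pipes the real describe-file-systems output through this script cannot silently roll out a PersistentVolume that points at a plaintext file system.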
Encrypting data in transit with TLS
For encrypting the data in transit with TLS:
1. Firstly, we should deploy the Amazon EFS Container Storage Interface (CSI) driver for the EKS cluster.
2. Then create an Amazon EFS file system for the cluster. The example uses a file system without encryption at rest only to show that encryption in transit is configured independently of it; for production data, enable both.
3. Now clone the following GitHub repository to our local system:
git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git
4. Then go to the encryption_in_transit example directory:
cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/
5. After that, retrieve our Amazon EFS file system ID:
aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text
6. Then go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory.
7. Then replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system and keep encryptInTransit set to "true". The driver treats the attribute as "true" when it is absent; setting it to "false" mounts the file system over plain NFS to the mount target on TCP port 2049, with no TLS.
For example:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
    volumeAttributes:
      encryptInTransit: "true"
8. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:
kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml
9. After the objects are created, verify that your pod is running:
kubectl get pods
10. Then list the persistent volumes in the default namespace:
kubectl get pv
11. Also describe the persistent volume:
kubectl describe pv efs-pv
12. Finally, verify that data is being written to the Amazon EFS file system. To confirm that the traffic really goes through TLS, also check /proc/mounts inside the pod: with encryption in transit, /data is mounted from 127.0.0.1:/ on a local port (the stunnel endpoint that efs-utils starts on the node) rather than from the file system's DNS name.
kubectl exec -ti efs-app -- tail -f /data/out.txt
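Seeing output in /data/out.txt proves the volume mounted, not that it mounted with TLS. The following checker is an added example, not part of the original page or of the aws-efs-csi-driver project: it reads /proc/mounts as seen from inside a pod, classifies each NFS mount as TLS (served from the loopback stunnel endpoint) or plaintext (served directly from the EFS DNS name or a mount-target IP), and separately reads a PV manifest to report whether encryptInTransit is requested, treating an absent attribute as "true" because that is the driver's default. The /proc/mounts lines embedded in it are constructed samples, and efs_tls_check.py is an assumed file name.

```python
import re

# Constructed /proc/mounts lines as seen from inside a pod (not captured from a real cluster):
# /data was mounted through the efs-utils TLS tunnel, /legacy with encryptInTransit "false"
# and so talks plain NFS to the mount target; the overlay root is there to be skipped.
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/containerd/l,upperdir=/var/lib/containerd/u 0 0
127.0.0.1:/ /data nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,noresvport,proto=tcp,port=20049,timeo=600,retrans=2,sec=sys,addr=127.0.0.1 0 0
fs-0fedcba9876543210.efs.ap-southeast-1.amazonaws.com:/ /legacy nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,noresvport,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,addr=10.0.2.45 0 0
"""


def classify_nfs_mounts(proc_mounts_text):
    """Return {mount_point: "tls" | "plaintext"} for every NFS mount in /proc/mounts text."""
    result = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts fields: source, mount point, fstype, options, dump, pass
        if len(fields) < 4 or not fields[2].startswith("nfs"):
            continue
        source, mount_point = fields[0], fields[1]
        host = source.rsplit(":", 1)[0]
        # With encryptInTransit "true", efs-utils mounts from a stunnel listener on
        # loopback (source 127.0.0.1:/ plus a non-default port= option). Any other
        # source means NFS traffic leaves the node unencrypted on TCP 2049.
        result[mount_point] = "tls" if host == "127.0.0.1" else "plaintext"
    return result


def plaintext_nfs_mounts(proc_mounts_text):
    """Mount points that need investigation: NFS volumes served without the TLS tunnel."""
    return sorted(mp for mp, how in classify_nfs_mounts(proc_mounts_text).items()
                  if how == "plaintext")


def pv_requests_tls(pv_manifest_text):
    """True unless the PV explicitly sets encryptInTransit to "false" (driver default is true)."""
    m = re.search(r'encryptInTransit:\s*"?(true|false)"?', pv_manifest_text)
    return m is None or m.group(1) == "true"


if __name__ == "__main__":
    import sys
    # Usage (efs_tls_check.py is an assumed file name for this script):
    #   kubectl exec efs-app -- cat /proc/mounts | python3 efs_tls_check.py
    # Exits non-zero if any NFS mount in the pod bypasses TLS. With no piped input
    # the constructed sample above is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROC_MOUNTS
    for mount_point, how in classify_nfs_mounts(text).items():
        print(f"{mount_point}: {how}")
    sys.exit(1 if plaintext_nfs_mounts(text) else 0)
```

Running this against the pod from step 12 should list /data as tls; a plaintext result means the PV was applied with encryptInTransit "false", or the volume was mounted by something other than the EFS CSI driver's mount helper.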
Conclusion
To conclude, today we discussed the steps followed by our Support Engineers to help our customers to mount an encrypted Amazon EFS file system to a pod in EKS.