How do I mount an encrypted Amazon EFS file system to a pod in Amazon EKS?

4 minute read

I want to mount an encrypted Amazon Elastic File System (Amazon EFS) file system to a pod in Amazon Elastic Kubernetes Service (Amazon EKS).

Short description

You can encrypt your data either in transit with TLS or at rest.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Encrypt data in transit with TLS

To encrypt your data in transit with TLS, complete the following steps:

Deploy the Amazon EFS Container Storage Interface (CSI) driver for your Amazon EKS cluster.
Create an Amazon EFS file system without encryption for your cluster.
Note: When you create the file system, create a mount target for Amazon EFS in all Availability Zones where your EKS nodes are located.

Clone the GitHub repository to your local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

Go to the encryption_in_transit example directory:

cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/

Retrieve your Amazon EFS file system ID:

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

Go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory. Then, replace the value of VolumeHandle with the FileSystemId of the Amazon EFS file system that you're mounting. For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
    volumeAttributes:
      encryptInTransit: "true"

Note: The volumeAttributes: encryptInTransit mount option activates encryption in transit.

Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml

Verify that your pod is in a running state:
```
kubectl get pods
```
List the persistent volumes in the default namespace:
```
kubectl get pv
```
Describe the persistent volume:
```
kubectl describe pv efs-pv
```
Note: The Amazon EFS file system ID is listed as the VolumeHandle.

Verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti efs-app -- tail -f /data/out.txt

Encrypt data at rest

To encrypt data at rest, complete the following steps:

Deploy the Amazon EFS CSI driver for your Amazon EKS cluster.
Turn on encryption at rest for your Amazon EKS cluster to create an Amazon EFS file system.

Clone the following GitHub repository to your local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

Go to the multiple_pods example directory:

cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/

Retrieve your Amazon EFS file system ID:

aws efs describe-file-systems

Example output:

{ "FileSystems": [
 {
 "SizeInBytes": {
 "Timestamp": ,
 "Value":
 },
 "ThroughputMode": "",
 "CreationToken": "",
 "Encrypted": true,
 "CreationTime": ,
 "PerformanceMode": "",
 "FileSystemId": "[FileSystemId]",
 "NumberOfMountTargets": ,
 "LifeCycleState": "available",
 "KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
 "OwnerId": ""
 },
 ]
}

Go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory. Then, replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that you're mounting. For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]

Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:

kubectl apply -f specs/storageclass.yaml  
kubectl apply -f specs/pv.yaml 
kubectl apply -f specs/claim.yaml 
kubectl apply -f specs/pod1.yaml 
kubectl apply -f specs/pod2.yaml

Verify that your pod is in a running state:
```
kubectl get pods
```
List the persistent volumes in the default namespace:
```
kubectl get pv
```

Describe the persistent volume:

kubectl describe pv efs-pv

Verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt

Topics

Containers

Relevant content

DataSync with EFS Source fails when policy requires encryption in transit.
Accepted Answer
Nathan Zook--Carrum Health
asked 3 years ago
Mounting EBS or EFS as File System in on Premise Instances
della
asked 2 years ago
Is it possible to use an encrypted file system with CodeBuild?
ScottWellsSirono
asked 6 years ago
EKS pods see inconsistent data when using EFS PV
Ronald
asked 2 years ago
Mount an AWS Secrets Manager secret in an Amazon EKS pod
Damien Gallagher
asked a year ago
How do I turn on encryption at rest for an existing Amazon EFS file system?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot issues with my Amazon EFS volume mounts in Amazon EKS?
AWS OFFICIALUpdated 2 years ago
How do I mount an Amazon EFS file system on an Amazon ECS container or a task that runs on Fargate?
AWS OFFICIALUpdated 3 months ago
How do I mount an EFS file system on an ECS container or task that runs on Amazon EC2?
AWS OFFICIALUpdated 10 months ago
Demystifying EFS-Claim not bound on AWS Fargate with Amazon EKS
EXPERT
Shubham Sharan
published 2 years ago