How do I mount an encrypted Amazon EFS file system to a pod in Amazon EKS?

4 minute read

I want to mount an encrypted Amazon Elastic File System (Amazon EFS) file system to a pod in Amazon Elastic Kubernetes Service (Amazon EKS).

Short description

You can encrypt data in your Amazon EFS file system using one of the following methods:

In the "Resolution" section, choose an encryption method based on your needs.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Encrypt data in transit with TLS

1. Deploy the Amazon EFS Container Storage Interface (CSI) driver for your Amazon EKS cluster.

2. Create an Amazon EFS file system without encryption for your cluster.

3. Clone the GitHub repository to your local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Go to the encryption_in_transit example directory:

cd aws-efs-csi-driver/examples/kubernetes/encryption_in_transit/

5. Retrieve your Amazon EFS file system ID:

aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text

6. Go to the pv.yaml file in the /examples/kubernetes/encryption_in_transit/specs/ directory. Then, replace the value of VolumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted. For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
    volumeAttributes:
      encryptInTransit: "true"

Note: The volumeAttributes: encryptInTransit mount option activates encryption in transit.

7. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/encryption_in_transit/specs/ directory:

kubectl apply -f specs/storageclass.yaml
kubectl apply -f specs/pv.yaml
kubectl apply -f specs/claim.yaml
kubectl apply -f specs/pod.yaml

8. After the objects are created, verify that your pod is running:

kubectl get pods

9. List the persistent volumes in the default namespace:

kubectl get pv

10. Describe the persistent volume:

kubectl describe pv efs-pv

Note: The Amazon EFS file system ID is listed as the VolumeHandle.

11. Verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti efs-app -- tail -f /data/out.txt

Encrypt data at rest

1. Deploy the Amazon EFS CSI driver for your Amazon EKS cluster.

2. Create an Amazon EFS file system by enabling encryption at rest for your Amazon EKS cluster.

3. Clone the following GitHub repository to your local system:

git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git

4. Go to the multiple_pods example directory:

cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/

5. Retrieve your Amazon EFS file system ID:

aws efs describe-file-systems

Example output:

{
 "FileSystems": [
 {
 "SizeInBytes": {
 "Timestamp": ,
 "Value":
 },
 "ThroughputMode": "",
 "CreationToken": “”,
 "Encrypted": true,
 "CreationTime": ,
 "PerformanceMode": "",
 "FileSystemId": "[FileSystemId]",
 "NumberOfMountTargets": ,
 "LifeCycleState": "available",
 "KmsKeyId": "arn:aws:kms:ap-southeast-1:<account_id>:key/854df848-fdd1-46e3-ab97-b4875c4190e6",
 "OwnerId": ""
 },
 ]
}

6. Go to the pv.yaml file in the /examples/kubernetes/multiple_pods/specs/ directory. Then, replace the value of volumeHandle with the FileSystemId of the Amazon EFS file system that needs to be mounted. For example:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]

7. Deploy the storage class, persistent volume claim, persistent volume, and pod from the /examples/kubernetes/multiple_pods/specs/ directory:

kubectl apply -f specs/storageclass.yaml
 kubectl apply -f specs/pv.yaml
 kubectl apply -f specs/claim.yaml
 kubectl apply -f specs/pod1.yaml
 kubectl apply -f specs/pod2.yaml

8. After the objects are created, verify that your pod is running:

kubectl get pods

9. List the persistent volumes in the default namespace:

kubectl get pv

10. Describe the persistent volume:

kubectl describe pv efs-pv

11. Verify that the data is written onto the Amazon EFS file system:

kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt

Topics

Containers

Relevant content

Why is my EFS File system policy blocking Fargate from mounting the EFS even though it includes the Task Execution Role arn?
Olly
asked 7 months ago
Pod cannot mount persistent volume from EFS
rePost-User-8190828
asked 6 days ago
Mounting EBS or EFS as File System in on Premise Instances
della
asked 6 months ago
EKS pods see inconsistent data when using EFS PV
Ronald
asked 4 months ago
How can lambda mount a file system from a different account
Yan Hrushchynskyi
asked 7 months ago
How do I mount an Amazon EFS file system on an Amazon ECS container or task running on Fargate?
AWS OFFICIALUpdated 2 years ago
How do I turn on encryption at rest for an existing Amazon EFS file system?
AWS OFFICIALUpdated 4 months ago
How do I create the correct EFS access point configuration to mount my file system using a Lambda function?
AWS OFFICIALUpdated a year ago
How can I use system policies to control access to my EFS file system?
AWS OFFICIALUpdated 6 months ago
Amazon Managed Grafana now supports connection to data sources hosted in Amazon Virtual Private Cloud
EXPERT
Priyanka Verma
published 6 months ago