Overview

The AWS EFS add-on facilitates access to Amazon EFS for Kubernetes workloads running on a managed Kubernetes cluster.

Supported Providers

Prerequisites

How to Enable

To use the AWS EFS add-on for your Kubernetes cluster, ensure you have created an AWS IAM Role with the necessary permissions to use the AWS EFS filesystem. The ARN (Amazon Resource Name) of this role is required for the configuration steps that follow. For the required permissions, you can attach the managed policy AmazonEFSCSIDriverPolicy to the IAM Role and verify that the EFS filesystem policy permits access.

The AWS EFS add-on can be enabled for your Kubernetes cluster either during the cluster creation process or at any time thereafter. The following sections outline the methods for enabling the add-on:

At Cluster Creation

  • Through Cluster Manifest: Add the following snippet to your cluster manifest when creating the cluster:

    YAML
    spec:
  ...
  addOns:
    awsEFS:
      roleArn: 'arn:aws:iam::999999999999:role/mk8s-efs-driver'
  ...

  • Using the Console: If you’re creating the cluster through the console, navigate to Add-ons, find the AWS EFS add-on in the list of available add-ons, toggle it on, and then enter the ROLE ARN required for accessing the AWS EFS filesystem.

After Cluster Creation

If the AWS EFS add-on was not enabled during the cluster creation, you can still enable it using either of the following methods:

Using Manifest

To enable the AWS EFS add-on after cluster creation, add the following to your cluster’s YAML manifest:

  • Direct Edit & Apply: Navigate to your cluster in the Console, and use the Edit & Apply option.

  • CLI Application: Apply the entire manifest using the cpln apply >_ command or through the cpln CLI.

    YAML
    spec:
  ...
  addOns:
    awsEFS:
      roleArn: 'arn:aws:iam::999999999999:role/mk8s-efs-driver'
  ...

Using the UI

  1. Navigate to the Control Plane Console: Open Control Plane Console.
  2. Select Your Kubernetes Cluster: In the Control Plane Console, go to Kubernetes in the left sidebar, and click on the cluster you wish to configure.
  3. Activate the Dashboard: Choose Add-ons, find the AWS EFS add-on in the list, and toggle it on.
  4. Enter Role ARN: Provide the ROLE ARN necessary for AWS EFS filesystem access.

Usage Instructions

After enabling the AWS EFS add-on, two additional steps are required before you can successfully create Kubernetes volumes using AWS EFS.

First, it’s essential to update the trust policy to grant the Managed Kubernetes cluster the necessary permissions to assume the AWS Role for accessing AWS EFS. This step ensures that your Kubernetes cluster can securely interact with the AWS EFS service.

Second, you must properly configure the Kubernetes Storage Class. This configuration allows Kubernetes to understand how to provision storage based on AWS EFS for your applications.

Follow the steps below to configure:

Step 1 - Create OIDC Identity Provider in aws (If not already done)

Skip this step if you have already created the provider as part of the AWS Workload Identity configuration.

  1. Retrieve the cluster’s oidcProviderUrl: 
    cpln mk8s get -o json $cluster_name | jq -r '.status.oidcProviderUrl'
  2. Access the AWS console and navigate to IAM. In the left panel, under Access management, select Identity providers and then click Add provider.
  3. Select OpenID Connect, paste the Provider URL obtained in the previous step, and click Get thumbprint.
  4. In the Audience field, enter sts.amazonaws.com.

Step 2 - Update Trust Policy

  1. Obtain the trust policy template: 
    cpln mk8s get -o json $cluster_name | jq -r '.status.addOns.awsEFS.trustPolicy'
  2. Update the Trust Policy of the IAM Role in your AWS Account to reflect these changes.

Step 3 - Create Storage Class

Create the following Storage Class in your Managed Kubernetes cluster. For guidance on accessing your cluster, refer to the documentation page of your Provider.

Ensure to replace the fileSystemId with the correct one from your account.

YAML
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-dynamic
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-999999999999 # Replace with your EFS FileSystemId
  directoryPerms: '700'
  gidRangeStart: '1000' # optional
  gidRangeEnd: '2000' # optional
  basePath: '/dynamic_provisioning' # optional
  subPathPattern: '${.PVC.namespace}/${.PVC.name}' # optional
  ensureUniqueDirectory: 'true' # optional
  reuseAccessPoint: 'false' # optional

Step 4 - Example on creating volumes

Create the following PersistentVolumeClaim and Pod in your Managed Kubernetes cluster. This example demonstrates creating a Pod that writes the current date to a file every 5 seconds, utilizing a volume backed by the AWS EFS, as configured previously.

YAML
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-dynamic
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: efs-app
spec:
  terminationGracePeriodSeconds: 0
  containers:
    - name: app
      image: centos
      command: ['/bin/sh']
      args: ['-c', 'while true; do echo $(date -u) >> /data/out; sleep 5; done']
      volumeMounts:
        - name: persistent-storage
          mountPath: /data
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: efs-claim