AWS EFS
Overview
The AWS EFS add-on facilitates access to Amazon EFS for Kubernetes workloads running on a managed Kubernetes cluster.
Supported Providers
Prerequisites
- AWS Workload Identity
- AWS Account
How to Enable
To use the AWS EFS add-on for your Kubernetes cluster, ensure you have created an AWS IAM Role with the necessary permissions to use the AWS EFS filesystem. The ARN (Amazon Resource Name) of this role is required for the configuration steps that follow. For the required permissions, you can attach the managed policy AmazonEFSCSIDriverPolicy
to the IAM Role and verify that the EFS filesystem policy permits access.
The AWS EFS add-on can be enabled for your Kubernetes cluster either during the cluster creation process or at any time thereafter. The following sections outline the methods for enabling the add-on:
At Cluster Creation
-
Through Cluster Manifest: Add the following snippet to your cluster manifest when creating the cluster:
YAMLspec: ... addOns: awsEFS: roleArn: 'arn:aws:iam::999999999999:role/mk8s-efs-driver' ...
-
Using the Console: If you’re creating the cluster through the console, navigate to
Add-ons
, find theAWS EFS
add-on in the list of available add-ons, toggle it on, and then enter the ROLE ARN required for accessing the AWS EFS filesystem.
After Cluster Creation
If the AWS EFS add-on was not enabled during the cluster creation, you can still enable it using either of the following methods:
Using Manifest
To enable the AWS EFS add-on after cluster creation, add the following to your cluster’s YAML manifest:
-
Direct Edit & Apply: Navigate to your cluster in the Console, and use the
Edit & Apply
option. -
CLI Application: Apply the entire manifest using the
cpln apply >_
command or through thecpln
CLI.YAMLspec: ... addOns: awsEFS: roleArn: 'arn:aws:iam::999999999999:role/mk8s-efs-driver' ...
Using the UI
- Navigate to the Control Plane Console: Open Control Plane Console.
- Select Your Kubernetes Cluster: In the Control Plane Console, go to
Kubernetes
in the left sidebar, and click on the cluster you wish to configure. - Activate the Dashboard: Choose
Add-ons
, find theAWS EFS
add-on in the list, and toggle it on. - Enter Role ARN: Provide the ROLE ARN necessary for AWS EFS filesystem access.
Usage Instructions
After enabling the AWS EFS add-on, two additional steps are required before you can successfully create Kubernetes volumes using AWS EFS.
First, it’s essential to update the trust policy to grant the Managed Kubernetes cluster the necessary permissions to assume the AWS Role for accessing AWS EFS. This step ensures that your Kubernetes cluster can securely interact with the AWS EFS service.
Second, you must properly configure the Kubernetes Storage Class. This configuration allows Kubernetes to understand how to provision storage based on AWS EFS for your applications.
Follow the steps below to configure:
Step 1 - Create OIDC Identity Provider in aws (If not already done)
Skip this step if you have already created the provider as part of the AWS Workload Identity configuration.
- Retrieve the cluster’s oidcProviderUrl:
cpln mk8s get -o json $cluster_name | jq -r '.status.oidcProviderUrl'
- Access the AWS console and navigate to IAM. In the left panel, under
Access management
, selectIdentity providers
and then clickAdd provider
. - Select
OpenID Connect
, paste theProvider URL
obtained in the previous step, and clickGet thumbprint
. - In the
Audience
field, entersts.amazonaws.com
.
Step 2 - Update Trust Policy
- Obtain the trust policy template:
cpln mk8s get -o json $cluster_name | jq -r '.status.addOns.awsEFS.trustPolicy'
- Update the
Trust Policy
of the IAM Role in your AWS Account to reflect these changes.
Step 3 - Create Storage Class
Create the following Storage Class in your Managed Kubernetes cluster. For guidance on accessing your cluster, refer to the documentation page of your Provider.
Ensure to replace the fileSystemId
with the correct one from your account.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: efs-dynamic
provisioner: efs.csi.aws.com
parameters:
provisioningMode: efs-ap
fileSystemId: fs-999999999999 # Replace with your EFS FileSystemId
directoryPerms: '700'
gidRangeStart: '1000' # optional
gidRangeEnd: '2000' # optional
basePath: '/dynamic_provisioning' # optional
subPathPattern: '${.PVC.namespace}/${.PVC.name}' # optional
ensureUniqueDirectory: 'true' # optional
reuseAccessPoint: 'false' # optional
Step 4 - Example on creating volumes
Create the following PersistentVolumeClaim
and Pod
in your Managed Kubernetes cluster. This example demonstrates creating a Pod that writes the current date to a file every 5 seconds, utilizing a volume backed by the AWS EFS, as configured previously.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: efs-claim
spec:
accessModes:
- ReadWriteMany
storageClassName: efs-dynamic
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
name: efs-app
spec:
terminationGracePeriodSeconds: 0
containers:
- name: app
image: centos
command: ['/bin/sh']
args: ['-c', 'while true; do echo $(date -u) >> /data/out; sleep 5; done']
volumeMounts:
- name: persistent-storage
mountPath: /data
volumes:
- name: persistent-storage
persistentVolumeClaim:
claimName: efs-claim