Amazon EFS CSI Driver
The Amazon Elastic File System Container Storage Interface (CSI) Driver implements the CSI specification for container orchestrators to manage the lifecycle of Amazon EFS file systems.
CSI Specification Compatibility Matrix
| AWS EFS CSI Driver \ CSI Spec Version | v0.3.0 | v1.1.0 | v1.2.0 |
|---|---|---|---|
| master branch | no | no | yes |
| v1.x.x | no | no | yes |
| v0.3.0 | no | yes | no |
| v0.2.0 | no | yes | no |
| v0.1.0 | yes | no | no |
Features
EFS CSI driver supports dynamic provisioning and static provisioning.Currently Dynamic Provisioning creates an access point for each PV. This mean an AWS EFS file system has to be created manually on AWS first and should be provided as an input to the storage class parameter.For static provisioning, AWS EFS file system needs to be created manually on AWS first. After that it can be mounted inside a container as a volume using the driver.
The following CSI interfaces are implemented:
- Controller Service: CreateVolume, DeleteVolume, ControllerGetCapabilities, ValidateVolumeCapabilities
- Node Service: NodePublishVolume, NodeUnpublishVolume, NodeGetCapabilities, NodeGetInfo, NodeGetId, NodeGetVolumeStats
- Identity Service: GetPluginInfo, GetPluginCapabilities, Probe
Storage Class Parameters for Dynamic Provisioning
| Parameters | Values | Default | Optional | Description |
|---|---|---|---|---|
| provisioningMode | efs-ap | false | Type of volume provisioned by efs. Currently, Access Points are supported. | |
| fileSystemId | false | File System under which access points are created. | ||
| directoryPerms | false | Directory permissions for Access Point root directory creation. | ||
| uid | true | POSIX user Id to be applied for Access Point root directory creation. | ||
| gid | true | POSIX group Id to be applied for Access Point root directory creation. | ||
| gidRangeStart | 50000 | true | Start range of the POSIX group Id to be applied for Access Point root directory creation. Not used if uid/gid is set. | |
| gidRangeEnd | 7000000 | true | End range of the POSIX group Id. Not used if uid/gid is set. | |
| basePath | true | Path under which access points for dynamic provisioning is created. If this parameter is not specified, access points are created under the root directory of the file system | ||
| az | "" | true | Used for cross-account mount. az under storage class parameter is optional. If specified, mount target associated with the az will be used for cross-account mount. If not specified, a random mount target will be picked for cross account mount |
Notes:
- Custom Posix group Id range for Access Point root directory must include both
gidRangeStartandgidRangeEndparameters. These parameters are optional only if both are omitted. If you specify one, the other becomes mandatory. - When using a custom Posix group ID range, there is a possibility for the driver to run out of available POSIX group Ids. We suggest ensuring custom group ID range is large enough or create a new storage class with a new file system to provision additional volumes.
azunder storage class parameter is not be confused with efs-utils mount optionaz. Theazmount option is used for cross-az mount or efs one zone file system mount within the same aws account as the cluster.
Encryption In Transit
One of the advantages of using EFS is that it provides encryption in transit support using TLS. Using encryption in transit, data will be encrypted during its transition over the network to the EFS service. This provides an extra layer of defence-in-depth for applications that requires strict security compliance.
Encryption in transit is enabled by default in the master branch version of the driver. To disable it and mount volumes using plain NFSv4, set volumeAttributes field encryptInTransit to "false" in your persistent volume manifest. For an example manifest, see Encryption in Transit Example.
Note Kubernetes version 1.13+ is required if you are using this feature in Kubernetes.
EFS CSI Driver on Kubernetes
The following sections are Kubernetes specific. If you are a Kubernetes user, use this for driver features, installation steps and examples.
Kubernetes Version Compability Matrix
| AWS EFS CSI Driver \ Kubernetes Version | maturity | v1.11 | v1.12 | v1.13 | v1.14 | v1.15 | v1.16 | v1.17+ |
|---|---|---|---|---|---|---|---|---|
| master branch | GA | no | no | no | no | no | no | yes |
| v1.3.x | GA | no | no | no | no | no | no | yes |
| v1.2.x | GA | no | no | no | no | no | no | yes |
| v1.1.x | GA | no | no | no | yes | yes | yes | yes |
| v1.0.x | GA | no | no | no | yes | yes | yes | yes |
| v0.3.0 | beta | no | no | no | yes | yes | yes | yes |
| v0.2.0 | beta | no | no | no | yes | yes | yes | yes |
| v0.1.0 | alpha | yes | yes | yes | no | no | no | no |
Container Images
| EFS CSI Driver Version | Image |
|---|---|
| master branch | amazon/aws-efs-csi-driver:master |
| v1.3.4 | amazon/aws-efs-csi-driver:v1.3.4 |
| v1.3.3 | amazon/aws-efs-csi-driver:v1.3.3 |
| v1.3.2 | amazon/aws-efs-csi-driver:v1.3.2 |
| v1.3.1 | amazon/aws-efs-csi-driver:v1.3.1 |
| v1.3.0 | amazon/aws-efs-csi-driver:v1.3.0 |
| v1.2.1 | amazon/aws-efs-csi-driver:v1.2.1 |
| v1.2.0 | amazon/aws-efs-csi-driver:v1.2.0 |
| v1.1.1 | amazon/aws-efs-csi-driver:v1.1.1 |
| v1.1.0 | amazon/aws-efs-csi-driver:v1.1.0 |
| v1.0.0 | amazon/aws-efs-csi-driver:v1.0.0 |
| v0.3.0 | amazon/aws-efs-csi-driver:v0.3.0 |
| v0.2.0 | amazon/aws-efs-csi-driver:v0.2.0 |
| v0.1.0 | amazon/aws-efs-csi-driver:v0.1.0 |
Features
- Static provisioning - EFS file system needs to be created manually first, then it could be mounted inside container as a persistent volume (PV) using the driver.
- Dynamic provisioning - Uses a persistent volume claim (PVC) to dynamically provision a persistent volume (PV). On Creating a PVC, kuberenetes requests EFS to create an Access Point in a file system which will be used to mount the PV.
- Mount Options - Mount options can be specified in the persistent volume (PV) or storage class for dynamic provisioning to define how the volume should be mounted.
- Encryption of data in transit - EFS file systems are mounted with encryption in transit enabled by default in the master branch version of the driver.
- Cross account mount - EFS file systems from different aws accounts can be mounted from an EKS cluster.
- Multiarch - EFS CSI driver image is now multiarch on ECR
Notes:
- Since EFS is an elastic file system it doesn't really enforce any file system capacity. The actual storage capacity value in persistent volume and persistent volume claim is not used when creating the file system. However, since the storage capacity is a required field by Kubernetes, you must specify the value and you can use any valid value for the capacity.
Installation
Set up driver permission:
The driver requires IAM permission to talk to Amazon EFS to manage the volume on user's behalf. There are several methods to grant driver IAM permission:
- Using IAM Role for Service Account (Recommended if you're using EKS): create an IAM Role for service accounts with the required permissions. Uncomment annotations and put the IAM role ARN in service-account manifest
- Using IAM instance profile - grant all the worker nodes with required permissions by attaching policy to the instance profile of the worker.
Deploy the driver:
If you want to deploy the stable driver:
kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.3"
If you want to deploy the development driver:
kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/dev/?ref=master"
Alternatively, you could also install the driver using helm:
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
helm repo update
helm upgrade --install aws-efs-csi-driver --namespace kube-system aws-efs-csi-driver/aws-efs-csi-driver
Examples
Before the example, you need to:
- Get yourself familiar with how to setup Kubernetes on AWS and how to create EFS file system.
- When creating EFS file system, make sure it is accessible from Kubernetes cluster. This can be achieved by creating the file system inside the same VPC as Kubernetes cluster or using VPC peering.
- Install EFS CSI driver following the Installation steps.
Example links
- Static provisioning
- Dynamic provisioning
- Encryption in transit
- Accessing the file system from multiple pods
- Consume EFS in StatefulSets
- Mount subpath
- Use Access Points
Development
Please go through CSI Spec and Kubernetes CSI Developer Documentation to get some basic understanding of CSI driver before you start.
Requirements
- Golang 1.13.4+
Dependency
Dependencies are managed through go module. To build the project, first turn on go mod using export GO111MODULE=on, to build the project run: make
Testing
To execute all unit tests, run: make test
License
This library is licensed under the Apache 2.0 License.
-
EKS持久化存储-AWS EFS 必要前提 集群已有IAM OIDC提供程序 安装AWS CLI(1.25.46及以上) 安装kubectl、eksctl工具 集群侧EFS CSI部署 权限配置 创建AWS IAM policy绑定到集群serviceaccount以授予EFS CSI调用AWS API的权限 下载IAM policy模板 curl -o iam-policy-example.js
-
我们之前使用EBS作为k8s的动态pvc的pv,但是EBS不支持ReadWriteMany类型的声明。 所以尝试使用efs作为存储底层来声明pvc。 动态pvc声明方案 创建efs文件存储系统 使用命令 # 创建EFS Security group VPC_ID=$(aws eks describe-cluster --name ${CLUSTER_NAME} --region ${AWS_REG
-
#AWS EKS 创建k8s生产环境实例 在AWS部署海外节点, 图简单使用web控制台创建VPC和k8s集群出错(k8s), 使用cli命令行工具创建成功 本实例为复盘, 记录aws命令行工具创建eks, 安装efs驱动、LBS、ingress-nginx,使用ECR镜像储存等 #安装命令行工具 #安装aws cli cd /tmp curl -kL "https://awscli.amazon
-
情况 根据之前的文章进行efs的驱动安装: aws–efs—使用efs创建k8s的动态pvc 然后发现efs无法挂载,查看pvc的日志报错如下: E0922 03:13:38.113819 1 efs_watch_dog.go:131] amazon-efs-mount-watchdog[Error]: Traceback (most recent call last): File
-
部署redis集群 申请AWS EFS mount -t efs fs-5f5bd3ba:/ /tmp mkdir -p /tmp/{redis1,redis2,redis3,redis4,redis5,redis6} umount /tmp 安装持久化存储 这里使用AWS EFS 文件ID fs-b035f655 redis-pv.yaml apiVersion: v1 kind: Persi
-
Amazon Elastic Block Store (EBS) CSI driver Overview The Amazon Elastic Block Store Container Storage Interface (CSI) Driver provides a CSI interface used by Container Orchestrators to manage the life
-
CSI 代表容器存储接口,CSI 试图建立一个行业标准接口的规范,借助 CSI 容器编排系统(CO)可以将任意存储系统暴露给自己的容器工作负载。有关详细信息,请查看设计方案。 csi 卷类型是一种 out-tree(即跟其它存储插件在同一个代码路径下,随 Kubernetes 的代码同时编译的) 的 CSI 卷插件,用于 Pod 与在同一节点上运行的外部 CSI 卷驱动程序交互。部署 CSI 兼容
-
我是Java Card开发的新手,我试图开发一个可以选择和读取EF数据的小程序。我想用一些假数据创建EFs和DFs,并将其存储在卡中。然后我会使用我的小程序来读取这些数据。有可能吗?如果是的话,我该怎么做呢?请帮帮我,我找了很多,但我没有找到任何解决办法。 非常感谢。
-
我想知道使用AWS OpsWorks与AWS Beanstalk和AWS CloudFormation的优缺点是什么? 我感兴趣的是一个可以自动伸缩的系统,它可以处理任意数量的并发web请求(从每分钟1000个请求到1000万rpm),包括一个可以自动伸缩的数据库层。 理想情况下,我希望有效地共享一些硬件资源,而不是为每个应用程序提供单独的实例。在过去,我主要使用EC2实例RDS Cloudtop
-
介绍如何在AWS上获取在云联壹云平台需要使用的配置参数。 获取AWS的访问密钥 使用AWS主账号(或拥有AdministratorAccess管理权限的子账号)登录AWS管理控制台,单击 “IAM” 菜单项,进入IAM控制面板页面。 单击左侧菜单栏 “用户” 菜单项,进入用户管理列表,单击用户名名称项,进入指定用户详情页面。注意需要选择有足够管理权限的用户。 单击“安全证书”页签。 单击 “创建访
-
AWS Global Infrastructure AWS Global Cloud - A single global cloud, is made up of devices and Services in many regions. AWS Region - A physical location around the world where Amazon have equipment(de