Skip to main content

aws-efs-csi-driver


AWS EFS Container Storage Interface Driver

설치

CSI role

name = "efs-csi-driver-policy"
efs_csi_driver_policy = aws.iam.Policy(
name,
name_prefix=name,
policy=json.dumps(
{
"Statement": [
{
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
],
"Effect": "Allow",
"Resource": "*",
},
{
"Action": ["elasticfilesystem:CreateAccessPoint"],
"Condition": {
"StringLike": {
"aws:RequestTag/efs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*",
},
{
"Action": "elasticfilesystem:DeleteAccessPoint",
"Condition": {
"StringEquals": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
}
),
tags={
"Name": name,
"Stack": variable.stack_name,
"Github": variable.github,
},
opts=pulumi.ResourceOptions(parent=eks.cluster),
)

name = "efs-csi-driver-role"
efs_csi_driver_role = aws.iam.Role(
name,
name_prefix=name,
assume_role_policy=pulumi.Output.all(oidc_url=eks.oidc_provider.url,).apply(
lambda args: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": f"arn:aws:iam::{variable.account_id}:oidc-provider/{args['oidc_url']}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
f"{args['oidc_url']}:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
}
},
}
],
}
)
),
tags={
"Name": name,
"Stack": variable.stack_name,
"Github": variable.github,
},
opts=pulumi.ResourceOptions(parent=eks.cluster),
)

aws.iam.RolePolicyAttachment(
"efs-csi-driver-rpa-0",
role=efs_csi_driver_role.name,
policy_arn=efs_csi_driver_policy.arn,
opts=pulumi.ResourceOptions(parent=efs_csi_driver_role),
)

Helm

helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver \
&& helm repo update aws-efs-csi-driver
mkdir -p storage/aws-efs-csi-driver/{dynamic,helm,static}
helm search repo aws-efs-csi-driver/aws-efs-csi-driver -l | head -n 10
helm show values aws-efs-csi-driver/aws-efs-csi-driver \
--version 2.2.5 \
> storage/aws-efs-csi-driver/helm/values.yaml
pulumi stack output efs_csi_driver_role_arn
storage/aws-efs-csi-driver/helm/values.yaml
controller:
serviceAccount:
create: true
name: efs-csi-controller-sa
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
helm upgrade aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
--install \
--version 2.2.5 \
-n kube-system \
-f storage/aws-efs-csi-driver/helm/values.yaml

EFS

# EFS

name = "efs"
efs = aws.efs.FileSystem(
name,
availability_zone_name=vpc.AZs.names[0],
creation_token="oneplatform-efs-8c0e576",
performance_mode="generalPurpose",
throughput_mode="bursting",
lifecycle_policies=[
aws.efs.FileSystemLifecyclePolicyArgs(
transition_to_ia="AFTER_14_DAYS",
transition_to_primary_storage_class=None,
)
],
encrypted=True,
opts=pulumi.ResourceOptions(protect=True),
tags={
"Name": name,
"Stack": variable.stack_name,
"Github": variable.github,
},
)

name = "efs-sg"
efs_sg = aws.ec2.SecurityGroup(
name,
name_prefix=name,
vpc_id=vpc.vpc.id,
ingress=[
aws.ec2.SecurityGroupIngressArgs(
from_port=2049,
to_port=2049,
protocol="tcp",
cidr_blocks=[vpc.vpc.cidr_block],
),
],
egress=[
aws.ec2.SecurityGroupEgressArgs(
from_port=0,
to_port=0,
protocol="all",
cidr_blocks=["0.0.0.0/0"],
),
],
opts=pulumi.ResourceOptions(parent=efs),
tags={
"Name": name,
"Stack": variable.stack_name,
"Github": variable.github,
},
)

aws.efs.MountTarget(
"efs-mount-target",
file_system_id=efs.id,
security_groups=[efs_sg.id],
subnet_id=vpc.private_subnet["0"].id,
opts=pulumi.ResourceOptions(parent=efs),
)

StorageClass

info

Provisioning 시에 선언되는 storage 크기는 더미 값입니다. 실제 사용 시에는 제한이 없습니다.

Static Provisioning

storage/aws-efs-csi-driver/static/efs-sp-sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: efs-sp-sc
provisioner: efs.csi.aws.com
pulumi stack output efs_id
storage/aws-efs-csi-driver/static/efs-sp-pvc.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-sp-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sp-sc
csi:
driver: efs.csi.aws.com
volumeHandle: <FileSystemId>[:<SubPath>][:<AccessPointId>]

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: efs-sp-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: efs-sp-sc
resources:
requests:
storage: 5Gi
info

<FileSystemId>, <FileSystemId>:<SubPath>, <FileSystemId>::<AccessPointId>, <FileSystemId>:<SubPath>:<AccessPointId>조합이 가능합니다.

Dynamic Provisioning

storage/aws-efs-csi-driver/dynamic/efs-dp-sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: efs-dp-sc
provisioner: efs.csi.aws.com
parameters:
provisioningMode: efs-ap # PVC를 선언하면 AccessPoint가 생성됩니다.
fileSystemId: <FileSystemId>
directoryPerms: "755"
basePath: "/k8s" # Default: "/". AccessPoint의 루트 디렉터리들이 생성될 위치 입니다.
storage/aws-efs-csi-driver/dynamic/efs-dp-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: efs-dp-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: efs-dp-sc
resources:
requests:
storage: 5Gi

Reference