Mounting encrypted EFS (AWS) to kubernetes pod

8/13/2018

Trying to mount an encrypted EFS (AWS) to my k8s cluster.

I created everything that is needed (storageclass, PV, PVC) and everything was working fine when the EFS wasn't encrypted.

But now when trying to create the pod I get this error:

 Warning  FailedMount  42s  kubelet, ip-10-10-21-111.ap-southeast-2.compute.internal  Unable to mount volumes for pod "apim-rdbms-6d7c484c88-4xp6l_default(e6a2e36d-9ec4-11e8-b026-0644ba7f9448)": timeout expired waiting for volumes to attach/mount for pod "default"/"apim-rdbms-6d7c484c88-4xp6l". list of unattached/unmounted volumes=[apim-rdbms-efs]

I didn't see any special instructions regarding connecting the pod to encrypted EFS. When I tried to mount the nodes to the EFS I had no issue.

Should I install TLS on my cluster nodes? Is there a k8s flag I need to use? I couldn't find info regarding this.

-- Shachar Hamuzim Rajuan
aws-ebs
kubernetes

1 Answer

8/14/2018

So the problem was that I didn't mount target my EFS to security groups that my nodes are assigned to.

After creating the encrypted EFS you need to mount the EFS. You can create one mount target in each Availability Zone in your VPC. All EC2 instances in a VPC within a given Availability Zone share a single mount target for a given file system. If you have multiple subnets in an Availability Zone, you create a mount target in one of the subnets.

You can see mounting instructions here:

https://docs.aws.amazon.com/efs/latest/ug/manage-fs-access-create-delete-mount-targets.html

-- Shachar Hamuzim Rajuan
Source: StackOverflow
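
The check described in the answer above, as an added example that is not part of the original post: for each node, confirm there is an available mount target in its Availability Zone and that one of the mount target's security groups admits the node on TCP 2049 (the NFS port EFS uses). The dict shapes follow the JSON returned by `aws efs describe-mount-targets`, `aws efs describe-mount-target-security-groups` and `aws ec2 describe-security-groups`; every ID, AZ name and address below is constructed sample data, and the node list format is an assumption.

```python
import ipaddress

NFS_PORT = 2049  # EFS mount targets accept NFS on TCP 2049

def rule_allows_nfs(rule, node_sgs, node_ip):
    """True if one inbound IpPermissions entry admits the node on TCP 2049."""
    proto = rule.get("IpProtocol")
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != "tcp" or not (rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)):
            return False
    if any(p["GroupId"] in node_sgs for p in rule.get("UserIdGroupPairs", [])):
        return True  # source is one of the node's own security groups
    ip = ipaddress.ip_address(node_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

def check_node(node, mount_targets, mt_sgs, sg_rules):
    """Return 'ok' or the reason this node cannot reach the file system."""
    local = [m for m in mount_targets
             if m["AvailabilityZoneName"] == node["az"] and m["LifeCycleState"] == "available"]
    if not local:
        return "no available mount target in " + node["az"]
    for m in local:
        for sg in mt_sgs[m["MountTargetId"]]:
            if any(rule_allows_nfs(r, node["sgs"], node["ip"]) for r in sg_rules.get(sg, [])):
                return "ok"
    return "mount target security groups block TCP 2049 from node"

# Constructed sample data (hypothetical IDs), shaped like the AWS CLI output.
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-aaaa", "AvailabilityZoneName": "ap-southeast-2a", "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-bbbb", "AvailabilityZoneName": "ap-southeast-2b", "LifeCycleState": "available"},
]
MT_SGS = {"fsmt-aaaa": ["sg-efs"], "fsmt-bbbb": ["sg-default"]}
SG_RULES = {  # GroupId -> inbound IpPermissions
    "sg-efs": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "UserIdGroupPairs": [{"GroupId": "sg-nodes"}]}],
    "sg-default": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]}],
}
NODES = [
    {"name": "node-a", "az": "ap-southeast-2a", "sgs": {"sg-nodes"}, "ip": "10.10.21.111"},
    {"name": "node-b", "az": "ap-southeast-2b", "sgs": {"sg-nodes"}, "ip": "10.10.22.50"},
    {"name": "node-c", "az": "ap-southeast-2c", "sgs": {"sg-nodes"}, "ip": "10.10.23.7"},
]

def report():
    """Map each node name to 'ok' or the reason its EFS mount would time out."""
    return {n["name"]: check_node(n, MOUNT_TARGETS, MT_SGS, SG_RULES) for n in NODES}

if __name__ == "__main__":
    print(report())
```

Scoping the inbound rule to the node security group, as `sg-efs` does here, keeps the file system reachable only from the cluster nodes rather than from the whole VPC range.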