Open JonVDB opened 1 month ago
@JonVDB please check the content on EFS filesystem and EFS addon in our workshop for security patterns in EKS here: https://catalog.us-east-1.prod.workshops.aws/workshops/90c9d1eb-71a1-4e0e-b850-dba04ae92887/en-US/security/065-data-encryption/1-stack-setup
You will see steps and policies to configure your EFS filesystem with e2e encryption. Please let me know if that solves the issue; we can then update the docs with that reference.
@shapirov103 Hey, I wasn't aware that there was a Workshop for the EFS CSI Driver. I've only used the QuickStart docs. The instructions in the Workshop work perfectly! Issue solved. Thank you!
Describe the bug
When deploying a StorageClass, PersistentVolumeClaim and Pod while using the `EfsCsiDriverAddOn` to dynamically provision an EFS Access Point and mount it to the Pod, mounting fails with the error `mount.nfs4: access denied by server while mounting 127.0.0.1:/`.

Expected Behavior
Mounting the EFS Access Point to the Pod succeeds.
Current Behavior
Running `kubectl describe pod/efs-app` shows the following Event logs for the Pod:

However, the creation of the EFS Access Point does succeed, as seen in the AWS Console and via command `kubectl describe pvc/efs-claim`:

Then the details of the Storage Class, by running command `kubectl describe sc/efs-sc`:

Lastly I have also checked the efs-csi-controller logs using command `kubectl logs deployment/efs-csi-controller -n kube-system -c efs-plugin`:

Reproduction Steps
```typescript
// Imports the snippet relies on (aws-cdk-lib, constructs and @aws-quickstart/eks-blueprints).
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  EksBlueprint,
  CreateRoleProvider,
  MngClusterProvider,
  MngClusterProviderProps,
  getNamedResource,
} from '@aws-quickstart/eks-blueprints';

export default class ClusterConstruct extends Construct {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id);
  }
}
```

`AmazonElasticFileSystemClientReadWriteAccess` policy. This did not fix the issue.

```typescript
// Node role for the managed node group, with the EFS client policy attached (marked with "<-").
const nodeRole = new CreateRoleProvider(
  "blueprint-node-role",
  new cdk.aws_iam.ServicePrincipal("ec2.amazonaws.com"),
  [
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSWorkerNodePolicy"),
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryReadOnly"),
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore"),
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKS_CNI_Policy"),
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"),
    cdk.aws_iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonElasticFileSystemClientReadWriteAccess"), // <-
  ]
);

const mngProps: MngClusterProviderProps = {
  version: cdk.aws_eks.KubernetesVersion.of('auto'),
  instanceTypes: [new cdk.aws_ec2.InstanceType("m5.xlarge")],
  amiType: cdk.aws_eks.NodegroupAmiType.AL2_X86_64,
  // The node group picks up the role registered under the "node-role" name below.
  nodeRole: getNamedResource("node-role") as cdk.aws_iam.Role,
  desiredSize: 2,
  maxSize: 3,
};

// ...

const blueprint = EksBlueprint.builder()
  // ...
  .clusterProvider(new MngClusterProvider(mngProps)) // <-
  .resourceProvider("node-role", nodeRole) // <-
  // ...
```
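The pointer in the thread is to the workshop's EFS file system policies and end-to-end encryption setup. The following is an added example, written for this page and not code from the issue, the eks-blueprints project or the workshop. It models the two policy statements that pattern relies on, an `Allow` for `elasticfilesystem:ClientMount`/`ClientWrite` scoped to the node role and a `Deny` for any request that is not encrypted in transit (`aws:SecureTransport` = `false`), and then evaluates a few constructed mount attempts against that policy with a deliberately simplified IAM decision model (explicit deny wins, then any matching allow, then implicit deny). The file system ARN, account id and the `blueprint-node-role` ARN are placeholders I constructed; the role name is taken from the CDK snippet above.

```typescript
// Added example (not code from the issue or from the eks-blueprints project).
// Models an EFS file-system resource policy that (1) grants mount/write only to
// the node role and (2) denies every request that is not encrypted in transit,
// then evaluates sample mount attempts with a simplified IAM decision model:
// explicit Deny wins, otherwise any matching Allow allows, otherwise implicit deny.

type Effect = "Allow" | "Deny";

interface Statement {
  Sid: string;
  Effect: Effect;
  Principal: { AWS: string };                 // "*" or a single role ARN
  Action: string[];                           // e.g. "elasticfilesystem:ClientMount" or "elasticfilesystem:*"
  Resource: string;                           // one file system ARN; not re-checked by the evaluator
  Condition?: { Bool?: Record<string, string> };
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

interface MountRequest {
  principalArn: string;   // IAM identity the NFS client authenticates as
  action: string;         // EFS client action being requested
  tls: boolean;           // whether the client mounted over TLS (aws:SecureTransport)
}

// Constructed placeholder values; real ARNs come from your own account.
const FILE_SYSTEM_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE";
// Assumed ARN for the "blueprint-node-role" created in the issue's CDK snippet.
const NODE_ROLE_ARN = "arn:aws:iam::111122223333:role/blueprint-node-role";

function buildEfsFileSystemPolicy(fileSystemArn: string, clientRoleArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowMountFromNodeRole",
        Effect: "Allow",
        Principal: { AWS: clientRoleArn },
        Action: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        Resource: fileSystemArn,
      },
      {
        // Encryption in transit: reject any request that did not arrive over TLS.
        Sid: "DenyUnencryptedTransport",
        Effect: "Deny",
        Principal: { AWS: "*" },
        Action: ["elasticfilesystem:*"],
        Resource: fileSystemArn,
        Condition: { Bool: { "aws:SecureTransport": "false" } },
      },
    ],
  };
}

function actionMatches(pattern: string, action: string): boolean {
  if (pattern === action) return true;
  // Support a trailing wildcard such as "elasticfilesystem:*".
  return pattern.endsWith("*") && action.startsWith(pattern.slice(0, -1));
}

function statementMatches(s: Statement, req: MountRequest): boolean {
  const principalOk = s.Principal.AWS === "*" || s.Principal.AWS === req.principalArn;
  const actionOk = s.Action.some((a) => actionMatches(a, req.action));
  const secureTransport = s.Condition?.Bool?.["aws:SecureTransport"];
  // A Bool condition compares the request's TLS flag, rendered as "true"/"false".
  const conditionOk = secureTransport === undefined || secureTransport === String(req.tls);
  return principalOk && actionOk && conditionOk;
}

function evaluateMount(policy: PolicyDocument, req: MountRequest): "allow" | "deny" {
  const matching = policy.Statement.filter((s) => statementMatches(s, req));
  if (matching.some((s) => s.Effect === "Deny")) return "deny"; // explicit deny wins
  return matching.some((s) => s.Effect === "Allow") ? "allow" : "deny";
}

// Constructed sample attempts: only the node role, over TLS, gets through.
const policy = buildEfsFileSystemPolicy(FILE_SYSTEM_ARN, NODE_ROLE_ARN);
const attempts: MountRequest[] = [
  { principalArn: NODE_ROLE_ARN, action: "elasticfilesystem:ClientMount", tls: true },
  { principalArn: NODE_ROLE_ARN, action: "elasticfilesystem:ClientMount", tls: false },
  { principalArn: "arn:aws:iam::111122223333:role/some-other-role", action: "elasticfilesystem:ClientMount", tls: true },
];
for (const a of attempts) {
  console.log(`${a.principalArn.split("/")[1]} tls=${a.tls} -> ${evaluateMount(policy, a)}`);
}
```

The evaluator is a teaching model, not IAM: it ignores identity-based policies, the access point's POSIX identity, and the default behaviour of a file system with no policy at all. What it does show is why a policy of this shape needs a client that both mounts over TLS and presents an identity the `Allow` statement names; a request that fails either test is refused by the file system, and the NFS client reports it as a mount-time access denial rather than as a Kubernetes-side event. When checking a setup like the one in the issue, the things to compare against the policy are the `encryptInTransit` volume attribute and the `iam` mount option the EFS CSI driver is configured with, since those decide what the mount request looks like to the policy.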