Amazon EFS CSI Driver
CSI Specification Compatibility Matrix
|AWS EFS CSI Driver \ CSI Version||v0.3.0||v1.1.0|
Currently only static provisioning is supported. This means an AWS EFS filesystem needs to be created manually on AWS first. After that it can be mounted inside a container as a volume using the driver.
The following CSI interfaces are implemented:
- Node Service: NodePublishVolume, NodeUnpublishVolume, NodeGetCapabilities, NodeGetInfo, NodeGetId
- Identity Service: GetPluginInfo, GetPluginCapabilities, Probe
Encryption In Transit
One of the advantages of using EFS is that it supports encryption in transit using TLS. With encryption in transit enabled, data is encrypted while it travels over the network to the EFS service. This provides an extra layer of defence-in-depth for applications that require strict security compliance.
To enable encryption in transit, tls needs to be set in the MountFlags fields. For an example of using it in Kubernetes, see the persistent volume manifest in Encryption in Transit Example.
Note: Kubernetes version 1.13+ is required if you are using this feature in Kubernetes.
EFS CSI Driver on Kubernetes
The following sections are Kubernetes specific. If you are a Kubernetes user, use this for driver features, installation steps and examples.
Kubernetes Version Compatibility Matrix
|AWS EFS CSI Driver \ Kubernetes Version||maturity||v1.11||v1.12||v1.13||v1.14||v1.15|
|EFS CSI Driver Version||Image|
- Static provisioning - The EFS filesystem needs to be created manually first; it can then be mounted inside a container as a persistent volume (PV) using the driver.
- Mount Options - Mount options can be specified in the persistent volume (PV) to define how the volume should be mounted. Aside from normal mount options, you can also specify tls as a mount option to enable encryption in transit of the EFS filesystem.
- Since EFS is an elastic filesystem, it doesn't really enforce any filesystem capacity. The actual storage capacity value in the persistent volume and persistent volume claim is not used when creating the filesystem. However, since the storage capacity is a required field in Kubernetes, you must specify the value, and you can use any valid value for the capacity.
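Because encryption in transit is opt-in per persistent volume (the tls mount option described under Encryption In Transit and Mount Options above), it is worth checking which EFS volumes were defined without it. The following is an added example, not code from this project: it scans `kubectl get pv -o json` output and lists EFS CSI volumes that lack tls. The driver name `efs.csi.aws.com`, the helper names and the sample volumes are assumptions or constructed data.

```python
import json
import sys

# Assumption: CSI driver name the EFS CSI driver registers (not stated on this page).
EFS_DRIVER = "efs.csi.aws.com"

def _pv(name, driver, mount_options=None):
    """Build a constructed PersistentVolume in the shape kubectl returns."""
    spec = {"capacity": {"storage": "5Gi"},  # required by Kubernetes, ignored by EFS
            "csi": {"driver": driver, "volumeHandle": "fs-PLACEHOLDER"}}
    if mount_options is not None:
        spec["mountOptions"] = mount_options
    return {"kind": "PersistentVolume", "metadata": {"name": name}, "spec": spec}

# Constructed sample input; every name and ID here is a placeholder.
SAMPLE = json.dumps({"items": [
    _pv("efs-tls", EFS_DRIVER, ["tls"]),
    _pv("efs-plain", EFS_DRIVER),               # no mountOptions at all
    _pv("efs-ro-only", EFS_DRIVER, ["ro"]),     # options set, but not tls
    _pv("efs-joined", EFS_DRIVER, ["ro,tls"]),  # several options in one entry
    _pv("other-driver", "example.csi.invalid"), # not EFS: out of scope
]})

def has_tls(pv):
    """True if the PV's mount options contain exactly 'tls'."""
    options = pv.get("spec", {}).get("mountOptions") or []
    # An entry may carry several comma-joined options; split before matching.
    flat = [o.strip() for entry in options for o in entry.split(",")]
    return "tls" in flat

def audit(pv_list_json):
    """Return names of EFS CSI volumes that would be mounted without tls."""
    doc = json.loads(pv_list_json)
    flagged = []
    for pv in doc.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("driver") == EFS_DRIVER and not has_tls(pv):
            flagged.append(pv["metadata"]["name"])
    return flagged

if __name__ == "__main__":
    # Read a real PV list from stdin when piped, otherwise use the sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for name in audit(raw.strip() or SAMPLE):
        print(f"{name}: EFS volume mounted without tls")
```

To check a live cluster, pipe `kubectl get pv -o json` into the script; with no piped input it runs against the constructed sample.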
Deploy the driver:
If you want to deploy the stable driver:
kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=master"
If you want to deploy the development driver:
kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/dev/?ref=master"
Before the example, you need to:
- Get yourself familiar with how to set up Kubernetes on AWS and how to create an EFS filesystem.
- When creating the EFS filesystem, make sure it is accessible from the Kubernetes cluster. This can be achieved by creating the filesystem inside the same VPC as the Kubernetes cluster or by using VPC peering.
- Install EFS CSI driver following the Installation steps.
- Static provisioning
- Encryption in transit
- Accessing the filesystem from multiple pods
- Consume EFS in StatefulSets
- Golang 1.12.7+
Dependencies are managed through Go modules. To build the project, first turn on Go modules using export GO111MODULE=on, then run:
To execute all unit tests, run:
This library is licensed under the Apache 2.0 License.