Mount issues with module aws_efs_csi_driver #1197
Comments
I was finally able to determine that the sticking point is the default filesystem policy implemented by the module:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonSecureTransport",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "arn:aws:elasticfilesystem:eu-west-3:xxxxxxxxxxxxxxx:file-system/fs-xxxxxxxxxxxxxx",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Accordingly, I tried enabling transport encryption (reference: https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/encryption_in_transit):

```yaml
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
mountOptions:
  - iam
  - tls
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: [FileSystemId]
    volumeAttributes:
      encryptInTransit: "true"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs-claim
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: efs-sc
  resources:
    requests:
      storage: 5Gi
  volumeName: efs-pv
```

without success, because I always come back to my initial error

In the meantime I found a solution at the level of the creation of the EFS volume by adding

That being said, I still consider that the right way to do it would be to activate EFS + TLS! Could someone tell me if there is something missing in what I did, or if it is really a bug?
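The policy quoted in the comment above can be checked offline against a request context. This is an added example, not part of the original thread or of the module's code: a simplified evaluator that supports only the `Bool` condition operator and ignores `Principal` and `Resource` matching, run against constructed request contexts.

```python
import json
from fnmatch import fnmatchcase

# The policy from the comment above, with the ARN masked as it is on the page.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonSecureTransport",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "*",
      "Resource": "arn:aws:elasticfilesystem:eu-west-3:xxxxxxxxxxxxxxx:file-system/fs-xxxxxxxxxxxxxx",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Simplification: only the Bool operator; all keys must match (AND)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            # A Bool test on a key absent from the request does not match.
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'NoMatch' for a single request."""
    verdict = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        verdict = "Allow"
    return verdict
```

For a request with `aws:SecureTransport` true the result is `NoMatch`: this statement neither denies nor allows a TLS mount, so the outcome depends on whatever else grants `elasticfilesystem:ClientMount`.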
I am closing the ticket; my conclusion is that the policy injected by the terraform-aws-modules/efs/aws module is not compatible with a mount established in TLS with the stunnel binary of aws-efs-csi-driver.
Hello here from September 2023: the stateful example in the repo is still broken and doesn't allow mounting EFS shared storage either to nodes or to pods. proposed solution by @bla-ckbox with let's make
Description
When using the EFS add-on and an EFS filesystem provisioned with Terraform, the mount fails with an error; see #1171.
The fix in #1191 does not seem to be sufficient; I still have the same error with in v4.17.0
Versions
Reproduction Code
Steps to reproduce the behavior:
Create the following workload:
Expected behaviour
Pod should launch
Actual behaviour
Error message: