Merge pull request #39 from aliaksei-ivanou/efs-encryption-at-rest

Efs encryption at rest

security/envs/dev/templates/team-platform.yaml

@@ -19,6 +19,8 @@ spec:
     helm:
       values: |
         spec:
+          efsKmsKey: {{ index .Values.spec "efsKmsKey" }}
+          efsFileSystemId: {{ index .Values.spec "efsFileSystemId" }}
           ebsKmsKey: {{ index .Values.spec "ebsKmsKey" }}
   syncPolicy:
     automated:

teams/team-data/dev/templates/efs-ecncrypted-storage-pvc.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: efs-encrypted-claim
+spec:
+  accessModes:
+  - ReadWriteMany
+  storageClassName: efs-encrypted
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: efs-encryption-app
+spec:
+  containers:
+    - name: app
+      image: centos
+      command: ["/bin/sh"]
+      args: ["-c", "while true; do echo $(date -u) >> /example/out.txt; sleep 5; done"]
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: /example
+  volumes:
+    - name: persistent-storage
+      persistentVolumeClaim:
+        claimName: efs-encrypted-claim

teams/team-platform/dev/templates/efs-encrypted-storage-class.yaml

@@ -0,0 +1,18 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: efs-encrypted
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: efs.csi.aws.com
+mountOptions:
+  - tls
+parameters:
+  fileSystemId: {{ .Values.spec.efsFileSystemId }}
+  provisioningMode: efs-ap
+  directoryPerms: "700"
+  gidRangeStart: "1000" # optional
+  gidRangeEnd: "2000" # optional
+{{ if .Values.spec.efsKmsKey }}
+  kmsKeyId: {{ .Values.spec.efsKmsKey }}
+{{ end }}