
Efs encryption at rest #39

Merged
merged 38 commits into from
Mar 22, 2023

Conversation

aliaksei-ivanou

Issue #, if available:

Description of changes:
Creating a workload demonstrating EFS encryption-at-rest capabilities.

team-platform is responsible for creating a storage class efs-encrypted.

team-data deploys an example workload that uses the encrypted storage class via a PersistentVolumeClaim (PVC) efs-encrypted-claim.

❯ kubectl get storageclass
NAME                      PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
efs-encrypted (default)   efs.csi.aws.com         Delete          Immediate              false                  70m
efs-sc                    efs.csi.aws.com         Delete          Immediate              false                  91m
gp2 (default)             kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  119m

❯ kubectl get storageclass efs-encrypted -o jsonpath='{.parameters.kmsKeyId}'
arn:aws:kms:us-east-1:111222333444:key/19f4f602-dcf3-42a5-8eef-38f2af4b3626%  

❯ kubectl get pvc -n data
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS    AGE
efs-encrypted-claim   Bound    pvc-06df2640-ae2f-44ae-8d5c-82c72e56a9ae   10Gi       RWX            efs-encrypted   63m

❯ kubectl get pods -n data
NAME                 READY   STATUS    RESTARTS   AGE
efs-encryption-app   1/1     Running   0          63m

❯ kubectl describe pvc efs-encrypted-claim -n data
Name:          efs-encrypted-claim
Namespace:     data
StorageClass:  efs-encrypted
Status:        Bound
Volume:        pvc-06df2640-ae2f-44ae-8d5c-82c72e56a9ae
Labels:        argocd.argoproj.io/instance=team-data
Annotations:   pv.kubernetes.io/bind-completed: yes
               pv.kubernetes.io/bound-by-controller: yes
               volume.beta.kubernetes.io/storage-provisioner: efs.csi.aws.com
               volume.kubernetes.io/storage-provisioner: efs.csi.aws.com
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      10Gi
Access Modes:  RWX
VolumeMode:    Filesystem
Used By:       efs-encryption-app
Events:        <none>

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
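As an added example (not code from this PR or the aws-samples project), the following audit applies the same `parameters.kmsKeyId` check as the `kubectl get storageclass ... -o jsonpath` command above across every StorageClass and PVC, over JSON shaped like `kubectl get storageclass -o json` and `kubectl get pvc -A -o json`. It assumes the PR's convention that a class counts as encrypted when it declares a well-formed KMS key ARN; the sample objects are constructed from the listing above, including its two classes marked `(default)`, which leaves a claim that omits `storageClassName` without one clearly determined class.

```python
import json
import re
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
DEFAULT = "storageclass.kubernetes.io/is-default-class"

# Constructed sample shaped like `kubectl get storageclass -o json`, mirroring the PR's listing (two defaults; the ARN is the PR's own sample value).
STORAGECLASSES = json.dumps({"items": [
    {"metadata": {"name": "efs-encrypted", "annotations": {DEFAULT: "true"}},
     "provisioner": "efs.csi.aws.com",
     "parameters": {"kmsKeyId": "arn:aws:kms:us-east-1:111222333444:key/"
                                "19f4f602-dcf3-42a5-8eef-38f2af4b3626"}},
    {"metadata": {"name": "efs-sc"}, "provisioner": "efs.csi.aws.com", "parameters": {}},
    {"metadata": {"name": "gp2", "annotations": {DEFAULT: "true"}},
     "provisioner": "kubernetes.io/aws-ebs", "parameters": {"type": "gp2"}},
]})
# Constructed sample shaped like `kubectl get pvc -A -o json`: the PR's claim plus a hypothetical one that omits storageClassName.
PVCS = json.dumps({"items": [
    {"metadata": {"name": "efs-encrypted-claim", "namespace": "data"},
     "spec": {"storageClassName": "efs-encrypted"}},
    {"metadata": {"name": "scratch", "namespace": "data"}, "spec": {}},
]})

def kms_keys(sc_json: str) -> dict:
    """StorageClass name -> kmsKeyId, or None when no well-formed key ARN is declared."""
    keys = {}
    for sc in json.loads(sc_json)["items"]:
        key = (sc.get("parameters") or {}).get("kmsKeyId", "")
        keys[sc["metadata"]["name"]] = key if KMS_KEY_ARN.match(key) else None
    return keys

def default_classes(sc_json: str) -> list:
    """Names of classes annotated as default; more than one is a misconfiguration."""
    return [sc["metadata"]["name"] for sc in json.loads(sc_json)["items"]
            if (sc["metadata"].get("annotations") or {}).get(DEFAULT) == "true"]

def audit(sc_json: str, pvc_json: str) -> list:
    """(namespace/name, reason) for each PVC not clearly bound to a KMS-keyed class."""
    keys, defaults = kms_keys(sc_json), default_classes(sc_json)
    findings = []
    for pvc in json.loads(pvc_json)["items"]:
        ref = f'{pvc["metadata"]["namespace"]}/{pvc["metadata"]["name"]}'
        cls = pvc["spec"].get("storageClassName")
        if cls is None:  # claim relies on the cluster default class
            if len(defaults) != 1:
                findings.append((ref, f"no storageClassName and {len(defaults)} default classes"))
                continue
            cls = defaults[0]
        if keys.get(cls) is None:  # unknown class, "" (static binding) or no kmsKeyId
            findings.append((ref, f"StorageClass {cls!r} declares no kmsKeyId"))
    return findings
```

This only inspects what the cluster objects declare; encryption at rest is a property of the EFS file system itself, so the key named on the StorageClass still has to be confirmed against the file system the class maps to.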

@shapirov103 shapirov103 left a comment

Looks good, please share functional verification result.

@aliaksei-ivanou

❯ kubectl get pods -o wide -n data

NAME                 READY   STATUS    RESTARTS   AGE     IP            NODE                           NOMINATED NODE   READINESS GATES
ebs-encryption-app   1/1     Running   0          82m     10.0.127.0    ip-10-0-125-125.ec2.internal   <none>           <none>
efs-encryption-app   1/1     Running   0          2m50s   10.0.96.233   ip-10-0-125-125.ec2.internal   <none>           <none>
❯ kubectl exec efs-encryption-app -n data -- bash -c "cat example/out.txt"
Wed Mar 22 19:29:29 UTC 2023
Wed Mar 22 19:29:34 UTC 2023
Wed Mar 22 19:29:39 UTC 2023
Wed Mar 22 19:29:44 UTC 2023
Wed Mar 22 19:29:49 UTC 2023
Wed Mar 22 19:29:54 UTC 2023
Wed Mar 22 19:29:59 UTC 2023
Wed Mar 22 19:30:04 UTC 2023
Wed Mar 22 19:30:10 UTC 2023
Wed Mar 22 19:30:15 UTC 2023
Wed Mar 22 19:30:20 UTC 2023
❯ kubectl exec ebs-encryption-app -n data -- bash -c "cat example/out.txt"
Wed Mar 22 18:07:47 UTC 2023
Wed Mar 22 18:07:52 UTC 2023
Wed Mar 22 18:07:57 UTC 2023
Wed Mar 22 18:08:02 UTC 2023
Wed Mar 22 18:08:07 UTC 2023

@shapirov103 shapirov103 left a comment

lgtm

@shapirov103 shapirov103 merged commit 83d87da into aws-samples:main Mar 22, 2023
@aliaksei-ivanou aliaksei-ivanou deleted the efs-encryption-at-rest branch March 22, 2023 19:35