Like volume path mounts, mounting EFS access points allows you to expose separate data stores with independent ownership and permissions from a single EFS volume. In this case, the separation is managed on the EFS side rather than the kubernetes side.
Note: Because access point mounts require TLS, this is not supported in driver versions at or before 0.3
.
Following this doc, create a separate access point for each independent data store you wish to expose in your cluster, tailoring the ownership and permissions as desired. There is no need to use different EFS volumes.
Note: Although it is possible to configure IAM policies for access points, by default no additional IAM permissions are necessary.
This example assumes you are using two access points.
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv1
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]::[AccessPointId]
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv2
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: [FileSystemId]::[AccessPointId]
In each PersistentVolume, replace both the [FileSystemId]
in spec.csi.volumeHandle
and the [AccessPointId]
value of the accesspoint
option in spec.mountOptions
.
You can find these values using the AWS CLI:
>> aws efs describe-access-points --query 'AccessPoints[*].{"FileSystemId": FileSystemId, "AccessPointId": AccessPointId}'
If you are using the same underlying EFS volume, the FileSystemId
will be the same in both PersistentVolume specs, but the AccessPointId
will differ.
Note: The double colon in the volumeHandle
is intentional.
The middle field indicates the subpath; if omitted, no subpath is used.
See below for more information.
Create PVs, persistent volume claims (PVCs), and storage class:
>> kubectl apply -f examples/kubernetes/volume_path/specs/example.yaml
After the objects are created, verify the pod is running:
>> kubectl get pods
Also you can verify that data is written into the EFS filesystems:
>> kubectl exec -ti efs-app -- tail -f /data-dir1/out.txt
>> kubectl exec -ti efs-app -- ls /data-dir2
- Using access points via
volumeHandle
automatically adds thetls
mount option. - It is deprecated to specify access points via
mountOptions
, e.g.
spec:
mountOptions:
- tls
- accesspoint=fsap-068c22f0246419f75
as this could subject you to issue #167.
- It is possible to use a combination of volume path and access points
with a
volumeHandle
of the form[FileSystemId]:[Subpath]:[AccessPointId]
, e.g.volumeHandle: fs-e8a95a42:/my/subpath:fsap-19f752f0068c22464
. In this case:- The
[Subpath]
will be under the configured access point directory. For example, if you configured your access point with/ap1
, the above would mount to/ap1/my/subpath
. - As with normal volume path, the
[Subpath]
must already exist prior to consuming the volume from a pod.
- The