EFS

아래 yaml은 코드로 관리 가능

create-efs-stack.yaml

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ClusterName:
    Description: The name of the cluster
    Type: String
  Region:
    Description: The AWS region to create the resources in
    Type: String
    Default: ap-southeast-1
    AllowedValues:
      - us-east-1
      - us-west-1
      - us-west-2
      - eu-west-1
      - eu-central-1
      - ap-southeast-1
      - ap-southeast-2
      - ap-northeast-1
      - ap-northeast-2
      - sa-east-1
  VpcId:
    Description: The VPC ID where the EFS and mount targets will be created
    Type: String
  PrivateSubnet1:
    Description: The first private subnet ID for the EFS mount target
    Type: String
  PrivateSubnet2:
    Description: The second private subnet ID for the EFS mount target
    Type: String
  PrivateSubnet3:
    Description: The third private subnet ID for the EFS mount target
    Type: String
  ClusterSecurityGroup:
    Description: The security group ID of the EKS cluster nodes
    Type: String

Resources:
  MyEfsFileSystem:
    Type: 'AWS::EFS::FileSystem'
    Properties: 
      PerformanceMode: 'generalPurpose'
      ThroughputMode: 'elastic'
      BackupPolicy:
        Status: 'ENABLED'
      LifecyclePolicies:
        - TransitionToIA: 'AFTER_30_DAYS'
      Encrypted: true
      FileSystemTags:
        - Key: Name
          Value: !Sub "${ClusterName}-cluster-efs"
        - Key: elasticfilesystem-default-backup
          Value: enabled

  EfsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable NFS access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref ClusterSecurityGroup
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0

  MountTarget1:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref MyEfsFileSystem
      SubnetId: !Ref PrivateSubnet1
      SecurityGroups: 
        - !Ref EfsSecurityGroup
    DependsOn: EfsSecurityGroup

  MountTarget2:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref MyEfsFileSystem
      SubnetId: !Ref PrivateSubnet2
      SecurityGroups: 
        - !Ref EfsSecurityGroup
    DependsOn: EfsSecurityGroup

  MountTarget3:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref MyEfsFileSystem
      SubnetId: !Ref PrivateSubnet3
      SecurityGroups: 
        - !Ref EfsSecurityGroup
    DependsOn: EfsSecurityGroup

Outputs:
  FileSystemId:
    Description: 'The ID of the EFS file system'
    Value: !Ref MyEfsFileSystem
    Export:
      Name: EfsFileSystemId

변수 할당 및 프라이빗 서브넷 ID 조회 및 환경 변수에 저장 (최대 3개 프라이빗 서브넷)

CLUSTER_NAME="main"
REGION="ap-southeast-1"
STACK_NAME=${CLUSTER_NAME}-cluster-efs

VPC_ID=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.resourcesVpcConfig.vpcId" --output text --region $REGION)
CLUSTER_SECURITY_GROUP_ID=$(aws eks describe-cluster \
    --name $CLUSTER_NAME \
    --region $REGION \
    --query "cluster.resourcesVpcConfig.clusterSecurityGroupId" \
    --output text)

# 서브넷 ID를 탭으로 구분된 문자열로 가져오기
PRIVATE_SUBNET_IDS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=map-public-ip-on-launch,Values=false" --query "Subnets[*].SubnetId" --output text --region $REGION)

# 배열의 내용 출력
echo "All Private Subnet IDs: $PRIVATE_SUBNET_IDS"
echo "Number of Private Subnets: $(echo "$PRIVATE_SUBNET_IDS" | wc -w)"

# 각 서브넷 ID를 개별 변수에 할당 (탭을 구분자로 사용)
PRIVATE_SUBNET1=$(echo "$PRIVATE_SUBNET_IDS" | cut -f1)
PRIVATE_SUBNET2=$(echo "$PRIVATE_SUBNET_IDS" | cut -f2)
PRIVATE_SUBNET3=$(echo "$PRIVATE_SUBNET_IDS" | cut -f3)

변수 값 확인

echo "CLUSTER_NAME: $CLUSTER_NAME"
echo "REGION: $REGION"
echo "STACK_NAME: $STACK_NAME"
echo "VPC_ID: $VPC_ID"
echo "CLUSTER_SECURITY_GROUP_ID: $CLUSTER_SECURITY_GROUP_ID"
echo "PRIVATE_SUBNET1: $PRIVATE_SUBNET1"
echo "PRIVATE_SUBNET2: $PRIVATE_SUBNET2"
echo "PRIVATE_SUBNET3: $PRIVATE_SUBNET3"

EFS stack 생성

aws cloudformation create-stack --stack-name $STACK_NAME \
  --template-body file://create-efs-stack.yaml \
  --parameters ParameterKey=ClusterName,ParameterValue=$CLUSTER_NAME \
               ParameterKey=Region,ParameterValue=$REGION \
               ParameterKey=VpcId,ParameterValue=$VPC_ID \
               ParameterKey=PrivateSubnet1,ParameterValue=$PRIVATE_SUBNET1 \
               ParameterKey=PrivateSubnet2,ParameterValue=$PRIVATE_SUBNET2 \
               ParameterKey=PrivateSubnet3,ParameterValue=$PRIVATE_SUBNET3 \
               ParameterKey=ClusterSecurityGroup,ParameterValue=$CLUSTER_SECURITY_GROUP_ID \
  --region $REGION

생성된 EFS 의 ID를 가져와 환경변수에 저장

EFS_ID=$(aws cloudformation describe-stacks --stack-name $STACK_NAME --query "Stacks[0].Outputs[?OutputKey=='FileSystemId'].OutputValue" --output text --region $REGION)
echo $EFS_ID

ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo $ACCOUNT_ID

efs-policy

eks-values/aws/efs

aws iam create-policy \
  --policy-name AmazonEKS_EFS_CSI_Driver_Policy \
  --policy-document file://efs-csi-driver-policy.json

ROLE_NAME=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.roleArn" --output text | awk -F'/' '{print $NF}')
echo $ROLE_NAME

aws iam put-role-policy --role-name $ROLE_NAME --policy-name AmazonEKS_EFS_CSI_Driver_Policy --policy-document file://efs-csi-driver-policy.json

eksctl create iamserviceaccount \
  --name efs-csi-controller-sa \
  --namespace kube-system \
  --cluster $CLUSTER_NAME \
  --attach-policy-arn arn:aws:iam::$ACCOUNT_ID:policy/AmazonEKS_EFS_CSI_Driver_Policy \
  --approve \
  --override-existing-serviceaccounts

helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/

helm upgrade --install aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
  --namespace kube-system \
  --set controller.serviceAccount.create=false \
  --set controller.serviceAccount.name=efs-csi-controller-sa

cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: efs-retain
provisioner: efs.csi.aws.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
  provisioningMode: efs-ap
  fileSystemId: $EFS_ID
  directoryPerms: "700"
  gidRangeStart: "1000"
  gidRangeEnd: "2000"
EOF

Previousalb controller, istio Nextloki

Last updated 1 year ago

Was this helpful?