Configuring PV/PVC with EFS on Kubernetes

김학현 · March 17, 2024

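Prerequisites


This assumes that a Kubernetes cluster and an EFS file system are already set up.

Security group settings

  • Add an inbound rule (port 2049) to the EFS security group that allows traffic from the Kubernetes security group.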

Installing the nfs package

sudo apt-get -y install nfs-common

If this package is not installed, the following error occurs when mounting:

mount: /etc/mnt: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

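Verifying the EFS mount

# Creating a directory under /etc requires root; the mount point does not need to be world-writable (777)
sudo mkdir -p /etc/mnt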
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-xxxxxxxxx.efs.ap-northeast-2.amazonaws.com:/ /etc/mnt

Configuring the EFS Provisioner


https://github.com/kubernetes-retired/external-storage/tree/master/aws/efs/deploy

service_account.yaml

# service_account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: efs-provisioner

rbac.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-efs-provisioner
subjects:
  - kind: ServiceAccount
    name: efs-provisioner
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-efs-provisioner
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-efs-provisioner
subjects:
  - kind: ServiceAccount
    name: efs-provisioner
    namespace: default
roleRef:
  kind: Role
  name: leader-locking-efs-provisioner
  apiGroup: rbac.authorization.k8s.io

manifest.yaml

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: efs-provisioner
spec:
  selector:
    matchLabels:
      app: efs-provisioner
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: efs-provisioner
    spec:
      serviceAccountName: efs-provisioner
      containers:
        - name: efs-provisioner
          image: quay.io/external_storage/efs-provisioner:v2.4.0
          env:
            - name: FILE_SYSTEM_ID
              value: "<FILE_SYSTEM_ID>"
            - name: AWS_REGION
              value: "<AWS_REGION>"
            - name: PROVISIONER_NAME
              value: "<PROVISIONER_NAME>"
          volumeMounts:
            - name: pvcs
              mountPath: /pvcs
      volumes:
        - name: pvcs
          nfs:
            server: "<EFS_SERVER_URL>"
            path: /

  • FILE_SYSTEM_ID: EFS file system ID

  • AWS_REGION: AWS region (ap-northeast-2)

  • PROVISIONER_NAME: name of the provisioner

  • EFS_SERVER_URL: EFS DNS name

storage_class.yaml

# StorageClass is a cluster-scoped resource, so metadata.namespace is omitted
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-provisioner
provisioner: <PROVISIONER_NAME>

Installation

kubectl apply -f .
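
A claim and a pod that consume the StorageClass defined above, as an added example that is not part of the original post. The names efs-claim and efs-test-pod, the busybox image and the /data mount path are assumptions; the StorageClass name efs-provisioner comes from storage_class.yaml.

```yaml
# pvc_and_pod.yaml (hypothetical file name; added example, not from the original post)
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: default
  name: efs-claim                     # assumed name
spec:
  storageClassName: efs-provisioner   # StorageClass from storage_class.yaml
  accessModes:
    - ReadWriteMany                   # NFS-backed volumes can be mounted read-write from many nodes
  resources:
    requests:
      storage: 1Mi                    # required by the API; EFS itself does not enforce a size
---
kind: Pod
apiVersion: v1
metadata:
  namespace: default
  name: efs-test-pod                  # assumed name
spec:
  restartPolicy: Never
  containers:
    - name: writer
      image: busybox:1.36             # assumed image
      # Write a marker file into the provisioned directory and list it
      command: ["sh", "-c", "echo ok > /data/SUCCESS && ls -l /data"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: efs
          mountPath: /data            # assumed mount path
  volumes:
    - name: efs
      persistentVolumeClaim:
        claimName: efs-claim
```

After applying, `kubectl get pvc efs-claim` should show the claim as Bound once the provisioner has created the backing PV.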