How to use an existing encrypted EBS volume as a persistent volume for a pod or deployment

I have an EBS volume that I am using that is not encrypted and has a bunch of data on it. I want to take a snapshot of the data on that volume, create a new EBS volume from that snapshot but encrypt it, and then use it in my EKS cluster. I know how to create a persistent volume, persistent volume claim and then mount it in a pod for an unencrypted EBS volume. How do I do this with an encrypted EBS volume? I did try the above, restored the snapshot and selected to use encryption with the default key, and successfully mounted the encrypted EBS volume to the pod. I could see the files, but when I opened the files they were indeed unreadable and therefore encrypted. I assume I need to apply the key somewhere somehow to allow me to properly read the files in the pod?

Here is the code to create the persistent volume:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: existing-volume-2
  annotations:
    #pv.kubernetes.io/provisioned-by: ebs.csi.aws.com
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard-rwo
  claimRef:
    name: my-pvc
    namespace: default

  awsElasticBlockStore:
    volumeID: "vol-xxx82072b1bd3a222"
    fsType: ext4
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: topology.kubernetes.io/zone
          operator: In
          values:
          - us-east-1a

Here is the code for the persistent volume claim:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  storageClassName: standard-rwo
  volumeName: existing-volume-2
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Here is the code to bring up the pod that will use the PVC:

apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
    - name: web-server
      image: alpine:latest
      command:
        - /bin/sh
        - "-c"
        - "sleep 60m"
      volumeMounts:
        - mountPath: /tmp
          name: data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: my-pvc

I figured it out (from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html):

1 - Create a snapshot of the original unencrypted volume.

2 - Create a copy of the snapshot you just took and check the option to make it encrypted.

3 - Create the new encrypted volume by restoring the copy that you just encrypted. That volume will be encrypted by default.

4 - Create the persistent volume using the new encrypted volume.
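The four steps above, scripted with the AWS CLI as an added example that is not part of the original question or answer. It adds the check a practitioner wants before wiring the new volume into the cluster: describe-volumes must report Encrypted true and, when a key ARN is supplied, the expected KmsKeyId. It assumes AWS CLI v2, kubectl and an authenticated session; the volume id, zone, key ARN and the `migrate` entry point are placeholders. The rendered PV keeps the shape of the question's manifest (in-tree awsElasticBlockStore, storageClassName standard-rwo, zone node affinity); the manifest carries no key material because EBS decrypts transparently at the block layer.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the answer's four steps with the
# AWS CLI, plus a check that the new volume is really encrypted. Assumes AWS
# CLI v2 and an authenticated session; volume id, zone and key are placeholders.
set -eu

# Step 1: snapshot the unencrypted source volume and wait until it is complete.
snapshot_source_volume() {
  local src_vol="$1" snap
  snap=$(aws ec2 create-snapshot --volume-id "$src_vol" \
           --description "pre-encryption copy of $src_vol" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  echo "$snap"
}

# Step 2: copy the snapshot with --encrypted. Without --kms-key-id the account's
# default EBS key (alias aws/ebs) is used, which is what the answer did.
copy_snapshot_encrypted() {
  local snap="$1" region="$2" kms_key="${3:-}" copy
  # shellcheck disable=SC2086
  copy=$(aws ec2 copy-snapshot --source-snapshot-id "$snap" \
           --source-region "$region" --encrypted \
           ${kms_key:+--kms-key-id "$kms_key"} \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$copy"
  echo "$copy"
}

# Step 3: restore the encrypted snapshot into a volume in the zone the worker
# nodes run in; a volume created from an encrypted snapshot is always encrypted.
create_volume_from_snapshot() {
  local snap="$1" zone="$2" vol
  vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$zone" \
          --volume-type gp3 --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$vol"
  echo "$vol"
}

# Inspect describe-volumes JSON: succeed only if Encrypted is true and, when an
# expected key ARN is given, KmsKeyId matches it (catches a copy made with a
# different key). Plain text matching so it can also be exercised offline.
check_encrypted_json() {
  local json="$1" expected_key="${2:-}"
  printf '%s' "$json" | grep -Eq '"Encrypted":[[:space:]]*true' || return 1
  if [ -n "$expected_key" ]; then
    printf '%s' "$json" | grep -Fq "\"KmsKeyId\": \"$expected_key\"" || return 1
  fi
  return 0
}

verify_volume_encrypted() {
  local vol="$1" expected_key="${2:-}"
  check_encrypted_json "$(aws ec2 describe-volumes --volume-ids "$vol" --output json)" "$expected_key"
}

# Step 4: render the static PV (same shape as the question's manifest) for the
# new volume id. No key material is needed: EBS decrypts at the block layer.
render_pv() {
  local name="$1" vol="$2" zone="$3" size="$4"
  cat <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: $name
spec:
  capacity:
    storage: $size
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard-rwo
  awsElasticBlockStore:
    volumeID: "$vol"
    fsType: ext4
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: topology.kubernetes.io/zone
              operator: In
              values:
                - $zone
EOF
}

# Usage: ./migrate.sh migrate <source-volume-id> <zone> [kms-key-arn]
# e.g.   ./migrate.sh migrate vol-xxx82072b1bd3a222 us-east-1a   (placeholders)
if [ "${1:-}" = "migrate" ]; then
  SRC_VOL="$2"; ZONE="$3"; KMS_KEY="${4:-}"
  REGION="${ZONE%?}"                      # us-east-1a -> us-east-1
  SNAP=$(snapshot_source_volume "$SRC_VOL")
  ENC_SNAP=$(copy_snapshot_encrypted "$SNAP" "$REGION" "$KMS_KEY")
  NEW_VOL=$(create_volume_from_snapshot "$ENC_SNAP" "$ZONE")
  verify_volume_encrypted "$NEW_VOL" "$KMS_KEY"   # set -e aborts if not encrypted
  render_pv existing-volume-2 "$NEW_VOL" "$ZONE" 10Gi | kubectl apply -f -
fi
```

The script fails closed: if the describe-volumes check does not confirm encryption (or the key does not match), `set -e` stops it before the PV is applied, so an unencrypted volume can never be bound under the assumption that it is protected.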
