I have an EBS volume that I am using that is not encrypted and has a bunch of data on it. I want to take a snapshot of the data on that volume, create a new EBS volume from that snapshot but encrypt it, and then use it in my EKS cluster. I know how to create a persistent volume, persistent volume claim and then mount it in a pod for an unencrypted EBS volume. How do I do this with an encrypted EBS volume? I did try the above, restored the snapshot and selected to use encryption with the default key and successfully mounted the encrypted EBS volume to the pod and I could see the files but when I opened the files they were indeed unreadable and therefore encrypted. I assume I need to apply the key somewhere somehow to allow me to properly read the files in the pod?
Here is the code to create the persistent volume:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: existing-volume-2
  annotations:
    #pv.kubernetes.io/provisioned-by: ebs.csi.aws.com
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard-rwo
  claimRef:
    name: my-pvc
    namespace: default
  awsElasticBlockStore:
    volumeID: "vol-xxx82072b1bd3a222"
    fsType: ext4
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: topology.kubernetes.io/zone
              operator: In
              values:
                - us-east-1a

Here is the code for the persistent volume claim -

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  storageClassName: standard-rwo
  volumeName: existing-volume-2
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Here is the code to bring up the pod that will use the PVC -

apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
    - name: web-server
      image: alpine:latest
      command:
        - /bin/sh
        - "-c"
        - "sleep 60m"
      volumeMounts:
        - mountPath: /tmp
          name: data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: my-pvc

I figured it out - (from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html )
1 - Create a snapshot of the original unencrypted volume.
2 - Create a copy of the snapshot you just took and check the option to make it encrypted.
3 - Create the new encrypted volume by restoring the copy that you just encrypted. That volume will be encrypted by default.
4 - Create the persistent volume using the new encrypted volume.
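
Steps 1 to 3 above, scripted with the AWS CLI and followed by a check that the restored volume really reports as encrypted. This is an added example, not part of the original post; the helper name `encrypt_volume`, the `AWS` override variable and the script file name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: steps 1-3 with the AWS CLI, then a check that the result is encrypted.
# AWS can be pointed at a stub so the flow can be exercised without an AWS account.
AWS="${AWS:-aws}"

# encrypt_volume SRC_VOLUME_ID REGION AZ [KMS_KEY_ID]  (hypothetical helper name)
# Prints the new encrypted volume ID. AZ must match the PV's nodeAffinity zone.
encrypt_volume() {
  local src_vol="$1" region="$2" az="$3" kms_key="${4:-}"
  local snap enc_snap new_vol encrypted

  # Step 1: snapshot the unencrypted volume and wait for it to complete.
  snap=$("$AWS" ec2 create-snapshot --region "$region" --volume-id "$src_vol" \
    --description "pre-encryption snapshot of $src_vol" \
    --query SnapshotId --output text) || return 1
  "$AWS" ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || return 1

  # Step 2: copy the snapshot with encryption on. With no --kms-key-id the
  # account's default EBS key is used.
  enc_snap=$("$AWS" ec2 copy-snapshot --region "$region" --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted ${kms_key:+--kms-key-id "$kms_key"} \
    --query SnapshotId --output text) || return 1
  "$AWS" ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || return 1

  # Step 3: restore the encrypted copy into a new volume in the node's zone.
  new_vol=$("$AWS" ec2 create-volume --region "$region" --availability-zone "$az" \
    --snapshot-id "$enc_snap" --query VolumeId --output text) || return 1
  "$AWS" ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || return 1

  # Check: refuse to hand back a volume that is not reported as encrypted.
  encrypted=$("$AWS" ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text) || return 1
  case "$encrypted" in
    True|true) echo "$new_vol" ;;
    *) echo "volume $new_vol is not encrypted" >&2; return 1 ;;
  esac
}

# Run the flow only when called with arguments, e.g.:
#   ./encrypt-volume.sh vol-EXAMPLE us-east-1 us-east-1a
if [ "$#" -ge 3 ]; then encrypt_volume "$@"; fi
```

For step 4, the printed volume ID goes into `volumeID` in the PersistentVolume manifest. The pod manifest carries no key material, because EBS encryption and decryption happen on the EC2 host and are transparent to the attached instance.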