실습 4탄 = 17/17
EKS에서 EFS를 사용할수 있다.
1
service account에서 사용할 정책을 만든다.
iam 정책 설정 한다.
2
서비스 어카운트를 만든다.
서비스 어카운트를 정책에 연결한다.
서비스 어카운트로 사용한다.
3
EFS 드라이버를 설치한다.
사용자와 AWS 스토리지와 연결하기 위함이다.
helm으로 드라이버를 설치한다.
4
파일 시스템을 생성한다.
5
테스트 pod를 만들어 확인한다.
AmazonEKS_EFS_CSI_Driver_Policy 라는 정책을 만든다.
curl -o iam-policy-example.json https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.3.2/docs/iam-policy-example.json
aws iam create-policy --policy-name AmazonEKS_EFS_CSI_Driver_Policy --policy-document file://iam-policy-example.json
echo $CLUSTER_NAME
eksctl create iamserviceaccount --name efs-csi-controller-irsa --namespace kube-system --cluster $CLUSTER_NAME --attach-policy-arn arn:aws:iam::$ACCOUNT_ID:policy/AmazonEKS_EFS_CSI_Driver_Policy --approve
helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
kubectl get pod -n kube-system -l "app.kubernetes.io/name=aws-efs-csi-driver,app.kubernetes.io/instance=aws-efs-csi-driver"
//설치 확인
1
# VPC ID 등 정보 확인
vpc_id=`aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.resourcesVpcConfig.vpcId" --output text`
echo $vpc_id
vpc-0d892b1
cidr_range=$(aws ec2 describe-vpcs --vpc-ids $vpc_id --query "Vpcs[].CidrBlock" --output text)
echo $cidr_range
192.168.0.0/16
2
# EFS 에 적용될 보안 그룹 생성
인바운드에 tcp 2049 허용 설정
export security_group_id=$(aws ec2 create-security-group --group-name MyEfsSecurityGroup --description "My EFS security group" --vpc-id $vpc_id --output text)
echo $security_group_id
sg-05d4
aws ec2 authorize-security-group-ingress --group-id $security_group_id --protocol tcp --port 2049 --cidr $cidr_range
3
# EFS 파일시스템 생성
file_system_id=`aws efs create-file-system --region $AWS_DEFAULT_REGION --performance-mode generalPurpose --query 'FileSystemId' --output text`
echo $file_system_id
fs-008
4
# (옵션) EFS 파일시스템 생성 확인
aws efs describe-file-systems --file-system-id $file_system_id
5
## 서브넷 정보 확인
퍼블릭 서브넷에 EFS 마운트
aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" --query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' --output table
+------------------+------------------+----------------------------+
| AvailabilityZone | CidrBlock | SubnetId |
+------------------+------------------+----------------------------+
| ap-southeast-1a | 192.168.1.0/24 | subnet-0db670660f38063e2 |
| ap-southeast-1a | 192.168.3.0/24 | subnet-09cb7ad7b952007bf |
| ap-southeast-1c | 192.168.4.0/24 | subnet-04839ffd6b83b4921 |
| ap-southeast-1c | 192.168.2.0/24 | subnet-03180945d53bb003e |
+------------------+------------------+----------------------------+
6
탑재 대상 설정(mount-target)
# aws efs create-mount-target --file-system-id $file_system_id --subnet-id <서브넷ID> --security-groups $security_group_id
PublicSubnet1=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=$CLUSTER_NAME-PublicSubnet1 --query 'Subnets[0].SubnetId' --output text)
PublicSubnet2=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=$CLUSTER_NAME-PublicSubnet2 --query 'Subnets[0].SubnetId' --output text)
aws efs create-mount-target --file-system-id $file_system_id --subnet-id $PublicSubnet1 --security-groups $security_group_id
aws efs create-mount-target --file-system-id $file_system_id --subnet-id $PublicSubnet2 --security-groups $security_group_id
7
콘솔에서 확인한다.
네트워크
1
# StorageClass 생성
curl -o storageclass.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml
cat storageclass.yaml | sed "s/fs-92107410/$file_system_id/g" | kubectl apply -f -
storageclass.storage.k8s.io/efs-sc created
2
## 확인
kubectl get sc
(seo-sing-admin@myeks:default) [root@myeks-host dynamic-provisioning]# kubectl get sc
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
efs-sc efs.csi.aws.com Delete Immediate false 73s gp2 (default) kubernetes.io/aws-ebs Delete WaitForFirstConsumer false 2d16h
kubectl get sc
3
# 샘플 파드(PVC) 생성 >> EFS 탑재 대상 상태가 '사용 가능' 일때 파드 생성하자!
# Test automatic provisioning by deploying a Pod that makes use of the PersistentVolumeClaim:
curl -o pod.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/pod.yaml
kubectl apply -f pod.yaml
4
# 확인
kubectl get pod,pvc,pv
Every 2.0s: kubectl get pv,pvc -A Tue Sep 28 09:40:31 2021
NAMESPACE NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
default persistentvolumeclaim/efs-claim Pending efs-sc 10s
5
## EFS-CSI 컨트롤러 파드 확인
kubectl get pods -n kube-system -l app=efs-csi-controller
NAME READY STATUS RESTARTS AGE
efs-csi-controller-868dc45697-bld9l 3/3 Running 0 74m
efs-csi-controller-868dc45697-m6q5m 3/3 Running 0 74m
kubectl logs -n kube-system -l app=efs-csi-controller -c csi-provisioner --tail 10
ResourceVersion:"76339", FieldPath:""}): type: 'Normal' reason: 'ProvisioningSucceeded' Successfully provisioned volume pvc-917b6eb8-3659-4fe6-8cc0-d8d152e6201d
...
6
kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
efs-app 1/1 Running 0 5m15s 192.168.1.203 ip-192-168-1-88.ap-northeast-2.compute.internal <none> <none>
7
# 볼륨 사용 확인
kubectl exec efs-app -- bash -c "cat data/out"
kubectl exec efs-app -- bash -c "tail -f data/out"
kubectl exec efs-app -- bash -c "df -hT --type=nfs4"
Filesystem Type Size Used Avail Use% Mounted on
127.0.0.1:/ nfs4 8.0E 0 8.0E 0% /data
8
# EFS 액세스 포인트 확인
aws efs describe-access-points --output table
9
# 삭제
kubectl delete -f pod.yaml
cat storageclass.yaml | sed "s/fs-92107410/$file_system_id/g" | kubectl delete -f -
1
# 샘플 파일 다운로드
git clone https://github.com/kubernetes-sigs/aws-efs-csi-driver.git
cd aws-efs-csi-driver/examples/kubernetes/multiple_pods/
tree
2
# EFS 파일시스템 ID 확인
# aws efs describe-file-systems --query "FileSystems[*].FileSystemId" --output text
# aws efs describe-file-systems | jq -r ".FileSystems[].FileSystemId"
file_system_id=$(aws efs describe-file-systems | jq --raw-output '.FileSystems[].FileSystemId')
echo $file_system_id
3
# 생성
kubectl apply -f specs/storageclass.yaml
cat specs/pv.yaml | sed "s/fs-4af69aab/$file_system_id/g" | kubectl apply -f -
kubectl apply -f specs/claim.yaml
4
# 확인 >> 아래 PV 상태가 Bound 될따까지 기다린 후 아래 실습 진행!
kubectl get sc,pvc,pv
kubectl get pv -w
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
efs-pv 5Gi RWX Retain Bound default/efs-claim efs-sc 61s
5
# 파드 생성
kubectl apply -f specs/pod1.yaml
kubectl apply -f specs/pod2.yaml
kubectl get pods -w
6
# 확인
kubectl describe pv efs-pv
Name: efs-pv
Labels: <none>
Annotations: pv.kubernetes.io/bound-by-controller: yes
Finalizers: [kubernetes.io/pv-protection]
StorageClass: efs-sc
Status: Bound
Claim: default/efs-claim
Reclaim Policy: Retain
Access Modes: RWX
VolumeMode: Filesystem
Capacity: 5Gi
Node Affinity: <none>
Message:
Source:
Type: CSI (a Container Storage Interface (CSI) volume source)
Driver: efs.csi.aws.com
FSType:
VolumeHandle: fs-b1bc34d1
ReadOnly: false
VolumeAttributes: <none>
Events: <none>
kubectl describe pod app1
Containers:
app1:
...
/data from persistent-storage (rw)
Volumes:
persistent-storage:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: efs-claim
ReadOnly: false
7
# 확인
kubectl exec -it app1 -- sh -c "df -hT | egrep 'Type|nfs4'"
kubectl exec -it app2 -- sh -c "df -hT | egrep 'Type|nfs4'"
kubectl exec -ti app1 -- tail /data/out1.txt
kubectl exec -ti app2 -- tail /data/out1.txt
kubectl exec -ti app1 -- tail /data/out1.txt -f
kubectl exec -ti app2 -- tail /data/out1.txt -f
8
# 삭제
kubectl delete -f specs/
1
# 리소스 삭제
helm -n kube-system uninstall aws-efs-csi-driver
2
# EFS 마운트 타켓 삭제
targets=$(aws efs describe-mount-targets --file-system-id $file_system_id | jq --raw-output '.MountTargets[].MountTargetId')
echo $targets
for target in ${targets[@]}
do
echo "deleting mount target " $target
aws efs delete-mount-target --mount-target-id $target
done
3
# EFS 생성 때 사용한 보안그룹 삭제
aws ec2 delete-security-group --group-id $security_group_id
4
# EFS 삭제 : 위 마운트 타켓 삭제 후 1분 정도 후에 EFS 삭제를 실행하자!
aws efs delete-file-system --file-system-id $file_system_id
5
# IRSA 삭제
eksctl delete iamserviceaccount --cluster $CLUSTER_NAME --namespace kube-system --name efs-csi-controller-irsa --wait
https://www.eksworkshop.com/beginner/190_efs/efs-csi-driver/
https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html
https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html
https://brunch.co.kr/@topasvga/1872
https://brunch.co.kr/@topasvga/1816
https://brunch.co.kr/@topasvga/1679
감사합니다.