Using encrypted EBS Volumes with Kubernetes on AWS

Sunday, Aug 4, 2019| Tags: k8s, kubernetes, eks, aws, amazon

A lot of people run Kubernetes on AWS and need to use encrypted EBS volumes for security and compliance.

The steps below show how to use them.

  1. Create a storage class
  2. Create a PersistentVolume (or dynamically provisioned PersistentVolumeClaim) using the storage class
  3. Create a pod to use the PersistentVolumeClaim

1. Create a storage class

You must create a storage class that can be used for creating a PV/PVC.

Create a file encrypted-gp2.yaml with the contents below.

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-gp2
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4
  encrypted: "true"

2. Create a PersistentVolume or a dynamically provisioned PersistentVolumeClaim

Let’s create a dynamically provisioned PersistentVolumeClaim.

Create a file encrypted-pvc.yaml with the contents below.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app1-pvc
spec:
  storageClassName: encrypted-gp2
  accessModes:
    - ReadWriteOnce
  # The pod in step 3 attaches this claim with volumeMounts, which requires
  # Filesystem mode; a Block-mode claim would need volumeDevices instead.
  volumeMode: Filesystem
  resources:
    requests:
      storage: 10Gi

3. Create a pod to use the PVC

apiVersion: v1
kind: Pod
metadata:
  name: app1
spec:
  containers:
    - name: app1
      image: nginx
      volumeMounts:
      - mountPath: "/var/www/html"
        name: mypd
  volumes:
    - name: mypd
      persistentVolumeClaim:
        claimName: app1-pvc

That is all you need to use encrypted EBS volumes with Kubernetes on AWS.
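One check worth running once the three steps are done, added here as an example and not part of the original post: `encrypted: "true"` only governs volumes that this StorageClass provisions, so PVs created earlier or from another class may still sit on plaintext disks. The function below pairs each PV's `awsElasticBlockStore.volumeID` (which the in-tree provisioner writes as `aws://<zone>/<vol-id>`) with `aws ec2 describe-volumes` output and lists any PV whose volume is unencrypted, missing, or (if you set the class's `kmsKeyId` parameter) encrypted with a key other than the one you passed as `required_kms_key`; the PV list and volume list are constructed samples shaped like the real CLI output.

```python
import re
from typing import Dict, List, Optional

# The in-tree kubernetes.io/aws-ebs provisioner records the volume as aws://<zone>/<vol-id>.
_VOLUME_ID_RE = re.compile(r"^aws://[^/]*/(vol-[0-9a-f]+)$")


def ebs_volume_id(pv: Dict) -> Optional[str]:
    """Return the EBS volume id backing a PV, or None if it is not an aws-ebs PV."""
    source = pv.get("spec", {}).get("awsElasticBlockStore")
    if not source:
        return None
    match = _VOLUME_ID_RE.match(source.get("volumeID", ""))
    return match.group(1) if match else (source.get("volumeID") or None)


def unencrypted_pvs(pv_list: Dict, describe_volumes: Dict,
                    required_kms_key: Optional[str] = None) -> List[str]:
    """List PVs whose backing EBS volume is unencrypted, missing, or uses the wrong key."""
    volumes = {v["VolumeId"]: v for v in describe_volumes.get("Volumes", [])}
    findings = []
    for pv in pv_list.get("items", []):
        vol_id = ebs_volume_id(pv)
        if vol_id is None:  # not an EBS-backed PV (e.g. NFS); nothing to check
            continue
        name = pv["metadata"]["name"]
        vol = volumes.get(vol_id)
        if vol is None:
            findings.append(f"{name}: {vol_id} not found in describe-volumes output")
        elif not vol.get("Encrypted", False):
            findings.append(f"{name}: {vol_id} is NOT encrypted")
        elif required_kms_key and vol.get("KmsKeyId") != required_kms_key:
            findings.append(f"{name}: {vol_id} encrypted with unexpected key {vol.get('KmsKeyId')}")
    return findings


# Constructed sample data (shaped like `kubectl get pv -o json` / `aws ec2 describe-volumes`):
# one PV provisioned by encrypted-gp2 and one older PV created from plain gp2.
SAMPLE_PVS = {"items": [
    {"metadata": {"name": "pvc-1111"}, "spec": {"storageClassName": "encrypted-gp2",
     "awsElasticBlockStore": {"volumeID": "aws://us-east-1a/vol-0aaa"}}},
    {"metadata": {"name": "legacy-pv"}, "spec": {"storageClassName": "gp2",
     "awsElasticBlockStore": {"volumeID": "aws://us-east-1a/vol-0bbb"}}},
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]}
```

Against a real cluster, feed it the parsed JSON from `kubectl get pv -o json` and `aws ec2 describe-volumes --volume-ids ...` in place of the two samples; with the samples it reports only `legacy-pv`.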
