Creating an AWS EFS

This section describes how to create an AWS EFS.

Important: This procedure is optional and is required only if you want to use AWS EFS for storing the policy package during static deployment, instead of AWS S3.

To create an AWS EFS:

  1. Log in to the AWS environment.
  2. Navigate to Services.

    A list of AWS services appears.

  3. In Storage, click EFS.

    The File Systems screen appears.

  4. Click Create file system.

    The Configure network access screen appears.

  5. In the VPC list, select the VPC where you will be creating the Kubernetes cluster.

  6. Click Next Step.

    The Configure file system settings screen appears.

  7. Click Next Step.

    The Configure client access screen appears.

  8. Click Next Step.

    The Review and create screen appears.

  9. Click Create File System.

    The file system is created.

    Note the value in the File System ID column. You need to specify this value as the value of the volumeHandle parameter in the pv.yaml file in step 10c.

  10. Perform the following steps if you want to use a persistent volume for storing the policy package instead of the AWS S3 bucket.

    a. Create a file named storage_class.yaml for creating an AWS EFS storage class.

    The following snippet shows the contents of the storage_class.yaml file.

      kind: StorageClass
      apiVersion: storage.k8s.io/v1
      metadata:
        name: efs-sc
      provisioner: efs.csi.aws.com
    

    Important: If you want to copy the contents of the storage_class.yaml file, then ensure that you indent the file as per YAML requirements.

    b. Run the following command to provision the AWS EFS using the storage_class.yaml file.

    kubectl apply -f storage_class.yaml

    An AWS EFS storage class is provisioned.

    c. Create a file named pv.yaml for creating a persistent volume resource.

    The following snippet shows the contents of the pv.yaml file.

      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: efs-pv1
        labels:
          purpose: policy-store
      spec:
        capacity:
          storage: 1Gi
        volumeMode: Filesystem
        accessModes:
          - ReadWriteMany
        persistentVolumeReclaimPolicy: Retain
        storageClassName: efs-sc
        csi:
          driver: efs.csi.aws.com
          volumeHandle: fs-618248e2:/
    

    Important: If you want to copy the contents of the pv.yaml file, then ensure that you indent the file as per YAML requirements.

    This persistent volume resource is associated with the AWS EFS storage class that you have created in step 10b.

    In the storageClassName parameter, ensure that you specify the same name for the storage class that you specified in the storage_class.yaml file in step 10a.

    For example, specify efs-sc as the value of the storageClassName parameter.

    d. Run the following command to create the persistent volume resource.

    kubectl apply -f pv.yaml

    A persistent volume resource is created.

    e. Create a file named pvc.yaml for creating a claim on the persistent volume that you have created in step 10d.

    The following snippet shows the contents of the pvc.yaml file.

      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: efs-claim1
      spec:
        selector:
          matchLabels:
            purpose: "policy-store"
        accessModes:
          - ReadWriteMany
        storageClassName: efs-sc
        resources:
          requests:
            storage: 1Gi
    

    Important: If you want to copy the contents of the pvc.yaml file, then ensure that you indent the file as per YAML requirements.

    This persistent volume claim is associated with the AWS EFS storage class that you have created in step 10b. The value of the storage parameter in the pvc.yaml defines the storage that is available for saving the policy dump.

    In the storageClassName parameter, ensure that you specify the same name for the storage class that you specified in the storage_class.yaml file in step 10a.

    For example, specify efs-sc as the value of the storageClassName parameter.

    f. Run the following command to create the persistent volume claim.

    kubectl apply -f pvc.yaml -n <Namespace>

    For example:

    kubectl apply -f pvc.yaml -n iap-java

    A persistent volume claim is created. In this example, iap-java is the namespace where the Application Protector Java Container will be deployed.

    g. On the Linux instance, create a mount point for the AWS EFS by running the following command.

    mkdir /efs

    This command creates a mount point efs on the file system.

    h. Install the Amazon EFS client using the following command.

    sudo yum install -y amazon-efs-utils

    For more information about installing the EFS client, refer to the section Manually installing the Amazon EFS client in the Amazon Elastic File System User Guide.

    i. Run the following mount command to mount the AWS EFS on the directory created in step 10g.

    sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <file-system-id>.efs.<aws-region>.amazonaws.com:/ /efs

    For example:

    sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-618248e2.efs.<aws-region>.amazonaws.com:/ /efs

    Ensure that you set the value of the <file-system-id> parameter to the value of the volumeHandle parameter, as specified in the pv.yaml file in step 10c.

    For more information about the permissions required for mounting an AWS EFS, refer to the section Working with Users, Groups, and Permissions at the Network File System (NFS) Level in the AWS documentation.
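
The procedure depends on three values lining up: the storage class name in all three files, the purpose label between the persistent volume and the claim's selector, and the file system ID inside volumeHandle. The following pre-flight check is an added example, not part of the product's own tooling; the function names are hypothetical, the sample manifests are constructed, and it reads only the simple key: value lines used in the snippets on this page.

```shell
#!/bin/sh
# Added example: pre-flight check for storage_class.yaml, pv.yaml and pvc.yaml.
# Reads the simple "key: value" lines used on this page; it is not a YAML parser.

# yaml_value FILE KEY: first scalar value of KEY, quotes and trailing blanks removed
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_manifests DIR: report every mismatch; return 0 only if all checks pass
check_manifests() {
  dir=$1; rc=0
  sc=$(yaml_value "$dir/storage_class.yaml" name)
  pv_sc=$(yaml_value "$dir/pv.yaml" storageClassName)
  pvc_sc=$(yaml_value "$dir/pvc.yaml" storageClassName)
  pv_label=$(yaml_value "$dir/pv.yaml" purpose)
  pvc_label=$(yaml_value "$dir/pvc.yaml" purpose)
  handle=$(yaml_value "$dir/pv.yaml" volumeHandle)
  fs_id=${handle%%:*}   # the file system ID is the text before the first ':'

  [ -n "$sc" ] && [ "$sc" = "$pv_sc" ] && [ "$sc" = "$pvc_sc" ] ||
    { echo "storageClassName mismatch: sc=$sc pv=$pv_sc pvc=$pvc_sc"; rc=1; }
  [ -n "$pv_label" ] && [ "$pv_label" = "$pvc_label" ] ||
    { echo "PVC selector does not match PV label: pv=$pv_label pvc=$pvc_label"; rc=1; }
  printf '%s\n' "$fs_id" | grep -Eq '^fs-[0-9a-f]{8,}$' ||
    { echo "volumeHandle has no file system ID: $handle"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok: mount $fs_id.efs.<aws-region>.amazonaws.com:/"
  return "$rc"
}

# write_sample DIR PVC_CLASS: constructed manifests, trimmed to the fields checked above
write_sample() {
  printf 'metadata:\n  name: efs-sc\nprovisioner: efs.csi.aws.com\n' > "$1/storage_class.yaml"
  printf 'metadata:\n  name: efs-pv1\n  labels:\n    purpose: policy-store\nspec:\n  storageClassName: efs-sc\n  csi:\n    volumeHandle: fs-618248e2:/\n' > "$1/pv.yaml"
  printf 'spec:\n  selector:\n    matchLabels:\n      purpose: "policy-store"\n  storageClassName: %s\n' "$2" > "$1/pvc.yaml"
}

# Demo on the constructed sample: all three files agree, so the check passes.
demo_dir=$(mktemp -d)
write_sample "$demo_dir" efs-sc
check_manifests "$demo_dir"
rm -rf "$demo_dir"
```

To check real files, call check_manifests with the directory that holds the three manifests before running the kubectl apply commands.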


Last modified : January 17, 2026