ENV
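# Environment used by every later step: cluster name, region, the cluster's
# OIDC issuer (host/path form, as IAM names the provider) and the account id.
export CLUSTER_NAME="<CLUSTER_NAME>"   # replace with the target cluster name
export AWS_REGION=ap-northeast-2
# The issuer is returned as https://oidc.eks.<region>.amazonaws.com/id/<ID>.
# Strip the scheme with parameter expansion instead of the fixed-width
# `cut -c 9-100`, which silently truncates if the URL ever exceeds 100 chars.
CLUSTER_OIDC=$(aws eks describe-cluster --name "$CLUSTER_NAME" \
  --query "cluster.identity.oidc.issuer" --output text)
export CLUSTER_OIDC="${CLUSTER_OIDC#https://}"
export ACCOUNT
ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)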
EFS CSI 드라이버 신뢰 정책 생성
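# Write the IRSA trust policy for the EFS CSI driver role. ACCOUNT_ID and OIDC
# are placeholders filled in by the sed step that follows; the quoted delimiter
# ('EOF') keeps the shell from expanding anything inside the document.
# The "sub" condition limits the role to the driver's own service accounts in
# kube-system (the addon creates efs-csi-controller-sa / efs-csi-node-sa);
# with only the "aud" check, any pod in the cluster holding a projected
# service-account token could call AssumeRoleWithWebIdentity on this role.
cat <<'EOF' > aws-efs-csi-driver-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/OIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "OIDC:sub": "system:serviceaccount:kube-system:efs-csi-*"
        }
      }
    }
  ]
}
EOF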
sed 명령어로 치환
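# Fill the ACCOUNT_ID and OIDC placeholders in the trust policy. `|` is used as
# the sed delimiter because the issuer contains `/`. ${VAR:?} aborts with a
# message when the variable is unset or empty instead of silently replacing the
# placeholder with nothing, which would leave a broken Principal/Condition.
# The OIDC match is case-sensitive, so "oidc-provider/" is left untouched.
sed -i "s|ACCOUNT_ID|${ACCOUNT:?ACCOUNT is not set}|g" aws-efs-csi-driver-trust-policy.json
sed -i "s|OIDC|${CLUSTER_OIDC:?CLUSTER_OIDC is not set}|g" aws-efs-csi-driver-trust-policy.json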
IAM 역할 생성
aws iam create-role --role-name AmazonEKS_EFS_CSI_DriverRole --assume-role-policy-document file:///home/ec2-user/aws-efs-csi-driver-trust-policy.json
IAM 역할에 정책 연결
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy --role-name AmazonEKS_EFS_CSI_DriverRole
aws-efs-csi-driver addon 생성
eksctl create addon --name aws-efs-csi-driver --cluster $CLUSTER_NAME --service-account-role-arn arn:aws:iam::$ACCOUNT:role/AmazonEKS_EFS_CSI_DriverRole --force
Create EFS
# Create the EFS file system. Encryption at rest is enabled; the Name tag
# (skills-efs) is what later steps use to look the file system up.
aws efs create-file-system \
  --encrypted \
  --tags Key=Name,Value=skills-efs \
  --performance-mode generalPurpose \
  --throughput-mode bursting
Security Group Change
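# Resolve the security groups of the bastion and of the EKS worker nodes via
# their Name tags. Both queries flatten every SG of every matching instance,
# so they only yield a single id when each instance carries exactly one SG;
# the rule commands below pass the value as a single --group-id.
BASTION_SG_ID=$(aws ec2 describe-instances \
  --filter Name=tag:Name,Values=skills-bastion \
  --query "Reservations[].Instances[].SecurityGroups[].GroupId" --output text)
# NOTE(review): Reservations[1] selects the second reservation only, unlike the
# bastion query — presumably intended for this lab layout; confirm it returns
# the node group's SG.
EKS_NODE_GROUP_SG_ID=$(aws ec2 describe-instances \
  --filter Name=tag:Name,Values=skills-app-node \
  --query "Reservations[1].Instances[].SecurityGroups[].GroupId" --output text)
# Warn (to stderr) when a lookup did not produce exactly one sg-... id.
for sg in "$BASTION_SG_ID" "$EKS_NODE_GROUP_SG_ID"; do
  [[ "$sg" == sg-* && "$sg" != *[[:space:]]* ]] \
    || printf 'warning: expected exactly one security group id, got: %s\n' "$sg" >&2
done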
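# Allow NFS (TCP 2049) between the clients and the EFS mount targets. The mount
# targets are created with the node-group SG, so NFS only has to be reachable
# on that SG, and only from the nodes themselves and from the bastion.
# --source-group references those SGs directly instead of opening 2049 to
# 0.0.0.0/0, which would admit anything that can route into the VPC
# (peered VPCs, VPN, etc.). Output is discarded; errors still reach stderr.
aws ec2 authorize-security-group-ingress --group-id "$EKS_NODE_GROUP_SG_ID" --protocol tcp --port 2049 --source-group "$EKS_NODE_GROUP_SG_ID" > /dev/null
aws ec2 authorize-security-group-ingress --group-id "$EKS_NODE_GROUP_SG_ID" --protocol tcp --port 2049 --source-group "$BASTION_SG_ID" > /dev/null
# Egress toward the mount-target SG. Default SG egress already allows all
# traffic; these rules only matter if the default egress rule was removed.
aws ec2 authorize-security-group-egress --group-id "$BASTION_SG_ID" --protocol tcp --port 2049 --source-group "$EKS_NODE_GROUP_SG_ID" > /dev/null
aws ec2 authorize-security-group-egress --group-id "$EKS_NODE_GROUP_SG_ID" --protocol tcp --port 2049 --source-group "$EKS_NODE_GROUP_SG_ID" > /dev/null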
Get EFS ID
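# Look up the file system created above by its Name tag. The unfiltered query
# returned every EFS in the account/region, so a second file system would make
# sed paste several ids into the manifest.
EFS_ID=$(aws efs describe-file-systems \
  --query "FileSystems[?Name=='skills-efs'] | [0].FileSystemId" --output text)
[[ "$EFS_ID" == fs-* ]] \
  || printf 'warning: expected one fs-... id for skills-efs, got: %s\n' "$EFS_ID" >&2
# Replace the EFS_ID placeholder in the StorageClass manifest. ${VAR:?} aborts
# rather than writing an empty fileSystemId. statefulset-efs.yaml must already
# exist in the current directory at this point.
sed -i "s|EFS_ID|${EFS_ID:?EFS_ID is not set}|g" statefulset-efs.yaml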
Create Mount Target
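# Subnets the cluster is configured with (tab-separated text list).
SUBNET_IDS=$(aws eks describe-cluster --name "$CLUSTER_NAME" \
  --query "cluster.resourcesVpcConfig.subnetIds" --output text)
# Create one EFS mount target per cluster subnet, attached to the node-group SG
# so the nodes' NFS traffic is admitted. EFS permits a single mount target per
# Availability Zone: if two cluster subnets share an AZ, the second call for
# that AZ is expected to fail with a conflict — presumably acceptable here;
# confirm against the subnet layout.
# shellcheck disable=SC2086 -- intentional word-splitting of the id list
for SUBNET_ID in $SUBNET_IDS; do
  aws efs create-mount-target \
    --file-system-id "${EFS_ID:?EFS_ID is not set}" \
    --subnet-id "$SUBNET_ID" \
    --security-groups "${EKS_NODE_GROUP_SG_ID:?EKS_NODE_GROUP_SG_ID is not set}"
done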
마운트 타겟 상태 확인
aws efs describe-mount-targets --file-system-id $EFS_ID
Create StatefulSet
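---
# StorageClass for dynamic provisioning on the EFS file system created above.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-storage
provisioner: efs.csi.aws.com
parameters:
  # Access-point mode: the driver creates one EFS access point per PVC.
  # The value the driver recognizes is "efs-ap"; the original "efs-app" is not
  # a valid provisioning mode and leaves PVCs Pending.
  provisioningMode: efs-ap
  fileSystemId: EFS_ID # placeholder, replaced by the sed step (s|EFS_ID|$EFS_ID|g)
  # Permissions of each access point's root directory. The access point
  # enforces its own POSIX uid/gid on every mount, so 700 is enough for the
  # owning pods; 777 would make the directory writable to every other user
  # on the file system.
  directoryPerms: "700"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: efs-app-sts
spec:
  selector:
    matchLabels:
      app: test-efs
  serviceName: efs-app
  replicas: 3
  template:
    metadata:
      labels:
        app: test-efs
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: linux
          image: amazonlinux:2
          command: ["/bin/sh"]
          # Appends a UTC timestamp to a file on the shared volume every 5s,
          # which lets all three replicas' writes be observed in one file.
          args:
            - "-c"
            - "while true; do echo $(date -u) >> /efs-data/out.txt; sleep 5; done"
          volumeMounts:
            - name: efs-storage
              mountPath: /efs-data
  # One PVC per replica, bound through the StorageClass above.
  volumeClaimTemplates:
    - metadata:
        name: efs-storage
      spec:
        accessModes: [ReadWriteMany]
        storageClassName: efs-storage
        resources:
          requests:
            storage: 1Gi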
kubectl apply -f statefulset-efs.yaml