Mounting an S3 Bucket in AWS EKS Pods
This guide explains how to mount an AWS S3 bucket inside a Kubernetes pod running on Amazon EKS using the CSI driver.
It covers IAM permissions, StorageClass, PersistentVolume (PV), PersistentVolumeClaim (PVC), and pod configuration.
IAM Permissions for S3 Access
Assign the following IAM policy to your EKS node role (AmazonEKSNodeRole) to allow access to your S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::unibeam-eks-mount",
        "arn:aws:s3:::unibeam-eks-mount/*"
      ]
    }
  ]
}
IAM Policy: Ensure your EKS nodes have this policy attached for seamless S3 integration.
StorageClass
Define a StorageClass for S3-backed volumes:
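apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: s3-storage-class
# S3 CSI driver name, as used in the static provisioning example on this page.
# ebs.csi.aws.com is the EBS driver and cannot mount S3.
provisioner: s3.csi.aws.com
# The S3 CSI driver supports static provisioning only, so these parameters do not
# create volumes; the class name is what the PV and PVC match on.
parameters:
  type: "s3"
  bucket: "unibeam-eks-mount"
  mountOptions: "rw" # Read/Write permissions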
PersistentVolume (PV) Example
Create a PersistentVolume referencing your S3 bucket:
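apiVersion: v1
kind: PersistentVolume
metadata:
  name: s3-pv
spec:
  capacity:
    storage: 50Gi # Virtual size for the PV
  accessModes:
    - ReadWriteMany
  storageClassName: s3-storage-class # Must match the PVC's storageClassName for the claim to bind
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: s3.csi.aws.com # S3 CSI driver (ebs.csi.aws.com is the EBS driver)
    volumeHandle: unibeam-eks-mount # S3 bucket name
    volumeAttributes:
      bucketName: "unibeam-eks-mount" # Attribute key used by the S3 CSI driver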
PersistentVolumeClaim (PVC) Example
Request storage from the S3-backed PV:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: s3-pvc
  namespace: unibeam
spec:
  storageClassName: s3-storage-class
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
Pod Configuration to Mount S3
Mount the S3 volume inside your pod:
apiVersion: v1
kind: Pod
metadata:
  name: s3-mount-pod
  namespace: unibeam # Same namespace as the PVC s3-pvc
spec:
  containers:
    - name: app-container
      image: nginx # Replace with your container image
      volumeMounts:
        - mountPath: "/mnt/s3"
          name: s3-storage
  volumes:
    - name: s3-storage
      persistentVolumeClaim:
        claimName: s3-pvc
Namespace: Ensure your PVC and pod are in the same namespace (e.g., unibeam).
Advanced Example: Static Provisioning
For static provisioning and custom mount options:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: s3-pv
spec:
  capacity:
    storage: 1200Gi # Ignored, required
  accessModes:
    - ReadWriteMany # Supported options: ReadWriteMany / ReadOnlyMany
  storageClassName: "s3-storage-class" # Required for static provisioning
  claimRef: # To ensure no other PVCs can claim this PV
    namespace: unibeam # Namespace of the PVC (required in claimRef)
    name: s3-pvc # Name of your PVC
  mountOptions:
    - allow-delete
    - region us-east-1
    - prefix pcap/
  csi:
    driver: s3.csi.aws.com # Required
    volumeHandle: s3-csi-driver-volume
    volumeAttributes:
      bucketName: unibeam-eks-mount
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: s3-pvc
  namespace: unibeam
spec:
  accessModes:
    - ReadWriteMany # Supported options: ReadWriteMany / ReadOnlyMany
  storageClassName: "s3-storage-class" # Required for static provisioning
  resources:
    requests:
      storage: 1200Gi # Ignored, required
  volumeName: s3-pv # Name of your PV
---
apiVersion: v1
kind: Pod
metadata:
  name: s3-app
  namespace: unibeam
spec:
  containers:
    - name: app
      image: centos
      command: ["/bin/sh"]
      args: ["-c", "echo 'Hello from the container!' >> /data/$(date -u).txt; tail -f /dev/null"]
      volumeMounts:
        - name: persistent-storage
          mountPath: /data
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: s3-pvc
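An added example (not part of the original guide): a check that compares the IAM policy from the permissions section with the mountOptions of the static-provisioning PV above. It assumes Mountpoint's permission mapping (writes need s3:PutObject and s3:AbortMultipartUpload, allow-delete needs s3:DeleteObject); the function and constant names are illustrative, and Deny statements and Condition blocks are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed inputs copied from this page: the node-role policy and the
# mountOptions of the static-provisioning PersistentVolume.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::unibeam-eks-mount",
                     "arn:aws:s3:::unibeam-eks-mount/*"],
    }],
}
PAGE_MOUNT_OPTIONS = ["allow-delete", "region us-east-1", "prefix pcap/"]


def _listify(value):
    return value if isinstance(value, list) else [value]


def audit_mount(policy, bucket, mount_options):
    """Return findings where the IAM policy and the mount options disagree."""
    opts = {}
    for option in mount_options:  # "prefix pcap/" -> {"prefix": "pcap/"}
        name, _, value = option.partition(" ")
        opts[name] = value
    prefix = opts.get("prefix", "")
    arn = f"arn:aws:s3:::{bucket}"
    inside = f"{arn}/{prefix}probe-object"    # a key the mount can reach
    outside = f"{arn}/outside-prefix-probe"   # a key the mount cannot reach

    # (action pattern, resource pattern) pairs that Allow access to `inside`.
    grants = [(a.lower(), r)
              for s in _listify(policy["Statement"]) if s.get("Effect") == "Allow"
              for a in _listify(s.get("Action", []))
              for r in _listify(s.get("Resource", []))
              if fnmatchcase(inside, r)]

    def granted(action):
        return any(fnmatchcase(action.lower(), pattern) for pattern, _ in grants)

    findings = []
    if "allow-delete" in opts and not granted("s3:DeleteObject"):
        findings.append("allow-delete is set, but s3:DeleteObject is not granted")
    if "read-only" not in opts and not granted("s3:AbortMultipartUpload"):
        findings.append("writable mount, but s3:AbortMultipartUpload is not granted")
    if prefix and any(fnmatchcase(outside, r) for _, r in grants):
        findings.append(f"mount is limited to {prefix}, but the policy also covers "
                        f"objects outside it; scope to {arn}/{prefix}*")
    return findings
```

Because the policy is attached to the node role, it applies to every workload that can obtain the node's credentials, so the scoping finding matters beyond this one mount.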
Mounting S3 in SIM Service
To mount the S3 bucket in a specific path (e.g., /usr/local/lib/pcap):
# Under the pod's spec:
volumes:
  - name: pcap-volume
    persistentVolumeClaim:
      claimName: s3-pvc
# Under the container definition:
volumeMounts:
  - name: pcap-volume
    mountPath: /usr/local/lib/conf/pcap
    readOnly: false
Testing: After deployment, verify the mount by writing and reading files in the mounted directory inside your pod.