How to access EFS access point storage across different namespaces

Solution Verified

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • Is it possible to create a PV for the testns2 namespace that accesses the same EFS access point that was created by the dynamically provisioned PVC (pvc1) in the testns1 namespace?

EFS Volume   Access point   Namespace   PVC    PV
EFS01        /DirA          testns1     pvc1   pv-xxxxxxx
EFS01        /DirA          testns2     pvc2   efs-pv

Resolution

  • In dynamic provisioning, each PV is created dynamically and allocated to a single PVC in one namespace. Creating a second PVC in another namespace allocates a new, different PV, which cannot point to the same access point in EFS.

  • As a workaround, create a PV and PVC manually for the testns2 namespace and set volumeHandle in the static PV to the same access point used in the testns1 namespace.

1. Get the volumeHandle from pv-xxxxxxx, the PV that was created for pvc1 in the testns1 namespace.

...
  csi:
    driver: efs.csi.aws.com
    volumeHandle: 'fs-038d6a33be9527c6e::fsap-01aec0b9df8e07bb5'

2. Create a new static PV (efs-pv) and set volumeHandle to the value obtained in step 1.

kind: PersistentVolume
apiVersion: v1
metadata:
  name: efs-pv
spec:
  capacity:
    storage: 5Gi
  csi:
    driver: efs.csi.aws.com
    volumeHandle: 'fs-038d6a33be9527c6e::fsap-01aec0b9df8e07bb5'
    volumeAttributes:
      encryptInTransit: 'false'
  accessModes:
    - ReadWriteMany
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  volumeMode: Filesystem

3. Create a PVC in the testns2 namespace that binds to the PV created in step 2, and check on the storage page that its status changes to Bound.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc2
  namespace: testns2
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
  volumeName: efs-pv
  storageClassName: efs-sc
  volumeMode: Filesystem

4. Attach pvc1 and pvc2 to different pods and check that data is shared between them.
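
Steps 1 to 3 as a script, added here as an example and not part of the original solution: it checks that the volumeHandle really names an access point, then renders the static PV and PVC. The claimRef block is an addition to the page's manifest; a pre-created PV is cluster-scoped, so without it a matching PVC in any namespace could bind the PV first. The function names are hypothetical, and the page's encryptInTransit: 'false' attribute is left out so the driver's default in-transit encryption setting applies.

```bash
# Print the access point ID from an EFS CSI volumeHandle of the form
# "<fs-id>::<access-point-id>"; fail on any other shape.
access_point_id() {
  case "$1" in
    fs-*::fsap-*) printf '%s\n' "${1##*::}" ;;
    *) echo "not an access point volumeHandle: $1" >&2; return 1 ;;
  esac
}

# Render PV + PVC manifests. Args: volumeHandle, PV name, namespace, PVC name.
render_static_pv() {
  handle=$1 pv=$2 ns=$3 pvc=$4
  access_point_id "$handle" >/dev/null || return 1
  cat <<EOF
kind: PersistentVolume
apiVersion: v1
metadata:
  name: $pv
spec:
  capacity: {storage: 5Gi}
  csi:
    driver: efs.csi.aws.com
    volumeHandle: '$handle'
  accessModes: [ReadWriteMany, ReadWriteOnce]
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  volumeMode: Filesystem
  claimRef:            # addition: reserve this PV for exactly one claim
    namespace: $ns
    name: $pvc
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: $pvc
  namespace: $ns
spec:
  accessModes: [ReadWriteOnce]
  resources: {requests: {storage: 10Mi}}
  volumeName: $pv
  storageClassName: efs-sc
  volumeMode: Filesystem
EOF
}

# Usage against a cluster (assumes a logged-in oc session):
#   pv=$(oc get pvc pvc1 -n testns1 -o jsonpath='{.spec.volumeName}')
#   h=$(oc get pv "$pv" -o jsonpath='{.spec.csi.volumeHandle}')
#   render_static_pv "$h" efs-pv testns2 pvc2 | oc apply -f -
```

Both namespaces then read and write the same directory through the same access point, so any workload that can mount pvc2 sees everything written through pvc1.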

Root Cause

Dynamic provisioning automatically creates a new PV with a new access point each time a PVC is created, and PVCs are namespace-scoped.
