aws-efs-csi-driver: Access Denied when using Access Points

/kind bug

What happened? Creating a ReadWriteMany persistent volume in EKS using an Access point on a file system produces the following error messages:

2021-03-04 14:43:18,573 - INFO - version=1.26.3 options={'tls': None, 'rw': None, 'accesspoint': 'fsap-redacted'}
2021-03-04 14:43:19,488 - WARNING - Could not start amazon-efs-mount-watchdog, unrecognized init system "aws-efs-csi-dri"
2021-03-04 14:43:19,942 - INFO - Starting TLS tunnel: "/usr/bin/stunnel /var/run/efs/stunnel-config.fs-0205e2f4.var.lib.kubelet.pods.f91bf3bc-95d0-4e52-a1ed-7e351d6ad6f4.volumes.kubernetes.io~csi.efs-pv.mount.20168"
2021-03-04 14:43:20,402 - INFO - Started TLS tunnel, pid: 4401
2021-03-04 14:43:20,403 - INFO - Executing: "/sbin/mount.nfs4 127.0.0.1:/ /var/lib/kubelet/pods/f91bf3bc-95d0-4e52-a1ed-7e351d6ad6f4/volumes/kubernetes.io~csi/efs-pv/mount -o rw,noresvport,nfsvers=4.1,retrans=2,hard,wsize=1048576,timeo=600,rsize=1048576,port=20168"
2021-03-04 14:43:20,952 - ERROR - Failed to mount fs-redacted.efs.us-east-1.amazonaws.com at /var/lib/kubelet/pods/f91bf3bc-95d0-4e52-a1ed-7e351d6ad6f4/volumes/kubernetes.io~csi/efs-pv/mount: returncode=32, stderr="mount.nfs4: access denied by server while mounting 127.0.0.1:/"

Creating the same persistent volume without the access point (top-level fs only) mounts correctly. What you expected to happen? I would expect the access point to mount correctly, especially on the example used (multiple_pods in this repo)

How to reproduce it (as minimally and precisely as possible)? Update the volumeHandle in pv.yaml and add a fs access point id. Anything else we need to know?:

Environment

Kubernetes version (use kubectl version): EKS v1.18 w/ node version 1.18.9
Driver version: v1.1.0
Brand new EKS Cluster, latest available EFS and EBS CSI drivers, along with VPC CNI, new IAM roles and policies, new EFS filesystem, Security groups are functional and working.
EFS and EBS CSI drivers installed using Kustomization method.

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 17 (5 by maintainers)

Most upvoted comments

@KarstenSiemer EFS Encryption document provides more information into how encryption works for EFS.

While the KMS key that you created will be used by EFS to encrypt/decrypt data at rest, encryption in transit is handled by tls tunnel created by efs-utils on behalf of the driver while mounting and this does not require KMS.

kbasv on May 19, 2021

I gave this a try and it works perfectly! Thanks @kbasv and the “workaround” with the tags is actually quite clever 😉

However I did change StringLike to StringEquals 😉

https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/4a8153ecbfa12afeb1a62e0aab4aab016d5804c2/docs/iam-policy-example.json#L19

My terraform resource now looks like this if anyone is curious

data "aws_iam_policy_document" "efs_csi" {
  statement {
    actions = [
      "elasticfilesystem:DescribeFileSystems",
    ]
    resources = [aws_efs_file_system.csi.arn]
  }

  statement {
    actions = [
      "elasticfilesystem:DescribeAccessPoints",
    ]
    resources = ["*"]
  }

  statement {
    actions = [
      "elasticfilesystem:CreateAccessPoint",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
      values   = ["true"]
    }
  }

  statement {
    actions = [
      "elasticfilesystem:DeleteAccessPoint",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
      values   = ["true"]
    }
  }
}

Skaronator on Mar 18, 2021

I have deployed the driver into several clusters many of which are in the same aws account, so I have personally settled with this:

resource "aws_iam_policy" "aws_efs_csi_driver" {
  count  = var.aws_efs_csi_driver_enabled ? 1 : 0
  name   = "aws-efs-csi-driver-${var.name}"
  policy = <<-EOD
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:DescribeAccessPoints",
          "elasticfilesystem:DescribeFileSystems"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:CreateAccessPoint"
        ],
        "Resource": "*",
        "Condition": {
          "StringLike": {
            "aws:RequestTag/efs.csi.aws.com/cluster": "true",
            "aws:RequestTag/cluster-name": "${var.name}"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": "elasticfilesystem:DeleteAccessPoint",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/efs.csi.aws.com/cluster": "true",
            "aws:ResourceTag/cluster-name": "${var.name}"
          }
        }
      }
    ]
  }
  EOD
}

I have added the cluster-name tag into the drivers deployment by specifying the --tags=cluster-name:name flag like that. Now they cannot interfere with other clusters access points. This works very well, I am quite pleased. Anyhow this is all I needed and did not need to specify any rules among ClientRootAccess or something like that

KarstenSiemer on Apr 15, 2021

Mh weird. It didn’t seem like to work properly all the time with my policy above. The log didn’t really helped me but after re-adding this part it seems to work fine again:

  statement {
    actions = [
      "elasticfilesystem:ClientRootAccess",
      "elasticfilesystem:ClientWrite",
      "elasticfilesystem:ClientMount",
    ]
    resources = [aws_efs_file_system.csi.arn]
    condition {
      test     = "Bool"
      variable = "elasticfilesystem:AccessedViaMountTarget"
      values   = ["true"]
    }
  }

Is that expected?

Edit: Maybe something weird happend when updating the csi driver and then changing the permissions multiple times without re-deploying. I’m refreshing all nodes now and that should probably fix the flaky csi driver. Not sure if I change the policy again. If it works now I’ll not touch it again 😄

Skaronator on Mar 18, 2021

@Skaronator PR 309 allows adding tags to your access points. You can modify the policy described in this example to add additional tags. These tags can be passed in as additional tags from cmd line option tags. The driver appends these tags when it creates access points.

The above tags can be used as a mechanism to limit the driver to access points created by driver.

kbasv on Mar 17, 2021