kubernetes-sigs · leakingtapan · Jan 2, 2019 · Jan 2, 2019 · Jan 2, 2019
diff --git a/deploy/kubernetes/sample_app/pv.yaml b/deploy/kubernetes/sample_app/pv.yaml
@@ -10,6 +10,8 @@ spec:
     - ReadWriteOnce
   persistentVolumeReclaimPolicy: Recycle
   storageClassName: efs-sc
+  mountOptions:
+    - tls
   csi:
     driver: efs.csi.aws.com
     volumeHandle: fs-ff2a9557  
diff --git a/deploy/kubernetes/sample_app/storageclass.yaml b/deploy/kubernetes/sample_app/storageclass.yaml
@@ -3,3 +3,5 @@ apiVersion: storage.k8s.io/v1
 metadata:
   name: efs-sc
 provisioner: efs.csi.aws.com
+mountOptions:
+  - tls
diff --git a/docs/README.md b/docs/README.md
@@ -24,6 +24,11 @@ This driver is in alpha stage. Basic volume operations that are functional inclu
 ## Features
 Currently only static provisioning is supported. This means a AWS EFS filesystem needs to be created manually on AWS first. After that it could be mounted inside container as a volume using AWS EFS CSI Driver.
 
+### Encryption In Transit
+One of the advantages of using EFS is that it provides [encryption in transit](https://aws.amazon.com/blogs/aws/new-encryption-of-data-in-transit-for-amazon-efs/) support using TLS. Using encryption in transit, data will be encrypted during its transition over the network to EFS service. This provides extra layer of depth-in-depth for applications that requires higher secuity compliance.
+
+To enable encryption in transit, `tls` needs to be set at `NodePublishVolumeRequest.VolumeCapability.MountVolume` object's `MountFlags` fields. For example of using it in kuberentes, see persistence volume manifest in [Example](#kubernetes-example)
+
 # Kubernetes Example
 This example demos how to make a EFS filesystem mounted inside container using the driver. Before this, get yourself familiar with setting up kubernetes on AWS and [creating EFS filesystem](https://docs.aws.amazon.com/efs/latest/ug/getting-started.html). And when creating EFS filesystem, make sure it is accessible from kuberenetes cluster. This can be achieved by creating EFS filesystem inside the same VPC as kubernetes cluster or using VPC peering.
 
@@ -41,7 +46,7 @@ kubectl apply -f https://raw.githubusercontent.com/aws/aws-efs-csi-driver/master
 kubectl apply -f https://raw.githubusercontent.com/aws/aws-efs-csi-driver/master/deploy/kubernetes/node.yaml
 ```
 
-Edit the [persistence volume manifest file](../deploy/kubernetes/sample_app/pv.yaml):
+Edit the [persistence volume manifest file](../deploy/kubernetes/sample_app/pv.yaml) (note that encryption in transit is enabled using mount option):
 ```
 apiVersion: v1
 kind: PersistentVolume
@@ -55,6 +60,8 @@ spec:
     - ReadWriteOnce
   persistentVolumeReclaimPolicy: Recycle
   storageClassName: efs-sc
+  mountOptions:
+    - tls
   csi:
     driver: efs.csi.aws.com
     volumeHandle: [FileSystemId] 

diff --git a/pkg/driver/node.go b/pkg/driver/node.go
@@ -59,18 +59,33 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 		return nil, status.Error(codes.InvalidArgument, "Volume capability not supported")
 	}
 
-	options := []string{}
+	mountOptions := []string{}
 	if req.GetReadonly() {
-		options = append(options, "ro")
+		mountOptions = append(mountOptions, "ro")
 	}
 
+	if m := volCap.GetMount(); m != nil {
+		hasOption := func(options []string, opt string) bool {
+			for _, o := range options {
+				if o == opt {
+					return true
+				}
+			}
+			return false
+		}
+		for _, f := range m.MountFlags {
+			if !hasOption(mountOptions, f) {
+				mountOptions = append(mountOptions, f)
+			}
+		}
+	}
 	glog.V(5).Infof("NodePublishVolume: creating dir %s", target)
 	if err := d.mounter.MakeDir(target); err != nil {
 		return nil, status.Errorf(codes.Internal, "Could not create dir %q: %v", target, err)
 	}
 
-	glog.V(5).Infof("NodePublishVolume: mounting %s at %s", source, target)
-	if err := d.mounter.Mount(source, target, "efs", options); err != nil {
+	glog.V(5).Infof("NodePublishVolume: mounting %s at %s with options %v", source, target, mountOptions)
+	if err := d.mounter.Mount(source, target, "efs", mountOptions); err != nil {
 		os.Remove(target)
 		return nil, status.Errorf(codes.Internal, "Could not mount %q at %q: %v", source, target, err)
 	}

diff --git a/pkg/driver/node_test.go b/pkg/driver/node_test.go
@@ -77,6 +77,76 @@ func TestNodePublishVolume(t *testing.T) {
 				mockCtrl.Finish()
 			},
 		},
+		{
+			name: "success: normal with read only mount",
+			testFunc: func(t *testing.T) {
+				mockCtrl := gomock.NewController(t)
+				mockMounter := mocks.NewMockInterface(mockCtrl)
+				driver := &Driver{
+					endpoint: endpoint,
+					nodeID:   nodeID,
+					mounter:  mockMounter,
+				}
+				source := volumeId + ":/"
+
+				ctx := context.Background()
+				req := &csi.NodePublishVolumeRequest{
+					VolumeId:         volumeId,
+					VolumeAttributes: map[string]string{},
+					VolumeCapability: stdVolCap,
+					TargetPath:       targetPath,
+					Readonly:         true,
+				}
+
+				mockMounter.EXPECT().MakeDir(gomock.Eq(targetPath)).Return(nil)
+				mockMounter.EXPECT().Mount(gomock.Eq(source), gomock.Eq(targetPath), gomock.Eq("efs"), gomock.Eq([]string{"ro"})).Return(nil)
+				_, err := driver.NodePublishVolume(ctx, req)
+				if err != nil {
+					t.Fatalf("NodePublishVolume is failed: %v", err)
+				}
+
+				mockCtrl.Finish()
+			},
+		},
+		{
+			name: "success: normal with tls mount options",
+			testFunc: func(t *testing.T) {
+				mockCtrl := gomock.NewController(t)
+				mockMounter := mocks.NewMockInterface(mockCtrl)
+				driver := &Driver{
+					endpoint: endpoint,
+					nodeID:   nodeID,
+					mounter:  mockMounter,
+				}
+				source := volumeId + ":/"
+
+				ctx := context.Background()
+				req := &csi.NodePublishVolumeRequest{
+					VolumeId:         volumeId,
+					VolumeAttributes: map[string]string{},
+					VolumeCapability: &csi.VolumeCapability{
+						AccessType: &csi.VolumeCapability_Mount{
+							Mount: &csi.VolumeCapability_MountVolume{
+								MountFlags: []string{"tls"},
+							},
+						},
+						AccessMode: &csi.VolumeCapability_AccessMode{
+							Mode: csi.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER,
+						},
+					},
+					TargetPath: targetPath,
+				}
+
+				mockMounter.EXPECT().MakeDir(gomock.Eq(targetPath)).Return(nil)
+				mockMounter.EXPECT().Mount(gomock.Eq(source), gomock.Eq(targetPath), gomock.Eq("efs"), gomock.Eq([]string{"tls"})).Return(nil)
+				_, err := driver.NodePublishVolume(ctx, req)
+				if err != nil {
+					t.Fatalf("NodePublishVolume is failed: %v", err)
+				}
+
+				mockCtrl.Finish()
+			},
+		},
 		{
 			name: "fail: missing target path",
 			testFunc: func(t *testing.T) {