Securing the CSI
The CSI is a standard interface, implemented by vendor-specific drivers, for connecting container orchestration systems such as Kubernetes to block and file storage from various cloud providers.
For more information, please refer to the following resource:
Kubernetes Container Storage Interface (CSI) Documentation:
https://kubernetes-csi.github.io/docs/introduction.html
Securing CSI on AWS
Amazon Elastic Kubernetes Service (EKS) has CSI drivers for the following storage types:
- Block storage: EBS
- Managed NFS: EFS
- Parallel filesystem (for HPC workloads): Amazon FSx for Lustre
Here is a list of best practices to follow:
- When creating an IAM policy for a CSI driver, specify the storage resource names (ARNs) instead of using a wildcard.
- Use IAM roles for service accounts (IRSA) to restrict the AWS permissions granted to your pods.
- Always use the latest CSI version for your chosen storage type.
- When using the CSI driver for EBS and its snapshots, always set (in the YAML configuration file...
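The first two best practices (no wildcard resources, IRSA scoped to one service account) can be checked mechanically before a policy is attached. The following is an added example, not code from the original page or from any AWS or Kubernetes project: a small linter that flags Allow statements granting mutating actions on `Resource: "*"`, and checks that an IRSA trust policy pins the OIDC `sub` claim to exactly one Kubernetes service account. The policy documents, account id, region, OIDC provider id and service account name are constructed placeholders; the list of read-only action prefixes that legitimately need `"*"` (EC2 `Describe*` calls do not support resource-level permissions) is the example's own assumption and should be adjusted to the driver you deploy.

```python
"""Lint IAM documents for a CSI driver (e.g. the EBS CSI driver on EKS).

Added example; not from the original page or from AWS/Kubernetes.
All policies below are constructed samples with placeholder identifiers.
"""
import json

# Read-only actions that cannot be scoped to a resource ARN, so "*" is
# unavoidable there (assumption: extend per driver). Everything else
# should be pinned to explicit resource ARNs.
READ_ONLY_PREFIXES = ("ec2:Describe", "elasticfilesystem:Describe", "fsx:Describe")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (sid, action) pairs where an Allow statement grants a
    non-read-only action on Resource "*"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith(READ_ONLY_PREFIXES):
                findings.append((sid, action))
    return findings


def irsa_trust_is_scoped(trust_policy, expected_sub):
    """True only if at least one AssumeRoleWithWebIdentity statement exists
    and every such statement binds the OIDC 'sub' claim (StringEquals)
    to exactly expected_sub, i.e. system:serviceaccount:<ns>:<name>."""
    seen = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        subs = [v for k, v in equals.items() if k.endswith(":sub")]
        if not subs or any(_as_list(v) != [expected_sub] for v in subs):
            return False
    return seen


# Constructed sample: one statement granting everything on "*".
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "EbsVolumes", "Effect": "Allow",
    "Action": ["ec2:CreateVolume", "ec2:AttachVolume", "ec2:DescribeVolumes"],
    "Resource": "*"}]}""")

# Constructed sample: read-only calls on "*", mutations pinned to ARNs
# (account id 111122223333 and region are placeholders).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Describe", "Effect": "Allow",
     "Action": ["ec2:DescribeVolumes", "ec2:DescribeInstances"], "Resource": "*"},
    {"Sid": "Attach", "Effect": "Allow",
     "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
     "Resource": ["arn:aws:ec2:us-east-1:111122223333:volume/*",
                  "arn:aws:ec2:us-east-1:111122223333:instance/*"]}]}""")

OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"  # placeholder
CSI_SA = "system:serviceaccount:kube-system:ebs-csi-controller-sa"

# Constructed IRSA trust policy pinned to the driver's service account.
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC}:sub": CSI_SA}}}]}

# Same trust policy with the Condition dropped: any pod in the cluster
# with a projected token could assume the role.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "wildcard findings:", wildcard_findings(pol))
    print("scoped trust ok:", irsa_trust_is_scoped(SCOPED_TRUST, CSI_SA))
    print("open trust ok:", irsa_trust_is_scoped(OPEN_TRUST, CSI_SA))
```

Run it as a pre-apply gate in the pipeline that creates the driver's role: a non-empty `wildcard_findings` result or a `False` from `irsa_trust_is_scoped` should fail the step. Note the linter intentionally accepts `volume/*`-style ARNs, since the point of the best practice is to avoid the bare `"*"` resource; tightening to specific volume or tag conditions is a further step beyond what it checks.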