1. KubeAdm vs. EKS - The IAM Roles Madness
2. Agenda
● IAM Roles
○ The old easy way
○ The old hard way
○ The KIAM way
○ The IRSA way
● NFS on K8s Options:
○ A) The Kubeadm Way
○ B) The EKS Way
4. The Old Easy Way

Flow (diagram): Application Pod → iptables (OS level; DNAT: none) → AWS EC2 MD API at 169.254.169.254, path /iam/security-credentials/role:X → AWS STS API.
STS call: assumeRole role:X, the role attached to worker Y ("me"), and return {ID, Key}.
Boxes: AWS Account; K8s Worker: Y; EC2: Y with Role: X attached. ✅
Because nothing on the node intercepts 169.254.169.254, every pod scheduled on worker Y can read the credentials of role X, so X ends up being the union of what all those pods need.

From https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html (the emphasis on MUST is the slide's): "On your Amazon EC2 workloads, you MUST retrieve session credentials using the method described below. These credentials should enable your workload to make AWS API requests, without needing to use sts:AssumeRole to assume the same role that is already associated with the instance."
5. The Old Hard Way

Flow (diagram): Application Pod → iptables (OS level; DNAT: sts.amazon.com => none; DNAT: 169.254.169.254 => <Kiam-Agent-IP>) → Kiam Agent (Proxy). The pod's direct call to sts.amazon.com leaves the node untouched; its call to /iam/security-credentials/role:X is redirected to the Kiam agent and no longer reaches the AWS EC2 MD API. On the slide the metadata route is marked ❌ and the direct STS route ✅.
Still present on the worker: EC2: Y with Role: X attached; STS would do assumeRole role:X attached to Y ("me") and return {ID, Key} to anything that can still reach the MD API directly.
Boxes: AWS Account; K8s Worker: Y.

From https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html: "On your Amazon EC2 workloads, you CAN retrieve session credentials using the method described below. These credentials should enable your workload to make AWS API requests, without needing to use sts:AssumeRole to assume the same role that is already associated with the instance."
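The metadata exchange drawn on slides 4 and 5, as an added example that is not part of the deck: a pod (or any process on worker Y) does an IMDSv2 token PUT, lists /iam/security-credentials/, and fetches the credentials of role X. The FakeIMDS class is a constructed stand-in for the MD API so the code runs offline; it models the instance's HttpTokens / HttpPutResponseHopLimit settings and the number of network hops between caller and IMDS (a pod behind a veth is 2). With the EC2 defaults (IMDSv1 allowed) the pod gets role X; with IMDSv2 required and hop limit 1 it gets nothing, which is the cheapest way to stop the "old easy way" leak. The urllib transport is the real one and only answers on an EC2 instance.

```python
"""Instance-role credential fetch via the EC2 metadata (MD) API, as a pod on worker Y sees it.
Added example (not from the slides). FakeIMDS is constructed for offline runs."""
import json
from typing import Callable, Dict, Optional, Tuple
from urllib import error, request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# Transport signature: (method, url, headers) -> (status, body); status 0 means no answer.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport; only answers on an EC2 instance or a pod that can reach IMDS."""
    req = request.Request(url, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()
    except (error.URLError, OSError):
        return 0, ""


def fetch_instance_role_credentials(transport: Transport, require_v2: bool = True) -> Optional[dict]:
    """IMDSv2 exchange: PUT token, GET role name, GET credentials. Returns {ID, Key, ...} or None."""
    headers: Dict[str, str] = {}
    status, token = transport("PUT", IMDS + "/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if status == 200:
        headers["X-aws-ec2-metadata-token"] = token
    elif require_v2:
        return None          # no token and the caller refuses the IMDSv1 fallback
    status, names = transport("GET", IMDS + CREDS_PATH, headers)
    if status != 200 or not names.strip():
        return None          # IMDSv1 refused (401) or no role attached to the instance
    role = names.strip().splitlines()[0]
    status, body = transport("GET", IMDS + CREDS_PATH + role, headers)
    if status != 200:
        return None
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        return None
    return {"Role": role, "ID": doc["AccessKeyId"], "Key": doc["SecretAccessKey"],
            "Token": doc["Token"], "Expiration": doc["Expiration"]}


class FakeIMDS:
    """Constructed stand-in for the MD API: models HttpTokens (v1_allowed), the PUT response
    hop limit, and how many hops away the caller is (pod behind a veth = 2)."""

    def __init__(self, role: str = "X", hop_limit: int = 1, hops: int = 1, v1_allowed: bool = True):
        self.role, self.hop_limit, self.hops, self.v1_allowed = role, hop_limit, hops, v1_allowed
        self.token = "AQAEAFAKE-TOKEN"
        self.creds = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAFAKEFAKEFAKEFAKE",
                      "SecretAccessKey": "fake/secret", "Token": "fake-session-token",
                      "Expiration": "2030-01-01T00:00:00Z"}

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            # The token reply is sent with IP TTL = hop_limit; past that many hops it never arrives.
            return (200, self.token) if self.hops <= self.hop_limit else (0, "")
        has_token = headers.get("X-aws-ec2-metadata-token") == self.token
        if not has_token and not self.v1_allowed:
            return 401, ""   # HttpTokens=required: plain IMDSv1 GETs are refused
        if path == CREDS_PATH:
            return 200, self.role + "\n"
        if path == CREDS_PATH + self.role:
            return 200, json.dumps(self.creds)
        return 404, ""


if __name__ == "__main__":
    # EC2 defaults (IMDSv1 allowed, hop limit 1): a pod two hops away still gets role X.
    print(fetch_instance_role_credentials(FakeIMDS(hops=2), require_v2=False))
    # Hardened node (IMDSv2 required, hop limit 1): the same pod gets nothing.
    print(fetch_instance_role_credentials(FakeIMDS(hops=2, v1_allowed=False)))
```

Raising the hop limit to 2 (what EKS tooling often does so pods can use IMDSv2) re-opens the path; in that configuration the node role is again reachable from every pod, and Kiam or IRSA is what scopes credentials per pod.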
6. The KIAM Way (Kubeadm)

Flow (diagram): Application Pod → iptables (OS level; DNAT: 169.254.169.254 => <Kiam>) → Kiam Agent (Proxy, on the worker) → Kiam Server (Proxy, on the master) → AWS STS API. Pods no longer reach the AWS EC2 MD API at all.
STS call made by the Kiam server: using role:SuperPower from account:Main, assumeRole role:X on account:Other, return sts: {ID, Key}. The pod only ever asked for (...)/role:X on the metadata address and gets back credentials for Account: Other => Role: X.
Boxes: Root (Parent) Account with Worker (Master) and Role: SuperPower; Other Account with Worker and Role: X.
❗ The DNAT rule that sends the metadata address to the agent: https://github.com/uswitch/kiam/blob/master/cmd/kiam/iptables.go
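The authorization decision the Kiam server takes before it calls STS on slide 6, as an added example (not kiam's code): the pod asks for a role via the iam.amazonaws.com/role annotation, the namespace must permit it through the iam.amazonaws.com/permitted regex, bare role names get the server's base ARN prefixed, and a full ARN in another account (the account:Other case) is allowed only by the namespace policy plus role X's own trust in SuperPower. The unanchored regex search and matching against the annotated value rather than the resolved ARN are assumptions to check against kiam's server code; account ids and role names are placeholders.

```python
"""Kiam-style role resolution: pod annotation + namespace policy, as modelled for this page.
Added example (not kiam's code); matching semantics are assumptions to verify upstream."""
import re
from typing import Dict, Optional, Tuple

ROLE_ANNOTATION = "iam.amazonaws.com/role"            # on the Pod: role name or full ARN
PERMITTED_ANNOTATION = "iam.amazonaws.com/permitted"  # on the Namespace: regex of allowed roles
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def resolve_role_arn(pod_annotations: Dict[str, str], base_arn: str) -> Optional[str]:
    """Bare role names get the server's base ARN prefixed; full ARNs pass through, which is
    how a pod in account Main ends up asking for role X in account Other."""
    role = pod_annotations.get(ROLE_ANNOTATION, "").strip()
    if not role:
        return None
    return role if ARN_RE.match(role) else base_arn + role


def namespace_permits(namespace_annotations: Dict[str, str], requested_role: str) -> bool:
    """Deny by default: a namespace without the permitted annotation gets no roles at all.
    Assumption: unanchored regex search, so anchors (^...$) in the policy matter."""
    pattern = namespace_annotations.get(PERMITTED_ANNOTATION)
    if pattern is None:
        return False
    return re.search(pattern, requested_role) is not None


def authorize(pod_annotations: Dict[str, str], namespace_annotations: Dict[str, str],
              base_arn: str, server_account: str) -> Tuple[bool, str, bool]:
    """Return (allowed, role_arn_or_reason, cross_account). cross_account means STS will only
    succeed if role X in the other account trusts the Kiam server's role (SuperPower)."""
    arn = resolve_role_arn(pod_annotations, base_arn)
    if arn is None:
        return False, "pod has no iam.amazonaws.com/role annotation", False
    requested = pod_annotations[ROLE_ANNOTATION].strip()
    if not namespace_permits(namespace_annotations, requested):
        return False, f"namespace policy does not permit {requested!r}", False
    account = ARN_RE.match(arn).group(1)
    return True, arn, account != server_account


if __name__ == "__main__":
    # Placeholder accounts: Main = 111111111111 (Kiam server), Other = 222222222222.
    base = "arn:aws:iam::111111111111:role/"
    print(authorize({ROLE_ANNOTATION: "X"}, {PERMITTED_ANNOTATION: "^X$"}, base, "111111111111"))
    print(authorize({ROLE_ANNOTATION: "arn:aws:iam::222222222222:role/X"},
                    {PERMITTED_ANNOTATION: ".*"}, base, "111111111111"))
    # Pitfall: an unanchored pattern "app-" also permits "app-admin".
    print(authorize({ROLE_ANNOTATION: "app-admin"}, {PERMITTED_ANNOTATION: "app-"}, base, "111111111111"))
```

Two things to keep in mind when writing the namespace policy: a permitted value of ".*" hands every namespace tenant any role SuperPower can assume, in any account, and an unanchored pattern such as "app-" is a prefix match, not an allow-list.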
7. The IRSA Way (AWS EKS)

Flow (diagram): Application Pod (Use: SA, a Kubernetes service account) → Kubelet on the EKS Worker → KubeAPI on the EKS CP → EKS Cluster OIDC EP: Z → AWS STS API. The AWS EC2 MD API is not in the path.
STS call: using EKS-Cluster-OIDC-Magic, assumeRole role:X who trusts me, return sts: {ID, Key}.
Boxes: Account: 1 with Role: X and its IDP Prov(s); the cluster's OIDC provider is added to the account (Add) and Role: X declares Trust in it. 😎
Same pattern for humans: SSO OIDC Provider → assumeRole role:<Role> → return {ID, Key}, with MFA!
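What "role:X who trusts me" on slide 7 means in IAM terms, as an added example (not from the deck): the trust policy names the cluster's OIDC provider as a federated principal and pins the token's sub (system:serviceaccount:<namespace>:<sa>) and aud (sts.amazonaws.com). The code builds that policy, decodes a constructed, unsigned stand-in for the projected service-account token, evaluates the policy against its claims the way sts:AssumeRoleWithWebIdentity does, and lints for the two loose variants that turn IRSA back into "any pod in the cluster". Account id, OIDC provider id (the "EP: Z"), namespace and service-account names are placeholders. On a real cluster the pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE from the eks.amazonaws.com/role-arn annotation on the service account, and the SDK makes the STS call.

```python
"""IRSA trust policy: build it for one service account, evaluate it against the projected
SA token's claims as sts:AssumeRoleWithWebIdentity does, and lint it for loose conditions.
Added example for this page; account id, OIDC provider id and names are placeholders."""
import base64
import fnmatch
import json
from typing import List

ACCOUNT = "111122223333"                                                         # placeholder "Account: 1"
OIDC_HOST = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # placeholder "EP: Z"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC_HOST}"
HEADER = {"alg": "RS256", "kid": "example"}


def irsa_trust_policy(provider_arn: str, oidc_host: str, namespace: str, sa: str) -> dict:
    """Role X trusts exactly one SA of one cluster: sub pinned, aud pinned to sts.amazonaws.com."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{sa}",
            f"{oidc_host}:aud": "sts.amazonaws.com"}}}]}


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def constructed_token(namespace: str, sa: str) -> str:
    """Constructed stand-in for the projected SA token (unsigned; STS verifies the real one
    against the cluster's OIDC endpoint). Claims mirror what EKS issues."""
    payload = {"iss": "https://" + OIDC_HOST, "sub": f"system:serviceaccount:{namespace}:{sa}",
               "aud": ["sts.amazonaws.com"], "exp": 2000000000}
    return _b64url(HEADER) + "." + _b64url(payload) + ".not-a-real-signature"


def token_claims(jwt: str) -> dict:
    """Decode the payload only (no signature check); we just want the claims the conditions see."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def _condition_ok(op: str, pairs: dict, oidc_host: str, claims: dict) -> bool:
    for key, want in pairs.items():
        if not key.startswith(oidc_host + ":"):
            return False
        haves = claims.get(key[len(oidc_host) + 1:], [])
        haves = haves if isinstance(haves, list) else [haves]
        wants = want if isinstance(want, list) else [want]
        if op == "StringEquals":
            ok = any(h in wants for h in haves)
        elif op == "StringLike":                      # IAM wildcards: * and ?
            ok = any(fnmatch.fnmatchcase(h, w) for h in haves for w in wants)
        else:
            return False
        if not ok:
            return False
    return True


def trust_policy_allows(policy: dict, provider_arn: str, oidc_host: str, claims: dict) -> bool:
    """Model of the STS decision: the token issuer is the federated provider, the action
    matches, and every condition key matches a claim of the token."""
    if claims.get("iss") != "https://" + oidc_host:
        return False
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow" and st.get("Principal", {}).get("Federated") == provider_arn
                and st.get("Action") == "sts:AssumeRoleWithWebIdentity"
                and all(_condition_ok(op, pairs, oidc_host, claims)
                        for op, pairs in st.get("Condition", {}).items())):
            return True
    return False


def lint_trust_policy(policy: dict, oidc_host: str) -> List[str]:
    """Flag the classic IRSA mistakes: no or wildcard sub (any SA in the cluster may assume
    the role) and no aud (tokens minted for other audiences are accepted)."""
    issues = []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        merged = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        sub, aud = merged.get(f"{oidc_host}:sub"), merged.get(f"{oidc_host}:aud")
        if sub is None:
            issues.append("missing sub condition")
        elif "*" in str(sub):
            issues.append(f"wildcard sub {sub!r}")
        if aud is None:
            issues.append("missing aud condition")
    return issues


if __name__ == "__main__":
    policy = irsa_trust_policy(PROVIDER_ARN, OIDC_HOST, "apps", "jenkins")
    print(json.dumps(policy, indent=2))
    print(trust_policy_allows(policy, PROVIDER_ARN, OIDC_HOST, token_claims(constructed_token("apps", "jenkins"))))
    print(trust_policy_allows(policy, PROVIDER_ARN, OIDC_HOST, token_claims(constructed_token("default", "jenkins"))))
```

The StringLike form with a wildcard namespace (system:serviceaccount:*:*) is sometimes used for cluster-wide add-ons; the linter treats it as a finding because it makes role X assumable by any pod whose service account the cluster will issue a token for.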
10. NFS on Kubeadm

1. AWS EFS endpoint without an access policy (roles); it relies only on a security group open to the VPC CIDR (no roles/auth, the same as in the DUS data center).
2. Test mount -t from your Mac (allow VPN first).
3. nfs-common & nfs-utils => baked into the AMI.
4. Helm: NFS Subdir External Provisioner (SIG). I don't like SIGs, but Jenkins can be fully down, or?!
5. +YAML: pv, pvc.
6. +YAML: app pod (client).
7. Deploy.
11. NFS on AWS EKS

The EKS Way, option 1: KIAM + EFS_CSI_Driver on the EKS Cluster. Non-AWS standard; ❗ legacy / risk of incompatibility.
The EKS Way, option 2: EKS OIDC + EFS_CSI_Driver on the EKS Cluster. Full AWS standard: the NFS provisioner in EKS flavor with IRSA support, through the Container Storage Interface (CSI).
EKS works! but ✅ terraform, 💅 eksctl or 👮 AWS CLI: https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html