Identity and Access Management (IAM) is an AWS service that performs two essential functions: Authentication and Authorization. Authentication involves the verification of an identity, whereas authorization governs the actions that can be performed by AWS resources. Within AWS, a resource can be another AWS service, e.g. EC2, or an AWS principal such as an IAM User or Role. The rules governing the actions that a resource is allowed to perform are expressed as IAM policies.

The Kubernetes project supports a variety of different strategies to authenticate requests to the kube-apiserver service, e.g. Bearer Tokens, X.509 certificates, OIDC, etc. EKS currently has native support for webhook token authentication, service account tokens, and, as of February 21, 2021, OIDC authentication.

The webhook authentication strategy calls a webhook that verifies bearer tokens. On EKS, these bearer tokens are generated by the AWS CLI or the aws-iam-authenticator client when you run kubectl commands. As you execute commands, the token is passed to the kube-apiserver, which forwards it to the authentication webhook. If the request is well-formed, the webhook calls a pre-signed URL embedded in the token's body. This URL validates the request's signature and returns information about the user, e.g. the user's account, Arn, and UserId, to the kube-apiserver.

To manually generate an authentication token, type the following command in a terminal window:

The token consists of a pre-signed URL that includes an Amazon credential and signature. The token has a time to live (TTL) of 15 minutes, after which a new token will need to be generated. This is handled automatically when you use a client like kubectl; however, if you're using the Kubernetes dashboard, you will need to generate a new token and re-authenticate each time the token expires.

Once the user's identity has been authenticated by the AWS IAM service, the kube-apiserver reads the aws-auth ConfigMap in the kube-system Namespace to determine the RBAC group to associate with the user. The aws-auth ConfigMap is used to create a static mapping between IAM principals, i.e. IAM Users and Roles, and Kubernetes RBAC groups. RBAC groups can be referenced in Kubernetes RoleBindings or ClusterRoleBindings. They are similar to IAM Roles in that they define a set of actions (verbs) that can be performed against a collection of Kubernetes resources (objects).

## Recommendations

### Don't use a service account token for authentication

A service account token is a long-lived, static credential. If it is compromised, lost, or stolen, an attacker may be able to perform all the actions associated with that token until the service account is deleted.

At times, you may need to grant an exception for applications that have to consume the Kubernetes API from outside the cluster, e.g. If such applications run on AWS infrastructure, like EC2 instances, consider using an instance profile and mapping that to a Kubernetes RBAC role in the aws-auth ConfigMap instead.

### Employ least privileged access to AWS Resources

An IAM User does not need to be assigned privileges to AWS resources to access the Kubernetes API. If you need to grant an IAM user access to an EKS cluster, create an entry in the aws-auth ConfigMap for that user that maps to a specific Kubernetes RBAC group.

### Use IAM Roles when multiple users need identical access to the cluster
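The aws-auth mapping and the three recommendations above, as one added example that is not taken from the guide: an aws-auth ConfigMap that maps an EC2 instance profile role, a shared IAM role, and a single IAM user to Kubernetes RBAC groups, followed by the ClusterRoleBinding that grants one of those groups read-only access. The account ID, role and user names, and group names are placeholders; `{{EC2PrivateDNSName}}`, `{{SessionName}}` and the `view` ClusterRole are real aws-iam-authenticator and Kubernetes built-ins.

```yaml
# Added example (not from the original guide): aws-auth entries that map IAM
# principals to RBAC groups. Account ID 111122223333 and every role, user and
# group name below are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Node instance role: required so worker nodes can join the cluster.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Instance profile role of a CI/CD runner on EC2, mapped to a group
    # instead of being handed a long-lived service account token.
    - rolearn: arn:aws:iam::111122223333:role/ci-runner-instance-role
      username: ci-runner
      groups:
        - deployers
    # One role shared by every engineer who needs identical read access;
    # the session name keeps individual actions attributable in audit logs.
    - rolearn: arn:aws:iam::111122223333:role/eks-cluster-viewer
      username: viewer:{{SessionName}}
      groups:
        - cluster-viewers
  mapUsers: |
    # An individual IAM user; no AWS-side permissions are needed for this.
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups:
        - cluster-viewers
---
# Bind the RBAC group to the built-in read-only ClusterRole. The group name
# exists only in aws-auth and this binding; it is not an IAM group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-viewers-binding
subjects:
  - kind: Group
    name: cluster-viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The `deployers` group needs its own RoleBinding scoped to the namespaces the runner deploys into; a principal mapped to a group with no binding can authenticate but cannot perform any action.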