Integrating Istio with AWS IAM

10/10/2018

I'm currently exploring running an Istio / Kubernetes cluster on AWS using EKS. I would like to be able to assign a different IAM role to each service running in the cluster to limit the AWS privileges of each service.

In non-Istio Kubernetes clusters this facility is provided by projects such as kube2iam but this doesn't seem ideal in the Istio world as kube2iam relies on iptables rules and Istio is already using iptables rules to divert all outbound traffic to the Envoy sidecar.

The Istio security documentation says that the identity model caters for different underlying implementations, and on AWS that implementation is IAM:

In the Istio identity model, Istio uses the first-class service identity to determine the identity of a service. This gives great flexibility and granularity to represent a human user, an individual service, or a group of services. On platforms that do not have such identity available, Istio can use other identities that can group service instances, such as service names.

Istio service identities on different platforms:

Kubernetes: Kubernetes service account
GKE/GCE: may use GCP service account
GCP: GCP service account
AWS: AWS IAM user/role account

But I haven't come across any additional documentation about how to assign IAM roles to Istio ServiceRoles.

Has anyone found a solution to this?

-- AEldridge
amazon-iam
amazon-web-services
istio
kubernetes

2 Answers

10/8/2019

Istio configuration allows you to exclude some IP ranges from the proxy: https://istio.io/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services

So if you add global.proxy.excludeIPRanges: "169.254.169.254/32" to the Istio configuration, all requests to the AWS metadata IP will not be handled by Istio but sent directly to this IP.

It will allow the kube2iam iptables rule to be applied.

cf. https://github.com/istio/istio/issues/9297#issuecomment-516353921

-- gdupin
Source: StackOverflow

12/19/2018

I'm also struggling with this and have found little help. I did have success with this person's suggestion: https://groups.google.com/forum/m/#!topic/istio-users/3-fp2JPb2dQ

I was having no luck getting kube2iam working until I added that ServiceEntry (see below or follow the link).

Basically you add this:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: apipa
spec:
  hosts:
  - 169.254.169.254      # EC2 instance metadata endpoint (link-local APIPA address)
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL  # tell the sidecar this host lives outside the mesh

From looking at the istio-proxy sidecar before applying the ServiceEntry, you could see lots of 404 errors in the log with paths all looking like AWS API calls. After the ServiceEntry those turned into 200s.

UPDATE: Later I found out that this is an expected requirement when using Istio for any external-mesh communication. See https://istio.io/docs/concepts/traffic-management/#service-entries

-- A. Stappenbeck
Source: StackOverflow
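A diagnostic that ties the two answers above together, added here and not part of either post: it reads istio-proxy access-log lines and reports whether metadata-endpoint traffic never reached the sidecar (the excludeIPRanges approach), reached it but got a 404 with Envoy's NR "no route" flag (the symptom described before the ServiceEntry), or was routed and answered. The sample lines are constructed and modelled on Envoy's bracketed-timestamp access-log shape; only the leading timestamp, request, status and flags fields and the quoted authority are relied on, since the trailing field layout varies by Istio version.

```python
import re
from collections import Counter

IMDS_HOST = "169.254.169.254"  # EC2 instance metadata endpoint that kube2iam intercepts

# Leading fields of an Envoy/istio-proxy access-log line (assumed shape, see lead-in):
# [time] "METHOD PATH PROTO" STATUS RESPONSE_FLAGS ... "authority" ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<flags>\S+)'
)
IMDS_RE = re.compile(r'"' + re.escape(IMDS_HOST) + r'(?::\d+)?"')

def parse_imds_request(line):
    """Return (path, status, flags) if the line is a request to the metadata IP, else None."""
    m = LINE_RE.match(line)
    if not m or not IMDS_RE.search(line):
        return None
    return m.group("path"), int(m.group("status")), m.group("flags")

def imds_verdict(log_lines):
    """Classify how the sidecar handled metadata-endpoint traffic in these log lines."""
    statuses = Counter()
    no_route = 0
    for line in log_lines:
        parsed = parse_imds_request(line)
        if parsed is None:
            continue
        _, status, flags = parsed
        statuses[status] += 1
        # 404 carrying the NR flag means Envoy had no cluster/route for the IP at all
        if status == 404 and "NR" in flags.split(","):
            no_route += 1
    if not statuses:
        return "bypassed"   # traffic never hit the sidecar (excludeIPRanges) or no IMDS calls made
    if no_route:
        return "unrouted"   # the pre-ServiceEntry symptom: add the MESH_EXTERNAL ServiceEntry
    if all(200 <= s < 300 for s in statuses):
        return "routed"     # ServiceEntry in place; kube2iam answers through the sidecar
    return "errors"         # routed but failing upstream: look at kube2iam, not Istio

# Constructed sample lines (not real cluster output), trailing fields shortened.
BEFORE = [
    '[2018-12-19T10:01:02.123Z] "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 404 NR "-" 0 0 1 - "-" "aws-sdk-go/1.15" "-" "169.254.169.254" "-"',
    '[2018-12-19T10:01:02.456Z] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 404 NR "-" 0 0 0 - "-" "aws-sdk-go/1.15" "-" "169.254.169.254" "-"',
    '[2018-12-19T10:01:03.000Z] "GET /api/orders HTTP/1.1" 200 - "-" 0 512 4 3 "-" "curl/7.61.0" "-" "orders.default.svc.cluster.local" "10.0.3.7:8080"',
]
AFTER = [
    '[2018-12-19T10:05:02.123Z] "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 - "-" 0 24 2 1 "-" "aws-sdk-go/1.15" "-" "169.254.169.254" "169.254.169.254:80"',
    '[2018-12-19T10:05:02.456Z] "GET /latest/meta-data/iam/security-credentials/my-service-role HTTP/1.1" 200 - "-" 0 1180 3 2 "-" "aws-sdk-go/1.15" "-" "169.254.169.254" "169.254.169.254:80"',
]
```

Run it against `kubectl logs <pod> -c istio-proxy` output: "bypassed" after setting excludeIPRanges and "routed" after applying the ServiceEntry are both healthy states; "unrouted" is the one to fix.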