K
Q

Running kiam server securely

2/11/2019

Can anyone explain an example of using kiam on kubernetes to manage service-level access control to aws resources?

According to the docs:

The server is the only process that needs to call sts:AssumeRole and can be placed on an isolated set of EC2 instances that don't run other user workloads.

I would like to know to run the server part of it away from nodes that host your services.

-- ruud
amazon-iam
aws-eks
kiam
kubernetes

Similar Questions

What is most efficient way to keep "idempotentcy" when applying manifest files to deployments that have horizontal autoscalers applied to them?
Why doesn't cluster autoscaler work on AWS EKS?
Helm error: dial tcp *:10250: i/o timeout
Kubectl get events says there are no resources
How to refresh HangFire worker if they got stuck?
I want to automate k8s dummy node creation using ansible, how to do this dynamically?
How to get client ip in Kubernetes hosted application?

1 Answer

9/20/2019

Answer: KIAM architecture is well explained here: https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam

Basically you want to use Master Nodes in your cluster with IAM::STS permissions on them to install the Server portion of kiam and then let your worker nodes connect to master nodes to retrieve credentials.

DISCLAIMER: I did some digging on k2iam and kiam without going all the way through to taking them to a test bench and wasn't happy with what I found out. It turns out we don't need them anymore starting with K8s 1.13 in EKS, that is as of september 4th as native support from AWS has been added for PODS to access IAM STS.

https://docs.aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html

-- einarc
Source: StackOverflow