Allow kubernetes application to access other AWS resources?

主宰稳场 提交于 2019-12-11 17:14:06

问题


I want to deploy an application in AWS EKS using kubernetes. My application needs to access the SQS and AWS S3. I am not sure how to allow the kubernetes application to access the SQS and S3. I looked into RBAC but I guess RBAC only provides access to manage the cluster, namespace or pods.

I am trying to pass the access key and secret key as the secrets to the environment variable and allow the permission. But I think this is not a good idea.

Is there any other way like creating the IAM role and passing the role to the pods running the application? If I try to provide the permission in the worker node role then all the pods sharing the node will get that permission. I need something like the specific pod or container will get the permission

I also tried to create the RBAC in which a role is assigned to the group and the group is bind to the namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: default
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxx:role/EksWorkers-NodeInstanceRole-xxxxx
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxxxxxxxx:role/iam-role-for-application
      groups:
        - app-group

and

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admins
  namespace: default
subjects:
- kind: Group
  name: app-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

回答1:


aws-auth configMap is used to map users/roles to the cluster.

Update: Here is how you can do it natively

https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ https://docs.aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html

For giving an IAM role to pods you can use one of the below tools

https://github.com/jtblin/kube2iam

https://github.com/uswitch/kiam

Amazon team is working on to bring this natively

https://github.com/aws/containers-roadmap/projects/1?card_filter_query=iam https://github.com/aws/containers-roadmap/issues/23



来源:https://stackoverflow.com/questions/57668633/allow-kubernetes-application-to-access-other-aws-resources

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!