问题
I want to deploy an application in AWS EKS using kubernetes. My application needs to access the SQS and AWS S3. I am not sure how to allow the kubernetes application to access the SQS and S3. I looked into RBAC but I guess RBAC only provides access to manage the cluster, namespace or pods.
I am trying to pass the access key and secret key as the secrets to the environment variable and allow the permission. But I think this is not a good idea.
Is there any other way like creating the IAM role and passing the role to the pods running the application? If I try to provide the permission in the worker node role then all the pods sharing the node will get that permission. I need something like the specific pod or container will get the permission
I also tried to create the RBAC in which a role is assigned to the group and the group is bind to the namespace.
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: default
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxx:role/EksWorkers-NodeInstanceRole-xxxxx
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::xxxxxxxxx:role/iam-role-for-application
groups:
- app-group
and
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admins
namespace: default
subjects:
- kind: Group
name: app-group
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
回答1:
aws-auth
configMap is used to map users/roles to the cluster.
Update: Here is how you can do it natively
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ https://docs.aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html
For giving an IAM role to pods you can use one of the below tools
https://github.com/jtblin/kube2iam
https://github.com/uswitch/kiam
Amazon team is working on to bring this natively
https://github.com/aws/containers-roadmap/projects/1?card_filter_query=iam https://github.com/aws/containers-roadmap/issues/23
来源:https://stackoverflow.com/questions/57668633/allow-kubernetes-application-to-access-other-aws-resources