
Comments (6)

davidegiunchi avatar davidegiunchi commented on August 15, 2024

I'm using EKS on AWS and about one and a half years ago I successfully migrated from kube2iam to IRSA.
If you are using EKS, IRSA is surely a drop-in replacement for kube2iam and I don't think there's a reason to prefer kube2iam.
I think that it works even on manually provisioned K8s clusters on EC2:
https://dev.to/olemarkus/zero-configuration-irsa-on-kops-1po1
https://kops.sigs.k8s.io/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa


mindgrep avatar mindgrep commented on August 15, 2024

Firstly, thank you very much for the work on kube2iam; we have been using it in EKS for a while now in production. We started looking at IAM roles for service accounts recently because of the lack of support for IMDSv2 (now fixed, thanks to you and to the author of that PR), and also because until recently this project appeared to have stopped being actively supported (understandably so).

But IAM roles for service accounts as provided by AWS have been anything but smooth for us to adopt.
They basically provide two ways to use them for cross-account IAM role access (which is our main use case), as documented here:

  1. Creating an identity provider from another account's cluster or
  2. Using chained AssumeRole operations

The first option is basically discouraged (blocked) by our corporate account governance due to security concerns, so we are left with option 2. With option 2, it seems like AWS has provided a half-baked solution: they provide an admission controller that injects the env vars needed to make role assumption work for a container running in EKS. However, this does not suffice for cross-account role assumption, which uses IAM role chaining.

For role chaining to work, the running container has to know both the local role and the "chained" remote account role ARNs. So for us as a platform team, we would need to have every single tenant update their deployments to inject these values, or we would need to create some tooling (like a controller) to inject them automatically.

So this makes staying with kube2iam a much preferred option :) as long as it supports our current infrastructure.
Since IMDSv2 is now supported, we can consider staying with kube2iam. However, we are migrating to IPv6 networking for pods, and currently kube2iam does not support IPv6 "out of the box" (it uses iptables, which is IPv4-only).

We would not mind submitting a PR adding IPv6 support to the project, if that is something you would consider.
The underlying Go iptables library supports IPv4 as well as IPv6.

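One shape the "tooling (like a controller)" mentioned in the comment above could take, as an added example that is not part of the original thread or of kube2iam: a mutating-webhook patch function that copies a remote-account role ARN from a pod annotation into every container that IRSA has already given an AWS_ROLE_ARN, so the workload knows both hops of the chain. AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the variables the EKS pod identity webhook injects; the annotation key, the REMOTE_ROLE_ARN variable name, the account numbers and the sample pod are constructed for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Minimal view of a Pod, only the fields the patch logic reads (constructed for this example).
type EnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type Pod struct {
	Metadata struct{ Annotations map[string]string } `json:"metadata"`
	Spec     struct{ Containers []struct{ Env []EnvVar } } `json:"spec"`
}
// Hypothetical annotation a tenant sets to name the remote-account role to chain into.
const RemoteRoleAnnotation = "example.com/remote-role-arn"
// Constructed sample pod: "app" carries the IRSA-injected env vars, "sidecar" has no AWS identity.
const SamplePod = `{"metadata":{"annotations":{"example.com/remote-role-arn":"arn:aws:iam::222222222222:role/remote-reader"}},
"spec":{"containers":[{"name":"app","env":[{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111111111111:role/local-role"},
{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]},{"name":"sidecar"}]}}`
// BuildChainPatch returns RFC 6902 JSON Patch ops (what a mutating webhook responds with) that append
// REMOTE_ROLE_ARN (hypothetical name) to every container already holding the IRSA-injected AWS_ROLE_ARN.
func BuildChainPatch(raw []byte) ([]map[string]interface{}, error) {
	var pod Pod
	if err := json.Unmarshal(raw, &pod); err != nil {
		return nil, err
	}
	remote := pod.Metadata.Annotations[RemoteRoleAnnotation]
	if remote == "" {
		return nil, nil // tenant did not ask for chaining: leave the pod untouched
	}
	// Reject anything that is not an IAM role ARN instead of injecting it into tenant pods blindly.
	if !strings.HasPrefix(remote, "arn:aws:iam::") || !strings.Contains(remote, ":role/") {
		return nil, fmt.Errorf("%s is not an IAM role ARN: %q", RemoteRoleAnnotation, remote)
	}
	var ops []map[string]interface{}
	for i, c := range pod.Spec.Containers {
		seen := map[string]bool{}
		for _, e := range c.Env {
			seen[e.Name] = true
		}
		if !seen["AWS_ROLE_ARN"] || seen["REMOTE_ROLE_ARN"] {
			continue // nothing to chain from, or the tenant already set it explicitly
		}
		ops = append(ops, map[string]interface{}{"op": "add", "path": fmt.Sprintf("/spec/containers/%d/env/-", i),
			"value": EnvVar{Name: "REMOTE_ROLE_ARN", Value: remote}})
	}
	return ops, nil
}
```

Because the check keys on AWS_ROLE_ARN, this webhook has to run after the IRSA webhook has injected it; the application still performs the second AssumeRole itself using the two ARNs.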

mischmi2 avatar mischmi2 commented on August 15, 2024

We still use kube2iam because IAM roles for service accounts require exposing unauthenticated public JSON OAuth provider data in an S3 bucket or on a server, and our organization's policies prohibit such things, meaning the entire integration AWS has set out isn't accessible to us. Very similar to @mindgrep's comment about corporate governance.

