Switch to use Kubernetes Service Account based permissions (EKS IRSA / IMDSv2)
For cases where we need to assign IAM roles/permissions to Kubernetes service accounts, we have 3 options:
1. Node wide permissions (the node's instance role, reachable by every pod on the node through the instance metadata service), all workloads have access to them
2. IAM user with static credentials passed as a secret/configmap/env to the application
3. Cloud provider native IAM integration using OIDC/OAuth (e.g. IRSA for AWS)
We currently use a mix of 1. and 2.
The native IAM integration provides the best security and flexibility: permissions are assigned directly to the Kubernetes service account used by the pod, so they are neither exposed to other workloads nor tied to long-lived IAM user credentials. The role's trust policy must pin the OIDC `sub` claim to one `namespace:serviceaccount` pair (a wildcard lets any pod in the cluster assume the role). IRSA on its own does not stop pods from reaching the node role via the instance metadata service; that still requires IMDSv2 with the response hop limit set to 1 (pods with `hostNetwork: true` keep access) or blocking 169.254.169.254 from pod networks.
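The two halves of the IRSA binding described above, as an added example (not code from this issue or from any project it mentions): the IAM trust policy that allows exactly one Kubernetes service account to assume a role, the ServiceAccount annotation the EKS pod identity webhook consumes, and a linter that flags the scoping mistakes that make a role assumable by more than one workload. The account ID, OIDC issuer URL, namespace and service account name are constructed samples, and `lint_trust_policy` is a local helper, not an AWS or Kubernetes API.

```python
"""Added example: build and lint the IRSA trust policy that binds an IAM role
to one Kubernetes service account. All identifiers below are constructed."""
import copy
import json


def oidc_issuer_host(issuer_url: str) -> str:
    """Strip the scheme: the provider ARN and the condition keys use the bare host/path."""
    return issuer_url.removeprefix("https://").rstrip("/")


def irsa_trust_policy(account_id: str, issuer_url: str, namespace: str, service_account: str) -> dict:
    """Allow only tokens issued by this cluster's OIDC provider, for <namespace>/<service_account>,
    with the STS audience, to assume the role via AssumeRoleWithWebIdentity."""
    host = oidc_issuer_host(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace: str, name: str, role_arn: str) -> dict:
    """Kubernetes side: the annotation the EKS pod identity webhook reads to inject
    AWS_ROLE_ARN and the projected service-account token into the pod."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}


def lint_trust_policy(policy: dict) -> list[str]:
    """Findings for Allow statements that would let more than one service account,
    or a caller that is not a web-identity token, assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"stmt {i}: action should be exactly sts:AssumeRoleWithWebIdentity, got {actions}")
        if "Federated" not in stmt.get("Principal", {}):
            findings.append(f"stmt {i}: principal is not a Federated OIDC provider")
        subs, auds = [], []
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                vals = val if isinstance(val, list) else [val]
                if key.endswith(":sub"):
                    subs.extend((op, v) for v in vals)
                elif key.endswith(":aud"):
                    auds.extend(vals)
        if not subs:
            findings.append(f"stmt {i}: no :sub condition, any service account in the cluster can assume the role")
        for op, sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"stmt {i}: wildcard subject {sub!r} ({op}) matches more than one service account")
            elif not sub.startswith("system:serviceaccount:"):
                findings.append(f"stmt {i}: subject {sub!r} is not a Kubernetes service account")
        if not auds:
            findings.append(f"stmt {i}: no :aud condition, tokens minted for other audiences are accepted")
        elif any(a != "sts.amazonaws.com" for a in auds):
            findings.append(f"stmt {i}: aud should be sts.amazonaws.com, got {auds}")
    return findings


# Constructed sample identifiers (not a real account or cluster).
ACCOUNT_ID = "123456789012"
ISSUER_URL = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
GOOD_POLICY = irsa_trust_policy(ACCOUNT_ID, ISSUER_URL, "kube-system", "external-dns")

# Deliberately weak variant: StringLike with a wildcard subject and no audience check,
# i.e. every service account in every namespace can assume the role.
WEAK_POLICY = copy.deepcopy(GOOD_POLICY)
WEAK_POLICY["Statement"][0]["Condition"] = {
    "StringLike": {f"{oidc_issuer_host(ISSUER_URL)}:sub": "system:serviceaccount:*:*"}}

if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    print(json.dumps(service_account_manifest(
        "kube-system", "external-dns", f"arn:aws:iam::{ACCOUNT_ID}:role/external-dns"), indent=2))
    for finding in lint_trust_policy(WEAK_POLICY):
        print("WEAK:", finding)
```

The linter is intentionally strict about `StringLike` wildcards: a pattern such as `system:serviceaccount:*:external-dns` still lets any namespace that can create a service account of that name assume the role, which is exactly the cross-workload exposure the native integration is meant to remove.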
Examples where it could be used:
- Object storage permissions
- Cluster autoscaler nodepool resize
- External-dns zone view/edit
- Cert-manager DNS zone view/edit
Edited by Grant Young