Provide IAM credentials to containers running inside a Kubernetes cluster based on annotations. Traditionally in AWS, service level isolation is done using IAM roles. IAM roles are attributed through instance profiles and are accessible by services through the transparent usage by the aws-sdk of the ec2 metadata API. When using the aws-sdk, a call is made to the EC2 metadata API which provides temporary credentials that are then used to make calls to the AWS service. The problem is that in a multi-tenanted containers based world, multiple containers will be sharing the underlying nodes. Given containers will share the same underlying nodes, providing access to AWS resources via IAM roles would mean that one needs to create an IAM role which is a union of all IAM roles. This is not acceptable from a security perspective.
Features
- It is necessary to create an IAM role which can assume other roles and assign it to each kubernetes worker and list regions
- Documentation available
- The solution is to redirect the traffic that is going to the ec2 metadata API for docker containers to a container running on each instance
- The roles that will be assumed must have a Trust Relationship which allows them to be assumed by the kubernetes worker role
- Run the kube2iam container as a daemonset
- Kubernetes annotation