



This article is part of a series of articles that helps professionals who are familiar with Amazon Elastic Kubernetes Service (Amazon EKS) to understand Azure Kubernetes Service (AKS).

Amazon EKS identity and access management

Amazon EKS has two native options to call AWS services from within a Kubernetes pod: IAM roles for service accounts, and Amazon EKS service-linked roles.

IAM roles for service accounts associate IAM roles with a Kubernetes service account. This service account provides AWS permissions to the containers in any pod that uses the service account. IAM roles for service accounts provide the following benefits:

- Least privilege: You don't need to grant broad permissions to the node IAM role so that pods on that node can call AWS APIs. You can scope IAM permissions to a service account, and only pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as kiam or kube2iam.
- Credential isolation: A container can only retrieve credentials for the IAM role associated with the service account that it belongs to. A container never has access to credentials for a container that belongs to another pod.
- Auditability: Amazon CloudTrail provides access and event logging to help ensure retrospective auditing.

Amazon EKS service-linked roles are unique IAM roles that are linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions required to call other AWS services on behalf of the role. For the Amazon EKS node IAM role, the Amazon EKS node kubelet daemon calls AWS APIs on behalf of the node.
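The binding that IAM roles for service accounts rely on has two halves: a Kubernetes ServiceAccount annotated with the role ARN, and an IAM trust policy whose condition names exactly that service account in the token's `sub` claim. The credential isolation described above only holds if that condition is tight, so the following added example (written for this page, not code from the article, AWS, or Microsoft) builds both halves and also lints a trust policy for the wildcard `sub` patterns that quietly let every pod in a namespace, or in the cluster, assume the role. The account ID, OIDC issuer URL, namespace, service account and role name are hypothetical; the `eks.amazonaws.com/role-arn` annotation, the `sts:AssumeRoleWithWebIdentity` action and the `<issuer>:sub` / `<issuer>:aud` condition keys are the ones IRSA actually uses. The condition evaluator is a deliberately simplified model of IAM (StringEquals and StringLike only), not the IAM policy engine.

```python
# Added example: build and lint the IRSA binding between an IAM role and one
# Kubernetes service account. All identifiers below are hypothetical placeholders.
import fnmatch
import json
import re

OIDC_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # hypothetical
ACCOUNT_ID = "123456789012"  # hypothetical


def issuer_host(oidc_issuer):
    """IAM names the OIDC provider and its condition keys by the issuer URL without the scheme."""
    return re.sub(r"^https://", "", oidc_issuer)


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy that lets exactly one service account (namespace:name) assume the role."""
    host = issuer_host(oidc_issuer)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": "sts.amazonaws.com",
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def service_account_manifest(namespace, service_account, role_arn):
    """ServiceAccount carrying the annotation the EKS pod identity webhook reads to inject
    AWS_ROLE_ARN and the projected web identity token into pods that use it."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": service_account,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def would_allow(policy, oidc_issuer, sub, aud="sts.amazonaws.com"):
    """Simplified IAM condition evaluation against a projected token's sub/aud claims:
    every operator and key must match (AND), any listed value may match (OR).
    Only StringEquals and StringLike are modelled; any other operator is treated as deny."""
    host = issuer_host(oidc_issuer)
    claims = {f"{host}:sub": sub, f"{host}:aud": aud}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        matched = True
        for op, keys in stmt.get("Condition", {}).items():
            for key, want in keys.items():
                wants = want if isinstance(want, list) else [want]
                if key not in claims:
                    matched = False  # a condition on a claim the token lacks cannot match
                elif op == "StringEquals":
                    matched &= claims[key] in wants
                elif op == "StringLike":
                    matched &= any(fnmatch.fnmatchcase(claims[key], w) for w in wants)
                else:
                    matched = False
        if matched:
            return True
    return False


def lint_trust_policy(policy, oidc_issuer):
    """Findings for statements that let more than one service account assume the role."""
    sub_key = f"{issuer_host(oidc_issuer)}:sub"
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        subs = []
        for op in ("StringEquals", "StringLike"):
            v = cond.get(op, {}).get(sub_key)
            if v is not None:
                subs += v if isinstance(v, list) else [v]
        if not subs:
            findings.append(f"statement {i}: no {sub_key} condition, so any pod in the cluster can assume the role")
        for s in subs:
            m = re.fullmatch(r"system:serviceaccount:([^:]*):(.*)", s)
            if not m:
                findings.append(f"statement {i}: sub {s!r} does not name a single service account")
            elif any(c in m.group(1) for c in "*?"):
                findings.append(f"statement {i}: sub {s!r} matches service accounts in any namespace")
            elif any(c in m.group(2) for c in "*?"):
                findings.append(f"statement {i}: sub {s!r} matches every service account in namespace {m.group(1)}")
    return findings


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/ledger-irsa"  # hypothetical role
    print(json.dumps(irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "payments", "ledger"), indent=2))
    print(json.dumps(service_account_manifest("payments", "ledger", role_arn), indent=2))
```

The trust-policy document is what you would pass to `aws iam update-assume-role-policy --role-name ... --policy-document file://...`, and the manifest is what you would `kubectl apply`. Running `lint_trust_policy` over the trust policies of existing IRSA roles is a quick way to find the `system:serviceaccount:*:*` shortcuts that turn a per-service-account role back into a cluster-wide one.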
