In Kubernetes, Role-Based Access Control (RBAC) is the main mechanism for controlling who can do what inside the cluster. If the cluster runs on Amazon Elastic Kubernetes Service (EKS), AWS Identity and Access Management (IAM) additionally governs access to AWS resources: the IAM role attached to the EC2 instances (the Kubernetes nodes) defines the permissions available on each node. The problem is that every pod scheduled on a node shares that node role, so any pod can use every permission the node has, whether it needs them or not, which violates the principle of least privilege. So how do we fix this?
Community tools such as kiam and kube2iam were built to solve this; this post instead explains what IAM Roles for Service Accounts (IRSA) is and how to enable it on your EKS cluster.
What is IRSA?
IAM Roles for Service Accounts (IRSA) is an AWS feature that lets you assign IAM roles at the pod level. It combines an OpenID Connect (OIDC) identity provider, which makes IAM trust tokens issued by the cluster, with an annotation on the Kubernetes service account that names the IAM role to assume. A pod using that service account receives a projected service account token, and the AWS SDKs and CLI exchange it for temporary role credentials through sts:AssumeRoleWithWebIdentity, so the pod's permissions no longer depend on the node role.
Before starting the setup, check your EKS cluster version: IRSA is available on Amazon EKS 1.14 or later, so an older cluster must be upgraded to 1.14 or later first.
Example Scenario: Let's assume our pods need to list IAM groups, and we start from the following pod configuration:
- name: eks-irsa-test
Save this configuration as pods-irsa.yaml and apply:
The pod runs a container from the image amazon/aws-cli:latest with the command "sleep 3600", which keeps the container alive for 3600 seconds so that we can open a shell in it and run AWS CLI commands.
Before moving on to enabling IRSA, let's first check whether the pod can already list IAM groups with the credentials it currently has, i.e. the node role.
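The pre-check above, as an added shell example that is not part of the original post: it renders the test pod manifest described in the text, applies it, and reports which identity the pod is using and whether `aws iam list-groups` succeeds. The pod name `eks-irsa-test` and the `default` namespace are assumptions (the post shows only the container name); `kubectl` is assumed to point at the cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the test pod manifest and
# check whether a pod that has NOT been given an IRSA role can list IAM groups.
# Assumptions: the pod is named eks-irsa-test in the default namespace (the
# original post shows only the container name); kubectl points at the cluster.

POD_NAME="eks-irsa-test"          # assumed pod name
NAMESPACE="${NAMESPACE:-default}" # assumed namespace

# Emit the pod manifest described in the post: amazon/aws-cli:latest kept alive
# with "sleep 3600" so we can exec into it.
render_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${POD_NAME}
  namespace: ${NAMESPACE}
spec:
  containers:
    - name: eks-irsa-test
      image: amazon/aws-cli:latest
      command: ["sleep", "3600"]
EOF
}

# Try to list IAM groups from inside the pod. Prints "allowed" if the call
# succeeds and "denied" otherwise. Before IRSA is configured, the only
# credentials the pod can find are the node's instance role (via IMDS), so
# the answer depends purely on what that role permits, not on the pod.
check_iam_list_groups() {
  if kubectl -n "${NAMESPACE}" exec "${POD_NAME}" -- aws iam list-groups >/dev/null 2>&1; then
    echo "allowed"
  else
    echo "denied"
  fi
}

# Identity the pod is actually using: with no IRSA this is the node role,
# which is exactly the least-privilege problem the post describes.
show_pod_identity() {
  kubectl -n "${NAMESPACE}" exec "${POD_NAME}" -- aws sts get-caller-identity
}

main() {
  render_pod_manifest > pods-irsa.yaml
  kubectl apply -f pods-irsa.yaml
  kubectl -n "${NAMESPACE}" wait --for=condition=Ready "pod/${POD_NAME}" --timeout=120s
  show_pod_identity
  echo "iam list-groups: $(check_iam_list_groups)"
}

# Only talk to the cluster when explicitly asked, so the functions above can
# be sourced and inspected offline.
if [ -n "${RUN_IRSA_DEMO:-}" ]; then
  main
fi
```

Run it with `RUN_IRSA_DEMO=1 ./precheck.sh`. The `aws sts get-caller-identity` output is the useful part: before IRSA it shows the node's instance role ARN, and whether `list-groups` is allowed or denied depends only on that role, not on anything about the pod.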
Step 1: Create an IAM OIDC identity provider for your cluster
Every EKS cluster has an OpenID Connect issuer URL associated with it. To use IAM roles for service accounts, an IAM OIDC identity provider for that issuer must exist in your AWS account. Use the command below to create it for your cluster, and make sure you are using eksctl version 0.32.0 or later.
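Step 1 as an added shell example that is not part of the original post: it reads the cluster's OIDC issuer URL, checks whether an IAM OIDC provider for it already exists (running the create step twice is harmless, but the check shows what IAM actually stores), and otherwise creates one with `eksctl utils associate-iam-oidc-provider`. The cluster name `my-cluster` and region `us-west-2` are placeholders, and the issuer URL used in the usage note is the example ID from the AWS documentation, not a real cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): look up the cluster's OIDC
# issuer, check whether an IAM OIDC provider already exists for it, and create
# one with eksctl if not. Assumptions: CLUSTER_NAME and AWS_REGION are set to
# your values (the defaults below are placeholders), and the AWS CLI / eksctl
# credentials can read EKS and IAM.

CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"   # assumed cluster name
AWS_REGION="${AWS_REGION:-us-west-2}"        # assumed region

# The issuer URL looks like
#   https://oidc.eks.<region>.amazonaws.com/id/<cluster-specific ID>
# IAM names the provider by the host+path without the scheme, so the trailing
# ID is what we look for in list-open-id-connect-providers.
oidc_id_from_issuer() {
  # Strip everything up to and including the last "/".
  printf '%s\n' "${1##*/}"
}

# The IAM provider ARN ends with the issuer minus "https://"; later steps use
# this as the Federated principal in the role trust policy.
oidc_provider_hostpath() {
  printf '%s\n' "${1#https://}"
}

cluster_oidc_issuer() {
  aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${AWS_REGION}" \
    --query 'cluster.identity.oidc.issuer' --output text
}

# Returns 0 if an IAM OIDC provider for this issuer already exists.
oidc_provider_exists() {
  local id
  id="$(oidc_id_from_issuer "$1")"
  aws iam list-open-id-connect-providers --output text | grep -q "/id/${id}"
}

main() {
  local issuer
  issuer="$(cluster_oidc_issuer)"
  echo "issuer: ${issuer}"
  if oidc_provider_exists "${issuer}"; then
    echo "IAM OIDC provider already present: $(oidc_provider_hostpath "${issuer}")"
  else
    # eksctl >= 0.32.0: creates the IAM OIDC provider (including the issuer's
    # TLS thumbprint) and associates it with the cluster.
    eksctl utils associate-iam-oidc-provider \
      --cluster "${CLUSTER_NAME}" --region "${AWS_REGION}" --approve
  fi
}

# Only call AWS when explicitly asked, so the helpers can be sourced offline.
if [ -n "${RUN_IRSA_DEMO:-}" ]; then
  main
fi
```

Run with `CLUSTER_NAME=<your-cluster> AWS_REGION=<region> RUN_IRSA_DEMO=1 ./oidc-provider.sh`. For an issuer of `https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE`, the helpers yield the ID `EXAMPLED539D4633E53DE1B71EXAMPLE` and the host path `oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE`, which is the suffix of the provider ARN that IAM role trust policies reference.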