amazon-eks-pod-identity-webhook

Decouple IAM Role conditions from kubernetes IdP details

Open cgetzen opened this issue 3 years ago • 1 comment

What would you like to be added: I'd like to decouple the IAM roles' trust policy from kubernetes cluster details, while maintaining the service account level access controls.

The condition looks like

"StringEquals": {
  "oidc.eks.us-west-1.amazonaws.com/id/ABCDEFGHIJKL:sub": "system:serviceaccount:kube-system:my-service-account"
}

There is no way to replace ABCDEFGHIJKL with * in this. Removing it entirely allows any pod to assume the role.

It would be great if there was an identical condition key like subject that did not contain which IdP it was from.

Alternatively, it would be great to allow each EKS cluster to set its own subject prefix, so that we can target a subset of clusters that should have access (e.g. "production:subject": "system:serviceaccount:kube-system:my-service-account").

Why is this needed:

This is needed when we have many clusters and roles, some of which are ephemeral.

cgetzen avatar Aug 13 '21 00:08 cgetzen
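The condition key in an IRSA trust policy is literally `<oidc-provider-host>:sub`, so the only way to admit the same service account from several clusters today is to list each cluster's OIDC provider explicitly. The script below, an added example that is not part of this issue or of the webhook project, generates such a trust policy from a list of cluster issuer URLs and then evaluates it against constructed token claims using a simplified model of how IAM matches `StringEquals` and the `Federated` principal. The account ID, the issuer URLs, and the token claims are made-up placeholders. It also shows the pitfall of folding every cluster's keys into a single `StringEquals` block: the keys are ANDed, a token only carries one issuer, so nothing can ever assume the role.

```python
"""Build an IRSA trust policy that admits one Kubernetes service account
from several EKS clusters, and check it against sample token claims.
Added example, not code from amazon-eks-pod-identity-webhook; account ID,
issuer URLs and claims below are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"  # assumption: placeholder account
CLUSTER_ISSUERS = [  # assumption: one OIDC issuer URL per cluster that should have access
    "https://oidc.eks.us-west-1.amazonaws.com/id/ABCDEFGHIJKL",
    "https://oidc.eks.us-west-1.amazonaws.com/id/MNOPQRSTUVWX",
]
SUBJECT = "system:serviceaccount:kube-system:my-service-account"
AUDIENCE = "sts.amazonaws.com"


def provider_host(issuer):
    # IAM names the OIDC provider, and its condition keys, after the issuer URL
    # with the "https://" scheme stripped.
    return issuer[len("https://"):] if issuer.startswith("https://") else issuer


def trust_policy(account_id, issuers, subject):
    """One Allow statement per cluster: each statement binds one provider's
    Federated principal to that same provider's :aud and :sub keys."""
    statements = []
    for iss in issuers:
        host = provider_host(iss)
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": AUDIENCE,
                f"{host}:sub": subject,
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def single_statement_policy(account_id, issuers, subject):
    """The tempting but broken shape: all clusters' keys in one StringEquals.
    Keys inside one condition block are ANDed, and a token only carries one
    issuer, so every assume-role call fails."""
    keys = {}
    for iss in issuers:
        host = provider_host(iss)
        keys[f"{host}:aud"] = AUDIENCE
        keys[f"{host}:sub"] = subject
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            f"arn:aws:iam::{account_id}:oidc-provider/{provider_host(i)}" for i in issuers]},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": keys},
    }]}


def statement_allows(stmt, claims):
    """Simplified model of IAM evaluation for a web identity token: the token's
    issuer must match a Federated principal, and every StringEquals key must be
    present in the request context and equal. A key belonging to another
    provider is absent from the context, so it fails the condition."""
    host = provider_host(claims["iss"])
    principals = stmt["Principal"]["Federated"]
    if isinstance(principals, str):
        principals = [principals]
    if not any(p.endswith("/" + host) for p in principals):
        return False
    for key, expected in stmt["Condition"]["StringEquals"].items():
        key_host, claim = key.rsplit(":", 1)
        if key_host != host:
            return False  # condition key for a different IdP: missing from context
        if claims.get(claim) != expected:
            return False
    return True


def policy_allows(policy, claims):
    # Statements are ORed: any matching Allow is enough (no Deny modelled here).
    return any(statement_allows(s, claims) for s in policy["Statement"])


if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, CLUSTER_ISSUERS, SUBJECT)
    print(json.dumps(policy, indent=2))
    token = {"iss": CLUSTER_ISSUERS[1], "sub": SUBJECT, "aud": AUDIENCE}  # constructed claims
    print("listed cluster allowed:", policy_allows(policy, token))
    stranger = dict(token, iss="https://oidc.eks.us-west-1.amazonaws.com/id/ZZZZZZZZZZZZ")
    print("unlisted cluster allowed:", policy_allows(policy, stranger))
```

Ephemeral clusters still mean regenerating and re-applying the policy (and creating the OIDC provider in IAM) each time a cluster comes and goes; the script only removes the hand-editing, not the coupling the issue is asking to eliminate.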

This is something you cannot achieve in the webhook. We have the same problem. This topic is being discussed here: https://github.com/aws/containers-roadmap/issues/1408

xavipanda avatar Sep 09 '21 06:09 xavipanda