Category Archives: Security

AWS: Kubernetes and External Secrets Operator for AWS Secrets Manager

24 August 2024

We have a new EKS cluster 1.30 on our project, where we want to completely remove the old IRSA with OIDC and start using EKS Pod Identities – see AWS: EKS Pod Identities – a replacement for IRSA? Simplifying IAM access management. And everything seems to work fine, but when I started deploying our…

AWS: IAM Access Analyzer policy generation – create an IAM Policy

24 August 2024

Quite often, for a new project that is just building its infrastructure and CI/CD as an MVP/PoC, no time is spent at the beginning on tuning AWS IAM Roles and IAM Policies, and AdministratorAccess is simply connected instead. Actually, this is exactly what happened in my project, but we are growing, and…

Terraform: managing EKS Access Entries and EKS Pod Identities

24 August 2024

So, we have an AWS Elastic Kubernetes Service cluster with Authentication mode EKS API and ConfigMap, which we enabled during the upgrade of the EKS Terraform module from version 19.21 to 20.0. Before switching the EKS Authentication mode completely to the API, we need to transfer all users and roles to Access Entries of the EKS cluster…

AWS: Kubernetes and Access Management API, the new authentication in EKS

7 July 2024

Another cool feature that Amazon showed back at the last re:Invent in November 2023 is the change in how AWS Elastic Kubernetes Service authenticates and authorizes users. And this applies not only to the cluster’s users, but also to its WorkerNodes. I mean, it’s not really a new scheme (November 2023) – but I just…

AWS: RDS IAM database authentication, EKS Pod Identities, and Terraform

7 July 2024

We’re preparing to migrate our Backend API database from DynamoDB to AWS RDS with PostgreSQL, and finally decided to try out AWS RDS IAM database authentication, which appeared in 2021. IAM database authentication, as the name implies, allows us to authenticate to RDS using AWS IAM instead of the login-password from the database server…

AWS: Karpenter and SSH for Kubernetes WorkerNodes

23 June 2024

We have an AWS EKS cluster with WorkerNodes/EC2 created with Karpenter. The process of creating the infrastructure, cluster, and launching Karpenter is described in previous posts: Terraform: Building EKS, part 1 – VPC, Subnets and Endpoints; Terraform: Building EKS, part 2 – an EKS cluster, WorkerNodes, and IAM; Terraform: Building EKS, part 3 –…

Pritunl: launching a VPN in AWS on EC2 with Terraform

23 June 2024

I’ve already written a little about Pritunl before – Pritunl: Running a VPN in Kubernetes. Let’s return to this topic again, but this time on EC2 in AWS, without Kubernetes. So, what we need to do is to run some kind of VPN service for the project to have access to Kubernetes APIs/Kubernetes WorkerNodes/AWS…

AWS: EKS Pod Identities – a replacement for IRSA? Simplifying IAM access management

16 December 2023

Another very interesting new feature from the latest re:Invent is the EKS Pod Identities: a new ability to manage Pod access to AWS resources. The current state: IAM Roles for Service Accounts. Before that, we used the IAM Roles for Service Accounts (IRSA) model, where in order to give a Pod access to, for example,…

AWS Elastic Kubernetes Service: RBAC Authorization via AWS IAM and RBAC Groups

25 November 2023

We have two new projects in the Elastic Kubernetes Service (see AWS Elastic Kubernetes Service: a cluster creation automation, part 1 – CloudFormation), each project lives in its own separate Namespace. In addition, there are two users, developers, who need to be given access to these two Namespaces, but only to Pods in them and…

VictoriaMetrics: VMAuth – Proxy, Authentication, and Authorization

27 August 2023

We continue to develop our monitoring stack. See the first part – VictoriaMetrics: creating a Kubernetes monitoring stack with its own Helm chart. What do we want to do next: give access to developers so that they can set Silence for alerts themselves in Alertmanager to avoid spamming Slack, see Prometheus: Alertmanager Web UI alerts…