Tag Archives: AWS IAM

AWS: EKS Pod Identities – a replacement for IRSA? Simplifying IAM access management

16 December 2023
 

 Another very interesting new feature from the latest re:Invent is EKS Pod Identities: a new ability to manage Pod access to AWS resources. The current state: IAM Roles for Service Accounts. Before that, we used the IAM Roles for Service Accounts (IRSA) model, where in order to give a Pod access to, for example,… Read More »

AWS Elastic Kubernetes Service: RBAC Authorization via AWS IAM and RBAC Groups

25 November 2023
 

 We have two new projects in the Elastic Kubernetes Service (see AWS Elastic Kubernetes Service: a cluster creation automation, part 1 – CloudFormation), each project lives in its own separate Namespace. In addition, there are two users, developers, who need to be given access to these two Namespaces, but only to Pods in them and… Read More »

Terraform: Building EKS, part 2 – an EKS cluster, WorkerNodes, and IAM

10 September 2023
 

  We continue the topic of deploying an AWS Elastic Kubernetes Service cluster using Terraform. In the first part, we prepared an AWS VPC. In this part, we’ll deploy the EKS cluster itself and configure IAM for it, and in the next parts, we’ll install Karpenter and the rest of the controllers. All the… Read More »

ArgoCD: a Helm chart deployment, and working with Helm Secrets via AWS KMS

22 November 2020
 

 In the previous post, ArgoCD: an overview, SSL configuration, and an application deploy, we did a quick overview of how to work with ArgoCD in general, and now let’s try to deploy a Helm chart. The most interesting part of this is how to enable the Helm Secrets. Had some pain with this, but… Read More »

AWS: eksctl – “Put http://169.254.169.254/latest/api/token: net/http: request canceled”

26 April 2020
 

 We have a Docker image with the eksctl tool included. We also have an EC2 with Linux with the eksctl. There is an AWS IAM Instance Profile attached to this EC2 with the AdminAccess policy assigned. On this EC2 we have Jenkins running in a Docker container, and it spawns its jobs inside in additional… Read More »

AWS Elastic Kubernetes Service: a cluster creation automation, part 1 – CloudFormation

24 April 2020
 

 The task is: create automation to roll out an AWS Elastic Kubernetes Service cluster from scratch. Will use: Ansible: to automate CloudFormation stack creation and to execute eksctl with necessary parameters; CloudFormation with NestedStacks: to create an infrastructure – VPC, subnets, SecurityGroups, IAM-roles, etc; eksctl: to create a cluster itself using resources created by CloudFormation… Read More »

AWS Elastic Kubernetes Service: running ALB Ingress controller

21 April 2020
 

 AWS ALB Ingress Controller for Kubernetes is a Kubernetes controller which actually controls AWS Application Load Balancers (ALB) in an AWS account when an Ingress resource with the kubernetes.io/ingress.class: alb annotation is created in a Kubernetes cluster. This Ingress resource in its turn describes an ALB Listeners configuration with SSL termination or traffic routing… Read More »

Kubernetes: part 5 — RBAC authorization with a Role and RoleBinding example

26 March 2020
 

 The next task is to add a new user who will have access to check pods state and watch logs – any other operations must be prohibited. AWS EKS uses AWS IAM for authentication in a Kubernetes cluster (check the Kubernetes: part 4 – AWS EKS authentification, aws-iam-authenticator and AWS IAM post for details), bot… Read More »

Kubernetes: part 4 – AWS EKS authentification, aws-iam-authenticator and AWS IAM

3 September 2019
 

  Let’s proceed with our AWS Elastic Kubernetes Service, EKS. Previous parts: Kubernetes: part 1 – architecture and main components overview; Kubernetes: part 2 – a cluster set up on AWS with AWS cloud-provider and AWS LoadBalancer; Kubernetes: part 3 – AWS EKS overview and manual EKS cluster set up. In the previous – Kubernetes:… Read More »

AWS: IAM users keys rotation, EC2 IAM Roles and Jenkins

30 May 2019
 

 Today I checked our IAM-users and “suddenly” recalled that it’s good to update their credentials sometimes: Well, that’s good to do but here is a question: it’s simple enough to set an expiry for keys in IAM, but what to do with all the scripts which are used in our Jenkins and which are using those… Read More »