EKS Pod Identity vs IRSA | Securely Connect Kubernetes Pods to AWS Services

00:00

how do you securely connect workloads

00:01

running in an Amazon eks cluster to

00:04

other services in AWS like S3 well today

00:08

we're going to be talking about eks pod

00:10

identity which is a relatively new

00:12

feature which enables you to connect up

00:14

IM am identity and access management

00:16

roles to pods um and workloads running

00:19

in your Amazon ekas clusters now I know

00:22

this sounds a whole lot like Ursa I

00:24

roles for service accounts but E's pod

00:27

identity streamlines a lot of the

00:28

operational overhead associated with

00:30

using Ursa while being backwards

00:32

compatible with Ursa but before we get

00:35

into all of it I think first let's start

00:37

from a point of understanding how

00:38

authorization Works in kubernetes uh for

00:41

users so let's say that as a user you're

00:44

trying to use something like Cube cuddle

00:46

to request from the kubernetes API um

00:50

information about some of the pods

00:52

running in kubernetes well the first

00:54

thing kubernetes is going to do is

00:57

authenticate your request now let's take

00:59

this part for granted because it's not

01:01

super critical to understanding how po

01:03

identity works but essentially what

01:04

happens here is kubernetes figures out

01:07

who you are uh next we'll need to do

01:09

authorization using kubernetes rbac and

01:12

this is typically done through uh two

01:15

types of roles um so first we'll talk

01:18

about cluster roles which are roles a

01:20

set of permissions scoped to the cluster

01:24

um then we've also got rols uh which are

01:28

scoped to

01:31

a namespace uh now this is what grants

01:34

our user permissions so again we wanted

01:36

to get some information about a pod so

01:39

let's say that uh we have a pod running

01:41

in

01:42

kubernetes right here and so once

01:46

kubernetes has approved this request

01:47

authenticated and authorized um go back

01:50

to the API server and our user gets his

01:53

or her response okay uh we're able to

01:56

retrieve information about pods as users

01:58

but what about when workloads Within

01:59

kubernetes want to access the kubernetes

02:02

API here's where service accounts come

02:05

in so um within our cluster here within

02:08

this namespace we'll have a service

02:11

account which I'll mark As sa these

02:13

service accounts can be bound to roles

02:15

in cluster rols as well um by the way

02:18

these bindings are done using cluster

02:19

roll bindings and Ro bindings for both

02:21

service accounts and users I've just

02:23

kind of simplified it here just a little

02:25

bit okay um so that's how workloads are

02:28

able to access the kubernetes API so now

02:29

now that uh the Pod references the

02:32

service account which is bound to these

02:33

roles it has permissions that are

02:35

defined in these roles so it can also

02:38

let's say access the kubernetes API now

02:40

we can talk about how eks pod identity

02:42

fits into the puzzle uh let's say that

02:44

in AWS we have an S3

02:47

bucket um and we want to access that S3

02:50

bucket using an approved AWS

02:54

SDK um so we'll draw that out here we'll

02:58

say it's using an SDK well this request

03:01

is going to fail because uh we haven't

03:04

created an IM rooll and connected up to

03:06

this pod just yet so an IM IM rooll uh

03:09

essentially gives us um permissions to

03:12

access this S3 bucket so that's what

03:14

we'll have to create first uh with pod

03:16

identity so um in am identity and access

03:20

management we create this role and let's

03:22

say we give it something very simple

03:24

like S3 list

03:27

bucket uh this uh IM roll has to set a

03:31

principle of this right here this is one

03:34

of the big improvements over IM rolles

03:36

for service accounts eks pod identity uh

03:39

allows you to not have to create an oidc

03:42

provider for every cluster and so these

03:45

roles can really be scoped to multiple

03:47

clusters you also have attribute based

03:49

access control which makes these roles

03:51

that much more powerful but okay this is

03:53

the first step for working with pod

03:55

identity uh the next thing we'll need to

03:56

do is deploy the Pod identity agent um

04:00

I'm just going to simplify that here and

04:01

just say Pia the Pod identity agent this

04:04

can be installed using an eks add-on

04:06

which makes that operational overhead

04:08

really negligible um it'll kind of help

04:11

you manage that agent running in your

04:13

cluster the last thing you need to do is

04:16

create an association now this

04:18

essentially you're telling eks that uh

04:21

for this role where you pass in the Arn

04:24

um in this namespace and for this

04:26

service account we're associating those

04:28

three um and now now when our pod tries

04:30

to access the S3 bucket the Pod identity

04:33

agent here is going to mutate the Pod

04:36

spec to make sure it has the right

04:37

credentials the SDK knows to look for

04:39

those credentials and allows us to

04:41

authenticate and authorize that request

04:43

to S3 enabling our kubernetes workloads

04:46

running an eks to securely access

04:49

Services outside of the cluster okay so

04:52

today we've talked a little bit about

04:53

eks po identity um and how it presents a

04:56

few improvements over the previous

04:58

experience with irsa irsa continues to

05:01

be supported and eks pod identity is

05:03

backwards compatible with it if you want

05:05

to learn more about eks po identity

05:08

check out the links in the description

05:09

below and be sure to like And subscribe

05:12

thanks for watching