Using instance profiles and kube2iam seems to be considered best practice, but I'm not very happy with it. It's effectively using blacklisting where we should use whitelisting instead. It would be much better if we could somehow securely get the keys to the system without having to use the instance-wide readable metadata service.
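One way to turn the "whitelist instead of blacklist" idea into a network-layer control, as an added example that is not part of the original comment: deny every pod access to the metadata service by default, and allow it back only for pods that carry an explicit label. It assumes a CNI that enforces NetworkPolicy, and the namespace name `prod` and label `imds-access` are placeholders.

```yaml
# Added example (not from the original comment). Assumes a CNI that enforces
# NetworkPolicy; "prod" and the "imds-access" label are placeholder names.
#
# Policy 1: every pod in the namespace may reach anything EXCEPT the EC2
# instance metadata service, so instance-profile credentials are not
# readable by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-imds
  namespace: prod
spec:
  podSelector: {}            # selects every pod in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32   # EC2 instance metadata service
---
# Policy 2: only pods explicitly labelled imds-access=true regain access.
# NetworkPolicy allow rules are unioned per pod, so this second policy is
# the allow-list; unlabelled pods stay blocked by Policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-imds-for-labelled-pods
  namespace: prod
spec:
  podSelector:
    matchLabels:
      imds-access: "true"
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 169.254.169.254/32
```

Apply with `kubectl apply -f` per namespace; a pod without the label should then time out on `curl http://169.254.169.254/latest/meta-data/`, which is a quick check that the policy is actually enforced by the CNI.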