search

kubernetes-sigs / aws-iam-authenticator

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
Apache License 2.0
2.2k stars 421 forks source link

[Feature request]: support EC2 instance identities #696

Closed gilbahat closed 2 months ago

gilbahat commented 7 months ago

What would you like to be added?

EC2 instance identities (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html) are unique ad-hoc IAM roles assigned to EC2 Instances. They are not currently supported by aws-iam-authenticator

Why is this needed?

opened to match pull request [https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/693]

First and foremost because they're there and support can be enabled. As implemented, aws-iam-authenticator throws an incorrect error.

I envision two possible use cases: cluster admission control and limited pre-access.

  1. cluster admission control - in this scenario, a node candidate will be unable to connect as a node to the cluster until authorized by some other means (let's say an integrity check or security audit). A single IAM role shared by many nodes is unsuitable for this purpose, but ad-hoc identities are. The authorizing mechanism will add the relevant credentials to the auth-map once the node has been vetted.

  2. limited pre-access. while candidate nodes are assumed to have system:nodes / system:bootstrapper privileges which are elevated, using them directly may be undesirable security-wise, for two reasons:

a. it may rightfully trigger a violation from monitoring tools b. it entails using a superuser for what may be better served by a user with limited access

thus, using a scoped user for AWS identities may allow e.g. read-only access for data that might be useful by the node to configure/tune itself or other such customizations.

Anything else we need to know?

No response

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 2 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/696#issuecomment-2254354144): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages issues according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed > >You can: >- Reopen this issue with `/reopen` >- Mark this issue as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close not-planned > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.