Decouple IAM Role conditions from kubernetes IdP details #121

Open
cgetzen opened this issue Aug 13, 2021 · 1 comment

cgetzen commented Aug 13, 2021

What would you like to be added:
I'd like to decouple the IAM roles' trust policy from kubernetes cluster details, while maintaining the service account level access controls.

The condition looks like:

```json
"StringEquals": {
  "oidc.eks.us-west-1.amazonaws.com/id/ABCDEFGHIJKL:sub": "system:serviceaccount:kube-system:my-service-account"
}
```

There is no way to replace ABCDEFGHIJKL with * in this.
Removing it entirely allows any pod to assume the role.

It would be great if there were an identical condition key, like subject, that did not contain which IdP it was from.

Alternatively, it would be great to allow each EKS cluster to set its own subject prefix, so that we can target a subset of clusters that should have access (e.g. "production:subject": "system:serviceaccount:kube-system:my-service-account").

Why is this needed:

This is needed when we have many clusters and roles, some of which are ephemeral.
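As an added example (not code from the issue author or from the project), the following Python helper shows the workaround available today: one trust-policy statement per cluster OIDC provider, each pinned to the service-account subject, plus an audit that flags statements where the `:sub` condition was removed or wildcarded. The cluster issuer IDs and account ID are constructed placeholders.

```python
# Constructed sample: per-cluster OIDC issuer hostnames (the part after https://).
# The cluster IDs and the account ID below are placeholders, not real values.
CLUSTERS = {
    "prod-us-west-1": "oidc.eks.us-west-1.amazonaws.com/id/PLACEHOLDERCLUSTER1",
    "prod-us-west-2": "oidc.eks.us-west-2.amazonaws.com/id/PLACEHOLDERCLUSTER2",
}
ACCOUNT_ID = "123456789012"  # placeholder AWS account id


def build_trust_policy(clusters, account_id, namespace, service_account):
    """One Statement per cluster. Each pins both the OIDC provider ARN and the
    subject, so no wildcard over the provider id is ever needed."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    statements = []
    for issuer in clusters.values():
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": subject,
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy):
    """Return findings for AssumeRoleWithWebIdentity statements that carry no
    :sub condition (any pod on that provider could assume the role) or whose
    subject is a wildcard (e.g. via StringLike)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subs = {}
        for operator in st.get("Condition", {}).values():
            subs.update({k: v for k, v in operator.items() if k.endswith(":sub")})
        if not subs:
            findings.append(f"statement {i}: no :sub condition; any pod can assume the role")
        for key, value in subs.items():
            for v in (value if isinstance(value, list) else [value]):
                if v == "*" or v.endswith(":*"):
                    findings.append(f"statement {i}: wildcard subject {key}={v}")
    return findings
```

Running `audit_trust_policy` over existing role trust documents is a cheap way to catch roles where the condition was dropped to work around the cluster-ID coupling described above.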

@xavipanda

This is something you cannot achieve in the webhook. We have the same problem.
This topic is being discussed here: aws/containers-roadmap#1408
