Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eks: PoC: Zalando IAM AWS Proxy #7818

Draft
wants to merge 3 commits into
base: eks
Choose a base branch
from
Draft

eks: PoC: Zalando IAM AWS Proxy #7818

wants to merge 3 commits into from

Conversation

mikkeloscar
Copy link
Contributor

This adds a Proof of Concept proxy which can translate from Zalando IAM tokens to AWS IAM credentials which gives access in EKS.

The AWS IAM credentials are mapped to a username in Kubernetes: zalando-iam:zalando:service:{{SessionName}} Where SessionName will be the UID of the Zalando IAM token. Such that a user for a service becomes e.g.: zalando-iam:zalando:service:stups_<app_id> which is what we have in place today.

The idea is that the proxy works as a secondary API-endpoint to be called by services with Zalando IAM tokens: https://<local-id>-zalando-iam-aws-proxy.<account>.zalan.do

It may even make sense to set this URL as the api_server_url in cluster registry for EKS clusters, such that existing clients like CDP will just transparently work.

@mikkeloscar mikkeloscar added the minor Minor changes, e.g. low risk config updates, changes that do not introduce a new API call. label Jul 5, 2024
mikkeloscar
mikkeloscar commented Jul 5, 2024
View reviewed changes
cluster/manifests/zalando-iam-aws-proxy/deployment.yaml Outdated
serviceAccountName: zalando-iam-aws-proxy
containers:
- name: proxy
image: mikkeloscar/zalando-iam-aws-proxy:2
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to use a properly built image

@mikkeloscar mikkeloscar changed the title PoC: Zalando IAM AWS Proxy eks: PoC: Zalando IAM AWS Proxy Jul 5, 2024
@mikkeloscar mikkeloscar force-pushed the eks-zalando-iam-proxy branch 26 times, most recently from d20da96 to 5a87b71 Compare July 15, 2024 15:55
@mikkeloscar mikkeloscar force-pushed the eks-zalando-iam-proxy branch 3 times, most recently from 4183f30 to 8dd0955 Compare July 17, 2024 13:40
@mikkeloscar
PoC: Zalando IAM AWS Proxy
f851058 
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
@mikkeloscar
Make deployment-service-controller call via serviceaccount
7ae1e90 
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
@mikkeloscar
Dynamic maxPods based on instance-type/ENI
46b35ab 
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
minor Minor changes, e.g. low risk config updates, changes that do not introduce a new API call.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@mikkeloscar