| kata-irc-bot | <jrieck> Hey team, quick question. If I am running kata containers in AWS EKS, do I still get access to the aws iam assume role functionality? or does the VM encapsulation prevent this in some way | 14:50 |
|---|---|---|
| kata-irc-bot | <jrieck> https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html | 14:51 |
| kata-irc-bot | <eric.ernst> Did you try and it didn't? | 14:55 |
| kata-irc-bot | <jrieck> im about to PoC it out today, just curious if anyone else tried. I can report back | 14:57 |
| kata-irc-bot | <eric.ernst> My guess would be probably. It depends on how the container obtains it's certificate to be able to use this. If it doesn't work then it may be worth seeing what's in the resulting config.json | 15:07 |
| kata-irc-bot | <jrieck> Okay, give me a bit and I'll let you know | 15:07 |
| kata-irc-bot | <jrieck> ```{"level":"error","ts":1644506961.1222587,"logger":"setup","msg":"unable to build REST config","e rror":"open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory"}``` | 15:29 |
| kata-irc-bot | <jrieck> i wonder if i need to do an extra step to mount it | 15:30 |
| kata-irc-bot | <jrieck> It does work with qemu, but that error is from firecracker | 15:34 |
| kata-irc-bot | <jrieck> Could I potentially query the service account API to grab those creds manually | 16:06 |
| kata-irc-bot | <eric.ernst> It's because we don't have shared fs with FC | 16:14 |
| kata-irc-bot | <eric.ernst> So it's failing to mount the secre in the guest | 16:14 |
| kata-irc-bot | <eric.ernst> This would work well w QEMU, and Cloud Hypervisor (smaller, more similar to FC) | 16:14 |
| kata-irc-bot | <jrieck> That makes sense as to why it doesnt work, we really like FC because we are running untrusted code in these particular pods | 16:15 |
| kata-irc-bot | <jrieck> If I granted the iam permissions to the underlying node, would the FC pod be able to get access to those permissions as well? | 16:17 |
| kata-irc-bot | <eric.ernst> I would consider CLH if you want this compatibility/feature to work | 16:38 |
| kata-irc-bot | <eric.ernst> If certs get updated, FC pods will lose connectivity. | 16:38 |
| kata-irc-bot | <eric.ernst> Supporting volume mounts (these secrets) are critical for this use case. | 16:39 |
| kata-irc-bot | <jrieck> Gotcha, does CLH focus on security in the same way that FC does | 16:47 |
| kata-irc-bot | <jrieck> potentially found a solutionL https://github.com/jtblin/kube2iam - going to PoC this out and report back | 17:26 |
| kata-irc-bot | <jrieck> it works!!! | 18:48 |
| kata-irc-bot | <jrieck> ```apiVersion: v1 kind: Pod metadata: name: aws-cli labels: name: aws-cli annotations: iam.amazonaws.com/role: arn:aws:iam::875991226415:role/jdr-kube2iam-test spec: runtimeClassName: kata-fc containers: - image: fstab/aws-cli command: ["bash", "-c", "/home/aws/aws/env/bin/aws s3 ls jdr-test-bucket123 && echo 'done'"] name: aws-cli``` | 18:48 |
| kata-irc-bot | <jrieck> using kube2iam | 18:48 |
| kata-irc-bot | <jrieck> prob a good PSA for others in this similar situation to not use the built in SA EKS integration and go with kube2iam | 18:48 |
| kata-irc-bot | <eric.ernst> **If they are using Firecracker, yeah for sure! | 19:25 |
| kata-irc-bot | <eric.ernst> And, re: security, that indeed is a focus item for Cloud Hypervisor and part of the intention of the project. | 19:26 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!