on 06-05-2023 01:50 AM
We can associate a specific IAM role with the pod running the containerized MID Server in order to control its access to cloud resources. While it is not possible to attach the role to the pod directly, we can create a Kubernetes service account bound to the required role and reference that service account in our deployment.
To do so, we first need to check whether the cluster already has an IAM OpenID Connect (OIDC) provider associated with it.
We can execute the following command to store the cluster's OIDC issuer ID in a variable:
oidc_id=$(aws eks describe-cluster --name containerized-mid-server-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
Make sure to update the cluster name to the corresponding one, and then query the value of the variable:
aws iam list-open-id-connect-providers | grep $oidc_id
If the command returns an ID (as per the figure below), then an IAM OIDC provider is already associated with the cluster and there is no need to create a new one.
If the command returns nothing, we have to create one. To do so, we execute the command:
eksctl utils associate-iam-oidc-provider --cluster containerized-mid-server-cluster --approve
Once the IAM OIDC provider is associated with the cluster, we can create the service account and the IAM role we require for the pod:
eksctl create iamserviceaccount --name <serviceaccountname> --namespace <namespace> --cluster <cluster_name> --role-name "<iamrolename>" --attach-policy-arn <iam_policy_arn> --approve
From the command above, the parameters are as follows:
- <serviceaccountname>: name we give to our service account.
- <namespace>: namespace where the service account is created.
- <cluster_name>: name of the cluster.
- <iamrolename>: name of the IAM role.
- <iam_policy_arn>: ARN identifier of the policy you want to add to the role. In my case I use ReadOnlyAccess, but you can add as many as required.
You can check that the service account was correctly added by executing:
kubectl get serviceaccounts -n containerized-mid-server-cluster
Once the service account is created, you can modify the deployment file and include the serviceAccountName parameter in the pod spec:
apiVersion: apps/v1
kind: Deployment
...
spec:
  serviceAccountName: "is1-service-account"
  containers:
  - name: containerized-mid-server-cluster
    imagePullPolicy: IfNotPresent
    image: XXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/containerized_mid_server:latest
...
Then apply the deployment (as per
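The whole procedure above (check for an existing OIDC provider, associate one only if missing, create the IAM-backed service account, then confirm the pods really run under it) as an idempotent shell script. This is an added example, not code from the original post or from ServiceNow: the role name mid-server-irsa-role is an assumed placeholder, the other names default to the values used in the post and can be overridden through environment variables, and the aws/eksctl/kubectl calls are only made when RUN_IRSA=1 is set. The two string-handling helpers are kept free of cloud calls so they can be exercised on constructed sample output.

```shell
#!/bin/sh
# Added example (not the original post's code). Placeholders: the cluster,
# namespace and service-account names default to the post's values, the role
# name is an assumption; override any of them via the environment.
CLUSTER="${CLUSTER:-containerized-mid-server-cluster}"
NAMESPACE="${NAMESPACE:-containerized-mid-server-cluster}"
SA_NAME="${SA_NAME:-is1-service-account}"
ROLE_NAME="${ROLE_NAME:-mid-server-irsa-role}"   # assumed placeholder
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/ReadOnlyAccess}"

# oidc_id_from_issuer ISSUER_URL
# Extracts the trailing ID from https://oidc.eks.<region>.amazonaws.com/id/<ID>,
# the same step the post does with `cut -d '/' -f 5`, but prints nothing for
# input that is not an EKS issuer URL (e.g. "None" when OIDC is not enabled).
oidc_id_from_issuer() {
  printf '%s\n' "$1" \
    | sed -n 's#^https://oidc\.eks\.[^/]*/id/\([A-Za-z0-9]*\)$#\1#p'
}

# provider_exists LIST_JSON OIDC_ID
# Returns 0 if the JSON from `aws iam list-open-id-connect-providers` contains
# a provider ARN whose path ends in /id/<OIDC_ID>; the closing quote in the
# pattern prevents a shorter ID from matching a longer one as a prefix.
provider_exists() {
  printf '%s' "$1" | grep -q "oidc-provider/oidc\.eks\.[^/\"]*/id/$2\""
}

# Associate an IAM OIDC provider only when the cluster does not have one yet.
ensure_oidc_provider() {
  issuer=$(aws eks describe-cluster --name "$CLUSTER" \
             --query "cluster.identity.oidc.issuer" --output text)
  id=$(oidc_id_from_issuer "$issuer")
  [ -n "$id" ] || { echo "could not parse OIDC issuer: $issuer" >&2; return 1; }
  if provider_exists "$(aws iam list-open-id-connect-providers)" "$id"; then
    echo "IAM OIDC provider $id already associated with $CLUSTER"
  else
    eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
  fi
}

# Create the service account and the IAM role it is bound to (the post's
# eksctl command, with the parameters taken from the variables above).
create_service_account() {
  eksctl create iamserviceaccount --name "$SA_NAME" --namespace "$NAMESPACE" \
    --cluster "$CLUSTER" --role-name "$ROLE_NAME" \
    --attach-policy-arn "$POLICY_ARN" --approve
}

# After `kubectl apply` of the deployment: print the role ARN annotation that
# eksctl put on the service account, then each pod with the service account it
# actually runs under, so a pod still on "default" is visible at a glance.
verify_binding() {
  kubectl get serviceaccount "$SA_NAME" -n "$NAMESPACE" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}'
  kubectl get pods -n "$NAMESPACE" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.serviceAccountName}{"\n"}{end}'
}

main() {
  ensure_oidc_provider && create_service_account && verify_binding
}

# Only touch the cluster when explicitly asked, so the file can be sourced.
if [ "${RUN_IRSA:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_IRSA=1 sh irsa.sh` after the deployment has been applied; the last command should list every MID Server pod next to the service account name, and the printed annotation is the role ARN the pod's token will be exchanged for. POLICY_ARN defaults to the ReadOnlyAccess policy the post uses; a policy limited to the APIs the MID Server actually discovers is the better default once you know which those are.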
See the Containerized MID Server series:
- Creating ECS repository and EKS cluster for MID Server [Containerized MID Server series 1/3]
- Building & deploying containerized MID Server on AWS EKS [Containerized MID Server series 2/3]
- Service Account for containerized MID Server [Containerized MID Server series 3/3]
References
Assign an aws IAM Role to an EKS pod
Deploying a containerized MID server in a Kubernetes cluster