Introducing AWS EKS Pod Identities

Introduction

As we continue to extend the Kubernetes environments managed by Convox v3 Racks, we are pleased to introduce support for AWS EKS Pod Identities. This feature improves the security posture of AWS Kubernetes deployments by attaching fine-grained IAM permissions to individual services at the Pod level instead of relying on node-wide credentials.

What is AWS EKS Pod Identity?

AWS EKS Pod Identity is an EKS feature for granting Pods AWS permissions without distributing credentials to them. An IAM role whose trust policy allows the EKS Pod Identity service principal (pods.eks.amazonaws.com) is associated with a Kubernetes service account; the Pod Identity Agent running on each node then hands every Pod that uses that service account short-lived credentials for the role, and the AWS SDKs pick those credentials up automatically through their container credential provider. No access keys are stored in images, environment variables, or Secrets, and permissions are scoped per service rather than per node, which both tightens security and simplifies managing access to AWS resources.
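The following is an added example, not Convox's or AWS's code, showing the exchange that the description above relies on: inside a Pod, an SDK reads a projected service-account token and presents it to the Pod Identity Agent, which answers with temporary role credentials. The environment variable names are the ones EKS Pod Identity injects into Pods; the agent here is a constructed local stand-in bound to 127.0.0.1 (the real agent listens on the link-local address and validates the token with EKS before assuming the role), and all key values are constructed, so the script runs offline.

```python
"""Pod Identity credential exchange, run against a constructed fake agent."""
import json
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Variables the EKS Pod Identity webhook injects into each Pod (real names).
# On a node the URI is http://169.254.170.23/v1/credentials and the token
# file is a projected service-account token; the demo below points them at
# a local fake agent and a temp file instead.
CREDENTIALS_URI_ENV = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
TOKEN_FILE_ENV = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def fetch_pod_identity_credentials(env=None):
    """What an AWS SDK's container credential provider does: read the
    projected token, present it as the Authorization header, and receive
    short-lived credentials for the role bound to the service account."""
    env = os.environ if env is None else env
    uri = env[CREDENTIALS_URI_ENV]
    with open(env[TOKEN_FILE_ENV], encoding="utf-8") as fh:
        token = fh.read().strip()
    req = urllib.request.Request(uri, headers={"Authorization": token})
    # The agent is link-local; never route this request through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:  # raises HTTPError on 401
        creds = json.load(resp)
    missing = [k for k in REQUIRED_FIELDS if k not in creds]
    if missing:
        raise ValueError(f"agent response missing {missing}")
    return creds


class FakeAgent(BaseHTTPRequestHandler):
    """Constructed stand-in for the Pod Identity Agent. It only checks that
    the caller presented the expected token; that is the property the Pod
    side depends on: no valid token, no credentials."""

    expected_token = "constructed-projected-sa-token"
    canned_credentials = {  # constructed values, not real keys
        "AccessKeyId": "ASIAEXAMPLEPODIDKEY",
        "SecretAccessKey": "example-secret",
        "Token": "example-session-token",
        "AccountId": "123456789012",
        "Expiration": "2030-01-01T00:00:00Z",
    }

    def do_GET(self):
        if (self.path != "/v1/credentials"
                or self.headers.get("Authorization") != self.expected_token):
            self.send_response(401)
            self.end_headers()
            return
        body = json.dumps(self.canned_credentials).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the exchange with the right token, then with a tampered one.
    Returns (credentials, rejected); rejected is True if the bad token got 401."""
    server = HTTPServer(("127.0.0.1", 0), FakeAgent)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with tempfile.TemporaryDirectory() as tmp:
            token_path = os.path.join(tmp, "eks-pod-identity-token")
            env = {
                CREDENTIALS_URI_ENV: f"http://127.0.0.1:{server.server_port}/v1/credentials",
                TOKEN_FILE_ENV: token_path,
            }
            with open(token_path, "w", encoding="utf-8") as fh:
                fh.write(FakeAgent.expected_token)
            creds = fetch_pod_identity_credentials(env)

            with open(token_path, "w", encoding="utf-8") as fh:
                fh.write("not-this-pods-token")
            try:
                fetch_pod_identity_credentials(env)
                rejected = False
            except urllib.error.HTTPError as err:
                rejected = err.code == 401
    finally:
        server.shutdown()
        server.server_close()
    return creds, rejected


if __name__ == "__main__":
    creds, rejected = demo()
    print("role credentials:", creds["AccessKeyId"], "expire", creds["Expiration"])
    print("tampered token rejected:", rejected)
```

The point to notice is what never appears: the container has no long-lived access key anywhere, only a token file that is useless outside the node's agent, and the credentials it receives carry an Expiration the SDK honours by fetching fresh ones.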

Feature Overview

  • Enhanced Security: Each Pod receives only the permissions granted to its IAM role, so a service can be held to least privilege instead of inheriting whatever the node's instance role allows.
  • Simplified Credential Management: No AWS credentials are embedded in images or environment variables; the Kubernetes service account is the identity, and the credentials behind it are short-lived and refreshed automatically.
  • Easy Configuration: Attach IAM policies to a service through a few lines in your convox.yml.

How to Configure and Use AWS EKS Pod Identities

Configuring your Kubernetes deployments to use AWS EKS Pod Identities involves a few straightforward steps:

Enabling the Pod Identity Agent

First, activate the EKS pod identity agent with this command:

convox rack params set pod_identity_agent_enable=true -r rackName

This enables the necessary agent that facilitates the IAM role assumption process for your Pods.

Configuring convox.yml

In your convox.yml, list the IAM policy ARNs each service needs under accessControl.awsPodIdentity.policyArns. The example below attaches two AWS-managed policies and one customer-managed policy (123456789012 is a placeholder account ID). AWS-managed policies such as AmazonS3ReadOnlyAccess apply to every resource of that type in the account, so for production services prefer a customer-managed policy scoped to the specific buckets, tables, or queues the service actually uses:

services:
  web:
    build: .
    port: 3000
    accessControl:
      awsPodIdentity:
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
          - "arn:aws:iam::123456789012:policy/MyCustomPolicy"

Deploying Changes

Deploy your application with updated configurations using:

convox deploy -a appName -r rackName

This feature requires rack version 3.18.1 or later; for update instructions, refer to the Convox documentation on Updating a Rack. To confirm a service is running as its own role rather than the node's instance role, open a shell in one of its Pods and run aws sts get-caller-identity: the returned Arn should be an assumed-role session for that service's role.
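As a pre-deploy check on the configuration step above, here is an added example (not Convox's code) that validates the policyArns a convox.yml grants each service: it rejects malformed policy ARNs, flags AWS-managed policies whose names indicate broad, non-resource-scoped grants, and, when given the JSON documents of customer-managed policies, flags Allow statements that use a bare "*" for Action or Resource. The "broad" name patterns are a heuristic chosen here, not a Convox or AWS rule; the config is the page's example plus a constructed "worker" service, written as a Python dict so no YAML library is needed.

```python
"""Pre-deploy lint of awsPodIdentity.policyArns in a convox.yml."""
import re

# arn:aws[-partition]:iam::(aws | 12-digit account):policy/<path and name>
POLICY_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::(?P<account>aws|\d{12}):policy/[\w+=,.@/-]+$")
# Heuristic (assumption): managed policies named like this grant far more
# than one service needs and cannot be scoped to particular resources.
BROAD_MANAGED_PATTERNS = ("AdministratorAccess", "PowerUserAccess", "FullAccess")


def wildcard_statements(document):
    """Indices of Allow statements in an IAM policy document whose Action or
    Resource is a bare '*' (e.g. 'sqs:*' on one queue is not flagged)."""
    stmts = document.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions or "*" in resources:
            hits.append(i)
    return hits


def check_policy_arns(config, documents=None):
    """Return (service, arn, severity, message) findings for every service.
    documents optionally maps customer-managed policy ARNs to their JSON."""
    documents = documents or {}
    findings = []
    for service, spec in (config.get("services") or {}).items():
        pod_identity = (spec.get("accessControl") or {}).get("awsPodIdentity") or {}
        for arn in pod_identity.get("policyArns") or []:
            match = POLICY_ARN_RE.match(arn)
            if not match:
                findings.append((service, arn, "error", "malformed IAM policy ARN"))
                continue
            name = arn.rsplit("/", 1)[1]
            if match.group("account") == "aws":
                if any(p in name for p in BROAD_MANAGED_PATTERNS):
                    findings.append((service, arn, "warn",
                                     "broad AWS-managed policy; scope a customer-managed "
                                     "policy to the resources this service uses"))
            elif arn in documents:
                bad = wildcard_statements(documents[arn])
                if bad:
                    findings.append((service, arn, "warn",
                                     f"Allow statements {bad} use '*' for Action or Resource"))
    return findings


# Constructed input: the page's web service plus a worker with problems.
EXAMPLE_CONFIG = {
    "services": {
        "web": {"build": ".", "port": 3000, "accessControl": {"awsPodIdentity": {
            "policyArns": [
                "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                "arn:aws:iam::123456789012:policy/MyCustomPolicy",
            ]}}},
        "worker": {"build": ".", "accessControl": {"awsPodIdentity": {
            "policyArns": [
                "arn:aws:iam::aws:policy/AmazonS3FullAccess",
                "arn:aws:iam::123456789012:policy/WorkerPolicy",
                "arn:aws:iam::12345:policy/ShortAccount",
            ]}}},
    }
}
# Constructed policy documents for the two customer-managed ARNs above.
EXAMPLE_DOCUMENTS = {
    "arn:aws:iam::123456789012:policy/MyCustomPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"}]},
    "arn:aws:iam::123456789012:policy/WorkerPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"], "Resource": "*"}]},
}


def lint_example():
    """Run the check over the constructed config; returns the findings."""
    return check_policy_arns(EXAMPLE_CONFIG, EXAMPLE_DOCUMENTS)


if __name__ == "__main__":
    for service, arn, severity, message in lint_example():
        print(f"[{severity}] {service}: {arn}: {message}")
```

Run this in CI before convox deploy; the web service from the page passes clean, while the constructed worker is flagged three times (a FullAccess managed policy, a customer policy with Resource "*", and a malformed ARN).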

Conclusion

Adding AWS EKS Pod Identities to Convox's Kubernetes platform continues our work toward secure container orchestration by default. With this feature, each service runs under an IAM role sized to its own needs, no AWS credentials are baked into images or configuration, and Kubernetes environments move closer to least privilege with a single change to convox.yml.

Let your team focus on what matters.