| | amazon-eks-pod-identity-webhook | aws-sdk-go |
|---|---|---|
| Mentions | 8 | 35 |
| Stars | 584 | 8,549 |
| Growth | 1.0% | 0.2% |
| Activity | 6.8 | 9.4 |
| Latest commit | 23 days ago | 8 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
amazon-eks-pod-identity-webhook
- Grant Kubernetes Pods Access to AWS Services Using OpenID Connect
  It's not specific to EKS, you can find the underlying webhook that injects the "identity" here: https://github.com/aws/amazon-eks-pod-identity-webhook
  You have to jump through much of the same hoops you describe, having a public `.well-known` endpoint for example. I have achieved this in the past by putting the OIDC discovery information in an S3 bucket.
- k3s on AWS, does it make sense?
  You can install the pod identity webhook and AWS cloud provider, CSI provider, etc. on a bare kube cluster and get pretty close to the EKS experience. Not something I'd do for prod, but interesting as a learning exercise.
- IAM roles for pods in external k8s cluster
  Yes you absolutely can. https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md
- Unable to read token file, permission denied
  Is your pod running as an unprivileged user? Sounds like https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8 to me.
- Zero-configuration IRSA on kOps
  On EKS, the pod identity webhook is commonly used as the mechanism for adding the necessary parts of the Pod spec. This webhook looks for ServiceAccounts with a specific set of annotations telling it what ARN it can assume and various other settings. When a Pod is created that uses one of these ServiceAccounts, the webhook mutates the Pod using information found in the ServiceAccount annotations.
- Using IAM Roles for ServiceAccounts on kOps
  If you prefer, you could create ServiceAccounts with these details and use the EKS identity webhook, but I don't see kOps supporting that webhook as a native addon.
- [AWS-EFS][IAM] AWS EFS CSI instructions say to use a service account w/ IAM role association, but is it possible with KIAM instead?
  The Amazon EKS Pod Identity Webhook on the cluster watches for pods that are associated with service accounts with this special annotation & injects Web Identity Token credentials into the pod as environment variables (technical details here).
- Understanding AWS K8s architecture using EC2
  I don't know how kOps manages IAM creds for pods these days, but you can use this (my recommendation) https://github.com/aws/amazon-eks-pod-identity-webhook, or something like KIAM or kube2iam
aws-sdk-go
- my first go project, a CLI application to store IP addresses
- Go 1.21 will (probably) download newer toolchains on demand by default
  I'm... really not sure I agree with this, from a philosophical point of view. It feels like this is making "eh, we'll just upgrade our Go version next quarter" too easy; ultimately some responsibility toward updating your application's Go version to work with what new dependencies require should fall on us, the application developers. Sure, we're bad at it. Everyone's lived through running years-old versions of some toolchain. But I think this just makes the problem worse, not better.
  It's compounded by the problem that, when you're setting up a new library, the `go` directive in the mod file defaults to your current toolchain, most likely a very current one. It would take a not-insignificant effort on the library author's part to change that to assert the true minimum version of Go required, based on libraries and language features and such. That's an effort most devs won't take on.
  I'd also guess that many developers, up to this point if not indefinitely because education is hard, interpreted that `go` directive to mean more "the version of go this was built with", not necessarily "the version of go minimally required". There are really major libraries (kubernetes/client-go [1]) which assert a minimum go version of 1.20, the latest version (see, for comparison, the aws-sdk, which specifies a more reasonable go1.11 [2]). I haven't, you know, fully audited these libraries, but 1.20 wasn't exactly a major release with huge language and library changes; do they really need 1.20? If devs haven't traditionally operated in this world where keeping this value super-current results in actually significant downstream costs in network bandwidth (go1.20 is 100mb!) and CI runtime, do we have confidence that the community will adapt? There are millions of Go packages out there.
  Or, will a future version of Go patch a security update, not backport it more than one version or so, and libraries have to specify the newest `go` directive version, because manifest security scanning and policy and whatever? Like, yeah, I get the rosy worldview of "your minimum version encodes required language and library features", but it's not obvious to me that this is how this field is, or even will be, used.
  Just a LOT of tertiary costs to this change which I hope the team has thought through.
  [1] https://github.com/kubernetes/client-go/blob/master/go.mod#L...
  [2] https://github.com/aws/aws-sdk-go/blob/main/go.mod
- How to get better on golang
- Send an Email through AWS SES with GoLang
  `"This email was sent with " + "Amazon SES using the " + "AWS SDK for Go."`
- Looking for library recommendations: Django -> Golang port
  I figured I'd ask the community for some recommendations for the following capabilities that the Django + Python stack is giving me at the moment:
  1. Amazon SES Mailing (considering aws-sdk-go)
  2. Django Admin (considering go-admin)
  3. Django Signals (considering syncsignals)
  4. Celery (no contenders here)
- S3 upload with progress
  I've been trying to implement some logging of progress when uploading objects to S3. My code is building on this example and can be found here.
- Background process in Lambda using SQS
  Now that you have everything you need, let's install the AWS SDK for Go library.
- Node.js 18 support in Lambda added to Go SDK
- Node.js 18 Runtime support added to Golang SDK
- AWS and its complicated shit needs to die
  Counterpoint 2: Amazon is bad and should feel bad for making this an internal and embedding it in the Credentials struct.
What are some alternatives?
kiam - Integrate AWS IAM with Kubernetes
minio-go - MinIO Go client SDK for S3 compatible object storage
external-dns - Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
Moto - A library that allows you to easily mock out tests based on AWS infrastructure.
amazon-eks-ami - Packer configuration for building a custom EKS AMI
botocore - The low-level, core functionality of boto3 and the AWS CLI.
aws-efs-csi-driver - CSI Driver for Amazon EFS https://aws.amazon.com/efs/
twitter-scraper - Scrape the Twitter frontend API without authentication with Golang.
cachet - Go(lang) client library for Cachet (open source status page system).
goamz
paypal - Golang client for PayPal REST API
google-play-scraper - Golang scraper to get data from Google Play Store