aws-iam-authenticator
devspace-plugin-loft
| | aws-iam-authenticator | devspace-plugin-loft |
|---|---|---|
| Mentions | 9 | 57 |
| Stars | 2,144 | 19 |
| Growth | 0.8% | - |
| Activity | 8.2 | 7.1 |
| Last commit | 7 days ago | 10 days ago |
| Language | Go | |
| License | Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
aws-iam-authenticator
-
A Step-by-Step Guide to Easily Deploying EKS Infrastructure and Applications Using Terraform
```
curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64
chmod +x ./aws-iam-authenticator
mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
```
-
Ask r/kubernetes: What are you working on this week?
I will be setting up vcluster to work with aws-iam-authenticator. This should work just by following the readme, so I'll be spending extra time automating the setup.
-
Using client-go to `kubectl apply` against the Kubernetes API directly with multiple types in a single YAML file
Edit: Because I need to do this for more than one cluster and am creating clusters programmatically (AWS EKS API + CloudFormation/eksctl), I would like to minimize the overhead of creating ServiceAccounts across many cluster contexts, across many AWS accounts. Ideally, the only authentication step involved in creating my clientset is using aws-iam-authenticator to get a token using cluster data (name, region, CA cert, etc). There hasn't been a release of aws-iam-authenticator for a while, but the contents of master allow for the use of a third-party cross-account role and external ID to be passed. IMO, this is cleaner than using a ServiceAccount (and IRSA) because there are other AWS services the application (the backend API which creates and applies add-ons to these clusters) needs to interact with.
-
Five Dex Alternatives for Kubernetes Authentication
Access to Kubernetes clusters in Amazon EKS is controlled by the AWS IAM Authenticator for Kubernetes. The authenticator runs on the EKS control plane and depends on the aws-auth ConfigMap for configuration settings. Every time you use kubectl to perform actions on the EKS cluster, the AWS IAM Authenticator generates an STS token (AWS Security Token Service). Kubernetes uses the IAM authenticator service to verify the identity of users specified in this security token.
-
Launch HN: Infra (YC W21) – Open-source access management for Kubernetes
As someone who is a big fan of Teleport, sorry, I just don't get it.
> Teleport doesn't provide identity provider integrations beyond GitHub (e.g. Okta) in their open source project
Right, and if you're a small team (5-10 people, like you're targeting) you don't really need SSO on the infra layer. It's a nice to have, it's best practice, but the truth is, by the time you really need it (enough engineers that account management is a pain), you typically have the budget for an Enterprise license.
> They have a different architecture that involves deploying a centralized proxy service (whereas Infra verifies credentials at the destination infrastructure vs at a central proxy).
So anyway you need to deploy something central to issue certificates. And anyway, if, to quote you, "We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually.", isn't that the central proxy service? Yet the open-source version avoids it somehow?
> We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually
So you want to sell to teams that a) are too small to afford the license for a product like Teleport Enterprise, b) have enough money that they can afford a premium product above and beyond the free offering provided by their Kubernetes vendor, like https://github.com/kubernetes-sigs/aws-iam-authenticator (for EKS), c) are willing to install and maintain another agent on their cluster (infra), but aren't willing to install and maintain the central proxy point?
> we've designed Infra around an extensible REST API from the start whereas Teleport uses GRPC.
This isn't really important from a product perspective. For what it's worth, Teleport started with a REST API; they moved to gRPC because, if I recall correctly, gRPC helped them scale to support larger infrastructure better.
If you're launching a competing product to Teleport, which is now by far the most mature product in the space, then currently, at least from where I'm sitting, you aren't offering sufficient added value compared to the incumbent offerings, which also include CloudFlare Access, Checkpoint Harmony Connect SASE, Hashicorp Boundary (their offerings aren't quite Kubernetes native, but it's the same idea)...
-
Kubernetes Multi-Cluster Part 3: Authentication and Access Control
If you’re looking for a cloud provider that caters to identity and access management, then tools like aws-iam-authenticator (AWS) and Anthos Identity Service (Google) are good places to start.
-
Kubernetes Cluster Authentication using AWS IAM
AWS IAM Authenticator.
-
EKS, IAM groups, "cluster owner" and system:masters
-
EKS Auth Deep Dive
aws-auth configmap is based on aws-iam-authenticator and has several configuration options:
devspace-plugin-loft
-
Sources to enable EKS multitenant cluster
-
Is Kubernetes suitable for large, multi-tenant application management?
I'm biased but I do think what you're describing is a good use case for Kubernetes. I work for Loft Labs, we're the company that created vcluster. We do have a commercial product called Loft that lets you manage vclusters and offer them self-service to developers. If you want to get more info on that, the web site is loft.sh.
-
Questions for Heroku-like Project
There are some products available, for example Loft, who open-sourced vcluster.
-
How do you maintain development environments?
We run on EKS and use https://loft.sh/ to deploy development environments. The engineer runs the single service locally that they want to modify. Any other services or databases that service connects to run remotely in our Development EKS cluster using Loft and port forwards to the engineer's local environment.
-
Multi cluster vs namespaces
Lastly, one day my employer will let me run Loft so that I can provide on-demand ephemeral k8s clusters to my dev + test teams.
-
Dedicated backend resources per client
Have a look at https://github.com/loft-sh/kiosk and maybe the paid version https://loft.sh/
-
Create new pods/containers for each new user that signs up?
How many friends? I would recommend evaluating Loft which is free for up to 3 users.
-
For devex folks specifically: how do you think about balancing dev empowerment with environment stability?
Automate the setup of new k8s environments; ideally they should be ephemeral, disposed of regularly and rebuilt by the devs themselves, on demand. This will also keep costs in check: devs don't work 24/7, so why should their cloud infrastructure? A tool worth checking would be Loft.
-
RBAC MANAGEMENT
Loft solves this + much more. There are cost-saving features too, so it might actually pay for itself. Don't hesitate to book a demo.
-
7 Kubernetes Cost Optimization Tools To Observe and Save on Costs
Loft.sh provides self-serve Kubernetes solutions for cost optimization, CI/CD, policy enforcement, user management, collaboration, and more. It helps save on Kubernetes costs by using quotas and space constraints, which helps when sharing your clusters among multiple users and teams. Auto-delete for idle namespaces and sleep mode for idle workloads also save costs.
What are some alternatives?
aws-vault - A vault for securely storing and accessing AWS credentials in development environments
skaffold - Easy and Repeatable Kubernetes Development
dex - OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
minikube - Run Kubernetes locally
iam-policy-json-to-terraform - Small tool to convert an IAM Policy in JSON format into a Terraform aws_iam_policy_document
vcluster - vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
aws-ebs-csi-driver - CSI driver for Amazon EBS https://aws.amazon.com/ebs/
k3s - Lightweight Kubernetes
aws-efs-csi-driver - CSI Driver for Amazon EFS https://aws.amazon.com/efs/
kubernetes - Production-Grade Container Scheduling and Management
audit2rbac - Autogenerate RBAC policies based on Kubernetes audit logs
jspolicy - jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript