kiam
Integrate AWS IAM with Kubernetes (by uswitch)
amazon-eks-pod-identity-webhook
Amazon EKS Pod Identity Webhook (by aws)
Metric | kiam | amazon-eks-pod-identity-webhook
---|---|---
Mentions | 5 | 8
Stars | 1,144 | 581
Growth | - | 1.4%
Activity | 3.9 | 6.8
Last commit | about 2 months ago | 6 days ago
Language | Go | Go
License | Apache License 2.0 | Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kiam
Posts with mentions or reviews of kiam.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-07-04.
-
AWS Access Keys - A Reference
IMDS for the underlying nodes, if EKS on EC2 is deployed and kiam or similar isn't deployed
-
Application using multiple aws users
Take a look at this GitHub project: https://github.com/uswitch/kiam
- 5 Reasons to Learn EKS by Practicing
-
5 Reasons why to learn EKS practicing
There are multiple solutions for this like Kube2IAM, KIAM, and IAM Roles for Service Accounts which, if we are in AWS and EKS (running in EC2 instances), this one is my go-to 😎.
-
[AWS-EFS][IAM] AWS EFS CSI instructions say to use a service account w/ IAM role association, but is it possible with KIAM instead?
How Kiam provides a pod with the AWS role credentials is by intercepting API calls to the metadata service (technical details here & here).
amazon-eks-pod-identity-webhook
Posts with mentions or reviews of amazon-eks-pod-identity-webhook.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-05-04.
-
Grant Kubernetes Pods Access to AWS Services Using OpenID Connect
It's not specific to EKS, you can find the underlying webhook that injects the "identity" here: https://github.com/aws/amazon-eks-pod-identity-webhook
You have to jump through many of the same hoops you describe, having a public `.well-known` endpoint for example. I have achieved this in the past by putting the OIDC discovery information in an S3 bucket.
-
k3s on AWS, does it make sense?
You can install the pod identity webhook and AWS cloud provider, csi provider etc on a bare kube cluster and get pretty close to the EKS experience. Not something I’d do for prod, but interesting as a learning exercise.
-
IAM roles for pods in external k8s cluster
Yes you absolutely can. https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md
-
Unable to read token file, permission denied
Is your pod running as an unprivileged user? Sounds like https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8 to me.
-
Zero-configuration IRSA on kOps
On EKS, the pod identity webhook is commonly used as the mechanism for adding the necessary parts of the Pod spec. This webhook looks for ServiceAccounts with a specific set of annotations telling it what ARN it can assume and various other settings. When a Pod is created that uses one of these ServiceAccounts, the webhook mutates the Pod using information found in the ServiceAccount annotations.
-
Using IAM Roles for ServiceAccounts on kOps
If you prefer, you could create ServiceAccounts with these details and use the EKS identity webhook, but I don't see kOps supporting that webhook as a native addon.
-
[AWS-EFS][IAM] AWS EFS CSI instructions say to use a service account w/ IAM role association, but is it possible with KIAM instead?
The Amazon EKS Pod Identity Webhook on the cluster watches for pods that are associated with service accounts with this special annotation & injects Web Identity Token credentials into the pod as environment variables (technical details here).
-
Understanding AWS K8s architecture using EC2
I don’t know how kOps manages IAM creds for pods these days, but you can use this (my recommendation) https://github.com/aws/amazon-eks-pod-identity-webhook, or something like KIAM or kube2iam
What are some alternatives?
When comparing kiam and amazon-eks-pod-identity-webhook you can also consider the following projects:
kube2iam - kube2iam provides different AWS IAM roles for pods running on Kubernetes
external-dns - Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
aws-efs-csi-driver - CSI Driver for Amazon EFS https://aws.amazon.com/efs/
amazon-eks-ami - Packer configuration for building a custom EKS AMI
kube-secrets-init - Kubernetes mutating webhook for `secrets-init` injection
aws-sdk-go - AWS SDK for the Go programming language.
client-go - Go client for Kubernetes.