k8s Authentication

with IAM
#

OIDC built in at the eks cluster

hugotse can use aws sts assume-role to assume S3Admin
kevintse can use aws sts assume-role-with-web-identity with web-identity to assume S3Admin

EKS has some webhooks, it will monitor our changes on cluster

You can create a custom admission webhooks, deny / modify specfic requests of api servers

When the admission webhook detects a service account associated to a pod and that account annotate with iam arn, it will

admission webhook -> send OICD token to AWS IAM
AWS IAM -> verify the OICD token and return web identity token to the webhook
admission webhook save the web identity token and mount it as a volume in the pod
Application -> use the web identity token with aws sts assume-role-with-web-identity to access AWS Service

with Service Account Token Volume Projection, any pod attached with a service account will automatically mount with a OICD token

if you are an iam user, use access key
if you are in aws services (like ec2 instance), attach iam role
or with oidc, use web identity token
- oidc user get web identity token from aws iam with oidc token
- oidc user use the token to assume role

oidc user kevintse have right to use assume-role-with-web-identity
a role has a trusted relationship with oicd user kevintse to assume role with web identity