将角色传递给运行在 kube.netes 上的 docker 容器
[英]Pass Role to docker container running on kubernetes
问题描述
I am running a self hosted kube.netes cluster on AWS.
我在 AWS 上运行一个自托管的 kube.netes 集群。 I want to pass AWS IAM roles to containers.我想将 AWS IAM 角色传递给容器。
Right now what we do is, a role is given to all the worker nodes and the containers running on the machines would get the credentials from the machine itself.现在我们所做的是,为所有工作节点分配一个角色,并且在机器上运行的容器将从机器本身获取凭据。
This creates an issue.这就产生了一个问题。 I have to allow a superset of all the permissions required by all the containiers that are running in the cluster.我必须允许集群中运行的所有容器所需的所有权限的超集。 so if there is one container that requires a permission to a S3 bucket and an other container that requires permissions to SQS then I need to give both the permissions to the cluster.因此,如果有一个容器需要 S3 存储桶的权限,而另一个容器需要 SQS 的权限,那么我需要同时授予集群权限。 This in turn gives all the permissions to all the containers running in the cluster, which is not desirable.这反过来又将所有权限授予集群中运行的所有容器,这是不可取的。
So my question is that is there a way to pass different roles to individual containers.所以我的问题是有没有办法将不同的角色传递给各个容器。
I know we can use Access keys and Secret keys to do this.我知道我们可以使用访问密钥和秘密密钥来做到这一点。 I am looking for a way to do this without using them.我正在寻找一种无需使用它们即可执行此操作的方法。
1 个解决方案
解决方案1
2 已采纳 2020-04-23 11:09:37
If you run your containers in EKS you can pass IAM roles to Pods binding them to k8s Service Accounts, see here如果您在 EKS 中运行您的容器,您可以将 IAM 角色传递给 Pod,将它们绑定到 k8s 服务帐户,请参见此处
For self-managed clusters there are 3rd-party open-source projects solving the same issue kiam and kube-aws-iam-controller对于自我管理的集群,有解决相同问题的第 3 方开源项目kiam和kube-aws-iam-controller
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.