feat(eks): improve security using IRSA conditions #8084
Conversation
|
@eladb I've chosen to put the custom resource in the |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Rarely there is a need to use a CloudFormation intrinsic in a JSON hash key. This is impossible since intrinsics are not strings. To circumvent that, CfnJson can be used to "delay" the rendition of the object using a simple custom resource which simply parses and reflects the input value as an attribute. Required in order to implement EKS IRSA (#8084) and other federated identity use cases.
|
Yep, this looks lot better. Probably the lack of knowledge on how the tokenisation works within CDK. I'll dive a bit deep to understand it. Meanwhile I'll do my adjustments when this lands on the |
Rarely there is a need to use a CloudFormation intrinsic in a JSON hash key. This is impossible since intrinsics are not strings. To circumvent that, CfnJson can be used to "delay" the rendition of the object using a simple custom resource which simply parses and reflects the input value as an attribute. Required in order to implement EKS IRSA (#8084) and other federated identity use cases. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
vlesierse
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
eladb
changed the title
| @@ -198,7 +198,7 @@ export class ClusterResourceHandler extends ResourceHandler { | |||
| Endpoint: cluster.endpoint, | |||
| Arn: cluster.arn, | |||
| CertificateAuthorityData: cluster.certificateAuthority?.data, | |||
| OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer, | |||
| OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer?.substring(8), // Strips off https:// from the issuer url | |||
There was a problem hiding this comment.
This is technically a breaking change. Perhaps the correct approach is to add another attribute OpenIdConnectIssuer which will return the value without the https:// prefix.
There was a problem hiding this comment.
Ah yeah. Good one. I'll make the change.
There was a problem hiding this comment.
Should I create the additional property on the Cluster construct as well?
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Rarely there is a need to use a CloudFormation intrinsic in a JSON hash key. This is impossible since intrinsics are not strings. To circumvent that, CfnJson can be used to "delay" the rendition of the object using a simple custom resource which simply parses and reflects the input value as an attribute. Required in order to implement EKS IRSA (aws#8084) and other federated identity use cases. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
| @@ -708,7 +723,7 @@ export class Cluster extends Resource implements ICluster { | |||
| * @param id the id of this service account | |||
| * @param options service account options | |||
| */ | |||
| public addServiceAccount(id: string, options: ServiceAccountOptions) { | |||
| public addServiceAccount(id: string, options: ServiceAccountOptions = { }) { | |||
There was a problem hiding this comment.
the options is still mandatory here and user will still need to run addServiceAccont(id, {}) if no options.
Maybe this?
public addServiceAccount(id: string, options?: ServiceAccountOptions = { }) { There was a problem hiding this comment.
The default value turns it into optional. The “?” Is not needed
Currently the
ServiceAccountconstruct creates a role with no conditions to the trust relationship or assume role policy. Without this it is possible for other pods in the same namespace to assume the role. To tighten this security the conditions needs to be set.Documentation: https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html#create-service-account-iam-role
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license