As we continue to enhance the Kubernetes environments managed by Convox v3 Racks, we are thrilled to introduce support for AWS EKS Pod Identities. This feature improves the security and compliance posture of your AWS Kubernetes deployments by bringing fine-grained IAM role management down to the Pod level.
AWS EKS Pod Identities provide a more secure and streamlined way to manage IAM roles within your Kubernetes clusters. An AWS IAM role is associated with a Kubernetes service account, and Pods running under that service account receive temporary credentials for the role automatically, so there are no long-lived AWS access keys to distribute, rotate, or leak. This both tightens security and simplifies how access to AWS resources is granted and reviewed.
Configuring your Kubernetes deployments to use AWS EKS Pod Identities involves a few straightforward steps:
First, activate the EKS pod identity agent with this command:
```shell
convox rack params set pod_identity_agent_enable=true -r rackName
```
This enables the EKS Pod Identity Agent on the rack's cluster, the component that serves IAM role credentials to your Pods.
In your convox.yml, specify the AWS IAM policies each service needs under its accessControl section. Here's an example of how to configure this:
```yaml
services:
  web:
    build: .
    port: 3000
    accessControl:
      awsPodIdentity:
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
          - "arn:aws:iam::123456789012:policy/MyCustomPolicy"
```
Deploy your application with the updated configuration using:
```shell
convox deploy -a appName -r rackName
```
Ensure your rack is updated to at least version 3.18.1 to use this feature. For detailed update instructions, refer to the Convox documentation on Updating a Rack.
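Because every ARN listed under policyArns becomes a permission that the Pod can exercise, it is worth linting that list before running convox deploy. The following is an added example, not code from Convox or from this post: a small pre-deploy check that pulls the policyArns entries out of a convox.yml, verifies each one is an IAM policy ARN (not, say, a role ARN), flags AWS managed policies that grant broad access, and flags policies that live in a different account from the rack. The sample convox.yml text is constructed for the example, the account id 123456789012 is assumed to be the rack's own account, the list of "broad" managed policies is a judgement call you should tune, and the extractor only handles the list-of-quoted-strings form shown above.

```python
import re

# Constructed sample: the convox.yml from this post, plus three entries a
# reviewer would want flagged (assumption: 123456789012 is the rack's account).
SAMPLE_CONVOX_YML = """
services:
  web:
    build: .
    port: 3000
    accessControl:
      awsPodIdentity:
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
          - "arn:aws:iam::123456789012:policy/MyCustomPolicy"
          - "arn:aws:iam::aws:policy/AdministratorAccess"
          - "arn:aws:iam::999999999999:policy/OtherTeamPolicy"
          - "arn:aws:iam::123456789012:role/NotAPolicy"
"""

RACK_ACCOUNT = "123456789012"  # assumption for the example

# AWS managed policies that grant effectively unrestricted access to a service.
# A web Pod that "needs" one of these almost always needs a narrower custom
# policy instead. Extend this set to match your own review standards.
BROAD_MANAGED_POLICIES = {
    "AdministratorAccess",
    "PowerUserAccess",
    "IAMFullAccess",
    "AmazonS3FullAccess",
    "AmazonEC2FullAccess",
}

# IAM policy ARN: arn:<partition>:iam::<12-digit account | aws>:policy/<path/name>
POLICY_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::(aws|\d{12}):policy/(.+)$")

# Simplified extractor: every '- "arn:..."' list item that follows a
# 'policyArns:' line. Good enough for the form shown in this post; a real
# tool would parse the YAML properly.
LIST_ITEM_RE = re.compile(r'^\s*-\s*"?(arn:[^"\s]+)"?\s*$')


def extract_policy_arns(convox_yml_text):
    """Return the policyArns entries found in the convox.yml text, in order."""
    arns, in_list = [], False
    for line in convox_yml_text.splitlines():
        if line.strip() == "policyArns:":
            in_list = True
            continue
        m = LIST_ITEM_RE.match(line) if in_list else None
        if m:
            arns.append(m.group(1))
        elif in_list and line.strip():
            in_list = False  # first non-item line ends the list
    return arns


def check_policy_arn(arn, rack_account=RACK_ACCOUNT):
    """Return a list of findings for one policyArns entry; empty means OK."""
    m = POLICY_ARN_RE.match(arn)
    if not m:
        return [f"{arn}: not an IAM policy ARN (expected arn:aws:iam::<account|aws>:policy/<name>)"]
    account, name = m.group(1), m.group(2)
    findings = []
    if account == "aws" and name.split("/")[-1] in BROAD_MANAGED_POLICIES:
        findings.append(f"{arn}: AWS managed policy {name} grants broad access; scope it down")
    if account != "aws" and account != rack_account:
        findings.append(f"{arn}: policy is in account {account}, not the rack account {rack_account}")
    return findings


def lint_policy_arns(arns, rack_account=RACK_ACCOUNT):
    """Lint every entry; returns {arn: [findings]} for the entries with problems."""
    return {arn: f for arn in arns if (f := check_policy_arn(arn, rack_account))}


if __name__ == "__main__":
    for arn, findings in lint_policy_arns(extract_policy_arns(SAMPLE_CONVOX_YML)).items():
        for finding in findings:
            print(finding)
```

Run this in CI against the convox.yml before the deploy step and fail the build when the report is non-empty. The three policies from the original example pass; the added AdministratorAccess, cross-account, and role-ARN entries are each reported.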
The integration of AWS EKS Pod Identities into Convox's Kubernetes platform is a testament to our commitment to providing advanced and secure container orchestration solutions. By leveraging this feature, developers can achieve a higher level of security and efficiency, ensuring that their Kubernetes environments are both robust and compliant with the latest security standards.