Posted On: Sep 4, 2019
Amazon EKS now allows you to assign IAM permissions to Kubernetes service accounts. This gives you fine-grained, pod level access control when running clusters with multiple co-located services.
Previously, when running a Kubernetes cluster on AWS, you could only associate IAM roles to an EC2 node in the cluster, and every pod that ran on the node inherited the same IAM role. This made it hard to run pods with different access control requirements on the same set of nodes.
Now, Amazon EKS allows you to assign a unique IAM role to a service account that can be used by individual pods running on your Kubernetes cluster. This gives you fine-grained control over the permission sets for each individual pod that you run. The IAM role can control access to other containerized services, AWS resources external to the cluster such as databases and secrets, or third party services and applications running outside of AWS. You can securely run multiple different services on the same set of nodes, making it easier to optimize costs and availability for the cluster.
Today, EKS supports assigning IAM roles to service accounts for new clusters running Kubernetes version 1.13 and above.