Securing Kubernetes Workloads in Amazon EKS (CON335)

Title

AWS re:Invent 2023 - Securing Kubernetes workloads in Amazon EKS (CON335)

Summary

  • Securing Access into the Cluster: The talk opened with the analogy of guarding a city's gate to frame authentication and authorization into a Kubernetes cluster. The presenters traced the evolution of Amazon EKS access management from the original model, in which IAM identities were mapped to Kubernetes RBAC through a ConfigMap inside the cluster, and the problems customers hit with it. They previewed an upcoming feature, cluster access management, that moves this mapping into AWS-native APIs, simplifies granting access, and keeps granular control over what each principal may do.

  • Securing Access from the Cluster: The session then turned to workloads inside the cluster reaching AWS resources. The presenters covered IAM roles for service accounts (IRSA), which grants individual pods granular IAM permissions through a role trust relationship with the cluster's OIDC provider. They acknowledged customer feedback on the user-experience friction of IRSA and announced EKS Pod Identity, which simplifies the trust relationship (one trust policy to the EKS service principal instead of one per cluster OIDC provider), is backward compatible with IRSA, and supports ABAC at scale through session tags.

  • Securing Access within the Cluster: The final part covered pod-to-pod traffic inside the cluster. The presenters introduced Kubernetes network policies and announced native network policy enforcement in the Amazon VPC CNI, implemented with eBPF for performance and working alongside EC2 security groups for pods.

  • Recent Security-Related Announcements: The presenters closed with recent security-related announcements: NLB support for EC2 security groups, AWS PrivateLink support for the EKS management APIs, Amazon Detective and GuardDuty enhancements for EKS, and container image signing and verification.
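
The two trust models behind the IRSA and EKS Pod Identity items above, written out as the IAM documents they produce, together with a small audit of an IRSA trust policy and the ABAC-style permissions policy that Pod Identity's session tags make possible. This is an added example, not code from the talk or from AWS; the account ID, OIDC issuer, bucket, namespace and service-account names are constructed placeholders.

```python
"""IAM trust policies behind IRSA and EKS Pod Identity, side by side.

Added example, not code from the CON335 talk or from AWS. The account ID, OIDC
issuer host, bucket, namespace and service-account names are constructed
placeholders; the document shapes (principals, actions, condition keys) are the
ones IAM expects for each mechanism.
"""
import json

ACCOUNT_ID = "111122223333"                                                            # constructed
OIDC_ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed shape


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """IRSA: the role trusts the cluster's OIDC provider, so each role is tied to
    one cluster, and the `sub` condition is the only thing scoping it to one
    service account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def pod_identity_trust_policy():
    """EKS Pod Identity: a single trust policy naming the EKS service principal
    and nothing cluster-specific. Which cluster/namespace/service account may
    use the role is an EKS association rather than a trust-policy condition,
    and EKS tags the session (hence sts:TagSession) so permissions can use ABAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "pods.eks.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def abac_bucket_policy(bucket):
    """Permissions policy reusable across many Pod Identity associations: the
    namespace comes from the session tag EKS attaches, so one role serves many
    namespaces while each pod is confined to its own prefix. Bucket is constructed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/${{aws:PrincipalTag/kubernetes-namespace}}/*",
        }],
    }


def irsa_trust_findings(policy):
    """Audit an IRSA trust policy for conditions that widen who can assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue
        cond = stmt.get("Condition", {})
        keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        subs = {k: v for k, v in keys.items() if k.endswith(":sub")}
        auds = {k: v for k, v in keys.items() if k.endswith(":aud")}
        if not subs:
            findings.append("no :sub condition: every service account in the cluster can assume the role")
        for value in subs.values():
            for v in (value if isinstance(value, list) else [value]):
                if "*" in v:
                    findings.append(f"wildcard subject {v}: more than one service account matches")
        if not auds:
            findings.append("no :aud condition: tokens issued for other audiences are accepted")
    return findings


# Constructed "loose" variant: aud still checked, sub widened to a whole namespace.
LOOSE_IRSA = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "payments", "ledger-api")
LOOSE_IRSA["Statement"][0]["Condition"] = {
    "StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_ISSUER}:sub": "system:serviceaccount:payments:*"},
}

if __name__ == "__main__":
    print(json.dumps(irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "payments", "ledger-api"), indent=2))
    print(json.dumps(pod_identity_trust_policy(), indent=2))
    print(json.dumps(abac_bucket_policy("ledger-data"), indent=2))
    print("loose IRSA findings:", irsa_trust_findings(LOOSE_IRSA))
```

The contrast to notice when running it: the IRSA document embeds the cluster's OIDC issuer and the exact service-account subject, so it has to be recreated per cluster and audited for wildcard or missing `sub` conditions, whereas the Pod Identity document is cluster-independent and the scoping moves into the EKS association and the session tags the permissions policy can reference.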

Insights

  • Access Management Feature: The upcoming cluster access management feature for EKS streamlines granting access to a cluster. It answers customer feedback by removing the need to drive both AWS and Kubernetes APIs during cluster bootstrapping and by reducing the risk of locking oneself out of a cluster through a misconfigured mapping.

  • EKS Pod Identity vs. IRSA: EKS Pod Identity is positioned as an alternative to IRSA with tighter IAM integration and a simpler path to granting IAM permissions to pods. The presenters highlighted it for customers in regulated industries and for dynamic environments that need quick, automated setup of pod permissions.

  • Network Policy Support in VPC CNI: Native network policy support in the VPC CNI is a significant improvement for EKS users: it removes the need to run a third-party CNI or plugin solely to enforce network policies, and it uses eBPF for performance. As with any network policy implementation, enforcement applies only to pods selected by a policy; unselected pods keep Kubernetes' default allow-all behaviour, so a namespace-wide default-deny policy is still the starting point.

  • Security Enhancements: The recent announcements cover several layers of an EKS deployment: the network edge (security groups on NLB), the control-plane API path (PrivateLink), detection (Detective and GuardDuty for EKS), and the software supply chain (container image signing and verification).

  • Customer Feedback and AWS Response: Throughout the talk, the presenters emphasized how AWS values customer feedback and continuously evolves its services to meet customer needs. The introduction of new features and enhancements is a direct response to the challenges and requirements expressed by AWS customers.
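
The network policy semantics behind the VPC CNI announcement (covered in both the Summary and Insights above), modelled in plain Python so the default-allow and default-deny cases can be exercised without a cluster. This is an added example, not code from the talk or from the VPC CNI project; the namespaces, labels and ports are constructed, and protocols are omitted (ports are matched by number only).

```python
"""Kubernetes NetworkPolicy ingress semantics, as any CNI with policy support
(such as Amazon VPC CNI's native enforcement) must apply them.

Added example, not code from the CON335 talk or from the VPC CNI project.
Namespaces, labels and ports are constructed; protocols are omitted.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Peer:
    """One entry of an ingress rule's `from:` list (matchLabels only)."""
    pod_selector: Optional[dict] = None        # {} means every pod
    namespace_selector: Optional[dict] = None  # matched against namespace labels


@dataclass(frozen=True)
class IngressRule:
    peers: tuple = ()   # no `from:` means every source
    ports: tuple = ()   # no `ports:` means every port


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict          # {} selects every pod in the namespace
    ingress: tuple = ()         # empty with "Ingress" in policy_types == default deny
    policy_types: tuple = ("Ingress",)


# Constructed namespace labels, as `kubectl get ns --show-labels` would report them.
NAMESPACE_LABELS = {
    "payments": {"team": "payments"},
    "edge": {"team": "edge"},
    "sandbox": {"team": "dev"},
}


def selects(selector: Optional[dict], labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present in labels."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: Peer, policy: NetworkPolicy, src: Pod) -> bool:
    if peer.namespace_selector is None:
        # A podSelector on its own only reaches pods in the policy's own namespace.
        return src.namespace == policy.namespace and selects(peer.pod_selector, src.labels)
    ns_ok = selects(peer.namespace_selector, NAMESPACE_LABELS.get(src.namespace, {}))
    if peer.pod_selector is None:
        return ns_ok            # namespaceSelector alone: every pod in matching namespaces
    return ns_ok and selects(peer.pod_selector, src.labels)


def ingress_allowed(policies, src: Pod, dst: Pod, port: int) -> bool:
    """True if src -> dst:port is permitted by the ingress policies in dst's namespace."""
    applicable = [p for p in policies
                  if p.namespace == dst.namespace
                  and "Ingress" in p.policy_types
                  and selects(p.pod_selector, dst.labels)]
    if not applicable:
        return True         # nothing selects the pod: Kubernetes default is allow-all
    # Policies are additive: one matching rule in any selecting policy is enough.
    for policy in applicable:
        for rule in policy.ingress:
            peer_ok = not rule.peers or any(peer_matches(pe, policy, src) for pe in rule.peers)
            port_ok = not rule.ports or port in rule.ports
            if peer_ok and port_ok:
                return True
    return False


# Constructed policies for the "payments" namespace:
#   1. default-deny-ingress: podSelector {} and no rules, so every pod is isolated
#   2. allow-gateway-to-ledger: only gateway pods from the edge namespace, only port 8080
POLICIES = (
    NetworkPolicy("default-deny-ingress", "payments", pod_selector={}),
    NetworkPolicy("allow-gateway-to-ledger", "payments", pod_selector={"app": "ledger-api"},
                  ingress=(IngressRule(
                      peers=(Peer(pod_selector={"app": "gateway"}, namespace_selector={"team": "edge"}),),
                      ports=(8080,)),)),
)

GATEWAY = Pod("gateway-0", "edge", {"app": "gateway"})
LEDGER = Pod("ledger-api-0", "payments", {"app": "ledger-api"})
BATCH = Pod("batch-0", "payments", {"app": "batch"})
SCRATCH = Pod("scratch-0", "sandbox", {"app": "scratch"})
IMPOSTOR = Pod("gateway-fake", "sandbox", {"app": "gateway"})   # right labels, wrong namespace

if __name__ == "__main__":
    for src, dst, port in [(GATEWAY, LEDGER, 8080), (GATEWAY, LEDGER, 9090), (IMPOSTOR, LEDGER, 8080),
                           (BATCH, LEDGER, 8080), (SCRATCH, BATCH, 22), (BATCH, SCRATCH, 22)]:
        verdict = "ALLOW" if ingress_allowed(POLICIES, src, dst, port) else "DENY"
        print(f"{verdict:5} {src.namespace}/{src.name} -> {dst.namespace}/{dst.name}:{port}")
```

The last pair in the run is the one that bites in practice: the sandbox namespace has no policy at all, so the batch pod in payments can reach it freely even though payments itself is locked down. A pod carrying the right labels but living in the wrong namespace (IMPOSTOR) is still denied, because the rule combines the namespaceSelector with the podSelector rather than trusting labels alone.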