From YouTube: kubernetes sig-aws 20190906
Description
kubernetes sig-aws meeting 20190906
A: Hello, everybody. It is Friday, September 6th, 2019. This is the AWS bi-weekly meeting. I am your moderator, facilitator, Justin Santa Barbara; I work at Google. A reminder that this meeting is being recorded and will be put on the internet shortly, and so please be mindful of our code of conduct and be a good person. I have pasted a link in the chat to the agenda.
A: Nick, if you want to go first?

C: Yeah, mine's... it's a very quick update. I was just gonna say that yesterday merged, actually, I guess yesterday we merged the 0.1.2 release of the App Mesh controller, and it adds initial Cloud Map support. So you can basically... your pod endpoints can be registered with AWS Cloud Map, which is a type of service discovery, and App Mesh uses Cloud Map to basically tell the Envoys that it manages about those endpoints, so instead of using kube-dns or CoreDNS as your service discovery.
A: Awesome, thank you for the description, and yeah, that's really helpful and exciting, 0.1.2. Micah, over to you, you have the floor.
B: So I've got a config map I'm gonna mount into my pod, just as an example, but I'm mounting one thing just for a second part of the example, which is an AWS config file, but also this primary script is what's gonna get run in the pod. So the script is just installing the AWS CLI, echoing out a projected identity token and then calling get-caller-identity. So, to give just a little bit of background on what will be going on here.
B: OIDC metadata, and one of the key pieces is the signing keys for projected service account tokens. Kubernetes has two types of service account tokens. There's the legacy service account tokens, which you're probably familiar with; this is what gets automounted in every pod. It's for your pods to talk to the API server and authenticate that way. Those are static tokens, they don't expire; you can delete them and the service account token controller recreates them, but it's really difficult to migrate... rotate.
B: The signing key for those, you'd have to add a new signing key, delete all the existing tokens, which could be really disruptive, and then get all new tokens issued with it. It's a long process that nobody really ever goes through. The new type of service account tokens, the projected service account tokens, are temporary and they're actually valid OIDC JSON web tokens. They support a configurable audience, so legacy service account tokens can only talk to the Kubernetes API server.
B: AWS has had since, like, 2014 this concept of external identity providers, so you can have either a SAML or OIDC provider allow users to authenticate to AWS without having to create an IAM user with a password for every user, so you could make it Google, Okta, whatever, but in essence it's just OIDC, and Kubernetes supports doling out OIDC tokens. We can put these two things together, so in this example I have a Kubernetes cluster that I just created yesterday, and this is the token issuer endpoint.
B: Yes, there we go, and if we go to the keys endpoint, we can see, here it is, it's an RSA signing key. So this is just for STS, Amazon's Secure Token Service, or any other provider, or any consumer of these tokens, to see, when I get a token, is it properly signed? Embedded in the token is this URL to say: go look it up here and see if this is actually signed by the correct key.
B: So that's kind of by way of background, that's just to let you know kind of what's going on in the back. So Kubernetes is now issuing these tokens saying: look here for validating them. And the key configuration in Kubernetes is, you can add a new volume type called a projected volume token, and it mounts one of these tokens into the pod. Now there can be a lot of configuration to set that up.
B: So what we've done to make that a little bit easier is added a new webhook to our EKS clusters, and you can run this webhook in your own cluster. What it does is, when a service account is annotated with an AWS role ARN like this, and you've given a certain pod like this, every pod create will be evaluated to say: what's the service account on it? The webhook will look up the service account and look for an annotation.
B: If the annotation is present, it will add the following environment variables, AWS role ARN and web identity token file, so you can see those two here, and then also a volume mount, so creating this whole configuration of a projected volume. You don't have to use the webhook if you don't want to, and the annotation; you can add the environment variables and volumes to your pod. If you don't want to use the webhook at all, that's fine.
B: The webhook will short-circuit if you've already added them and you've annotated the pod, and so there won't be any adverse reaction going on, but that's basically what I'm going to demo. So the other point is, every AWS SDK at this point has been updated with support for these two new environment variables. So if the SDK detects that it sees role ARN and web identity token file, instead of going to the node-level instance metadata, it's going to call STS AssumeRoleWithWebIdentity.
B: It's an existing API call to get my credentials instead, yeah, instead of doing, you know, IAM environment variables, AWS config file, etc. So let's see how that works. So back to the demo, I've got a script I'm gonna run: install the AWS CLI, echo out or cat out the current token file, and get-caller-identity, and I'm gonna create a service account with this role ARN, and one other key piece.
B: There's two directions in the trust here. On the service account I have to say which role I want to assume, but also on the role itself I've edited the trust relationship to say: I trust this issuer. And I'm gonna actually lock that down even further to say that it needs to be for a specific service account, so I go back, actually, I've added this condition policy to my IAM trust document. Let's remove that guy, don't need this. I'll use subject; I don't need to scope it in the namespace.
B: And this, my service account, is what we called over there, AWS... say AWS IRSA demo, so we're saying that this role can only be assumed by this specific service account. If I didn't add the StringEquals, then any service account in the entire cluster could assume the role, if I wanted that, so I've tightened that down now. So if we go back to this, and then the last thing is we're creating a deployment, we just have one; it's gonna run the script on entry.
A: Do you want to not print the token?

B: Okay, it's a good point.
B: I'll get the logs out of it and we'll see the identity in there. Okay, it's still installing the CLI. Okay, access denied; that's probably the StringEquals. I just tested this without that; I probably put this condition in really quick. So let's remove the condition.
B: So this should be installing the CLI, and then there it is, okay. So what we have is the role that we wanted. So that's the S3 reader role, and then the AWS CLI is using botocore underneath and it generates an automatic session name. If I were to actually do this again, I go to my deployment YAML and I were to uncomment...
B: Okay! So now you can see it's using the node... well, it's using the instance metadata. The instance metadata is still on by default in the EKS AMI. It's up to you to sort of block IMDS, instance metadata access, from your pods, because during a migration period, if you're using the node role for everything, that's up to you to determine where that would come in. But that's kind of the demo. I can show one more thing.
B: ...RSA key that you... a second RSA key, you'll have to give the API server the private key and public key, as it uses the private key to create the tokens, these projected service account tokens. One of the key differences is they're not stored in etcd like legacy service account tokens, or you can get them as secrets. So not only are they short-lived and they automatically rotate, so the kubelet will remount a new token before it's expired in the pod, but they never hit the database. So they're ephemeral. All right.
B: The first is just how I created an OIDC provider in my account that the cluster is in with this URL. This URL I can use, and that's a per-cluster URL. I can easily create that same identity provider in my other account and have my pod, the annotation on that pod, directly assume a role in a second account. There's nothing specific in my cluster that's binding the pods necessarily to my account, or the service account provider. So that's one way.
B: But I already have a config file, an AWS config file, and it's got two roles in it. It's got... I'm sorry. The first role is the one that I want to assume with this web identity token. The second is another role. It happens to be in my account, but it could be in any other account, this second role. So, two things: the first role, I'll share this really quick, has two permissions: list buckets, and it has a second permission that it can assume this second role, sts:AssumeRole on the second role.
B: I'll go to that second role really quick, go back to roles; you can highlight and show how this works. So the second role has a trust relationship that says my account ID can assume it. It doesn't have any permissions by default; it's just a demo that the role can be assumed. So if I unset AWS role ARN...
A: A quick question: this is maybe between kube2iam and different migration paths. Is this compatible, where it can run at the same time as kube2iam, if we were to be switching from kube2iam over to this method, or would they interfere with each other?

B: I haven't tested it, I'm not sure. I think kube2iam... if kube2iam impersonates, like, the instance metadata, then this should work fine. Actually, this should just... for most SDKs the web identity, AssumeRoleWithWebIdentity flow is before the instance metadata. What you saw here, like, the instance metadata was still enabled, and if the token file in my environment wasn't present, it fell back to instance metadata. So this should just take precedence over that and it should be a fairly easy migration.
B: I think at this point we're kind of just, like, excited to see people using it and see what new needs people have. I think this will solve, like, a lot of use cases. I think as those needs develop, like, I love issues on the GitHub repo and contributions as well. Like, I want this to work really well on, like, all cloud providers, so that if you're running this anywhere you can use this webhook to get a token and talk to AWS.
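Added example (not code from the meeting, the demo, or the webhook project): a Python model of the role trust-policy check walked through in the demo, showing that the StringEquals condition on the token's sub claim is what narrows the role to one service account, and that removing it lets any service account in the cluster assume the role. The issuer URL, account ID, namespace, the aws-irsa-demo name and the sts.amazonaws.com audience are constructed placeholders or assumptions, not values from the meeting.

```python
import time

# Constructed placeholders: a real cluster has its own per-cluster issuer URL and account ID.
ISSUER = "oidc.eks.example.invalid/id/PLACEHOLDER"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"
# Trust policy as described in the demo: trust the cluster's OIDC provider, then lock it
# down with StringEquals on the token's sub claim. Namespace and aud value are assumptions.
LOCKED_DOWN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:sub": "system:serviceaccount:default:aws-irsa-demo",
            f"{ISSUER}:aud": "sts.amazonaws.com",
        }},
    }],
}

def without_condition(policy):
    """The looser variant from the demo: the same policy with its Condition block removed."""
    stmt = {k: v for k, v in policy["Statement"][0].items() if k != "Condition"}
    return {"Version": policy["Version"], "Statement": [stmt]}

def demo_claims(service_account, namespace="default", exp=None):
    """Constructed claims shaped like a projected service account token (no real signature)."""
    return {
        "iss": f"https://{ISSUER}",
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": "sts.amazonaws.com",
        "exp": int(time.time()) + 3600 if exp is None else exp,
    }

def can_assume(policy, claims, now=None):
    """Model STS's trust-policy evaluation for AssumeRoleWithWebIdentity on decoded claims.
    Signature checking against the issuer's JWKS is assumed done; returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    reason = "no statement trusts this issuer"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != PROVIDER_ARN or claims.get("iss") != f"https://{ISSUER}":
            continue
        # Condition keys look like "<issuer>:<claim>"; every StringEquals entry must match.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key.rsplit(":", 1)[1]) == value for key, value in equals.items()):
            return True, "allowed: issuer trusted and every StringEquals condition matched"
        reason = "denied: a StringEquals condition did not match (wrong service account?)"
    return False, reason
```

The "access denied" seen in the demo corresponds to the second case below: a sub value that does not match the condition.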