| Old Method: aws-auth ConfigMap | New Method: EKS API |
|---|---|
Manual Updates: Required manual editing of the aws-auth ConfigMap to manage access. |
Automated Management: Access entries can be managed programmatically through the EKS API. |
| Scalability Issues: Difficult to manage access for a large number of users and roles. | Scalable: Easier to manage access for a large number of users and roles. |
| Risk of Misconfiguration: Errors in the ConfigMap could break access control. | Reduced Risk: Less prone to errors compared to manual ConfigMap updates. |
| Cluster Owner Issues: The default cluster creator had full admin rights, and deleting this user could result in losing access to the cluster. | Flexible Ownership: Allows changing the cluster owner and adding IAM principals by other users. |
Saifeddine Rajhi seifrajhi
🐳
seifrajhi
/ aws-configmap-vs-access-entries.md
Created
October 12, 2024 09:18
Comparison between the old ConfigMap method and the new EKS API
seifrajhi
/ cluster.yaml
Created
September 28, 2024 17:50
Yaml template to create the cluster and node groups using eksctl utility
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: eksctl.io/v1alpha5 | |
| kind: ClusterConfig | |
| metadata: | |
| name: tidb-eks-demo | |
| region: eu-west-1 | |
| addons: | |
| - name: aws-ebs-csi-driver | |
| nodeGroups: | |
| - name: admin |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: k8ssandra.io/v1alpha1 | |
| kind: K8ssandraCluster | |
| metadata: | |
| finalizers: | |
| - k8ssandracluster.k8ssandra.io/finalizer | |
| name: k8scassandra-cs-001 | |
| namespace: demo | |
| spec: | |
| auth: true | |
| cassandra: |
| Feature | EKS Pod Identity | IRSA |
|---|---|---|
| Role Extensibility | No need to update the role's trust policy for each new cluster. | Need to update role's trust policy with new EKS cluster OIDC provider endpoint. |
| Cluster Scalability | No need to setup IAM OIDC provider. | Need to setup IAM OIDC provider. Default global limit of 100 OIDC providers for AWS account applies. |
| Role Scalability | No need to define trust relationship between IAM role and service account in the trust policy. | Need to define trust relationship between IAM role and service account in the trust policy. Max of 8 trust relationships within a single trust policy applies due to limit on trust policy size. |
| Role Reusability | AWS STS temporary credentials supplied by EKS Pod Identity include role session tags, such as cluster name, namespace, service account name. | AWS STS session tags are not supported. You can reuse a role between clusters but every pod receives all of the permissions of the role. |
seifrajhi
/ devcontainer.json
Last active
October 15, 2024 14:29
devcontainer config file that determines how your dev container gets built and started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Show hidden characters
| // For format details, see https://aka.ms/devcontainer.json. For config options, see the | |
| // README at: https://github.com/devcontainers/templates/tree/main/src/python | |
| { | |
| "name": "Python 3", | |
| // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile | |
| "image": "mcr.microsoft.com/devcontainers/python:0-3.11", | |
| // Features to add to the dev container. More info: https://containers.dev/features. | |
| // "features": {}, |
seifrajhi
/ exit-codes.md
Created
February 10, 2024 09:29
The most common exit codes used by containers
| CODE # | NAME | WHAT IT MEANS |
|---|---|---|
| 0 | Purposely stopped | Used by developers to indicate that the container was automatically stopped |
| 1 | Application error | Container was stopped due to application error or incorrect reference in the image spec |
| 125 | Container failed to run error | The docker run command did not execute successfully |
| 126 | Command invoke error | A command specified in the image specification could not be invoked |
| 127 | File or directory not found | File or directory specified in the image specification was not found |
| 128 |
seifrajhi
/ extension-providers.yaml
Created
January 24, 2024 06:30
Istio extension provider specifics
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| meshConfig: | |
| extensionProviders: | |
| - name: oauth2-proxy | |
| envoyExtAuthzHttp: | |
| service: oauth2-proxy.oauth2-proxy.svc.cluster.local | |
| port: 4180 | |
| headersToDownstreamOnDeny: | |
| - content-type | |
| - set-cookie | |
| headersToUpstreamOnAllow: |
seifrajhi
/ oauth2-proxy-values.yaml
Created
January 24, 2024 06:15
Helm values we will use for the deployment of oauth2-proxy.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config: | |
| clientID: xx | |
| clientSecret: xx | |
| cookieSecret: xx | |
| configFile: false | |
| extraArgs: | |
| provider: oidc | |
| cookie-secure: true | |
| cookie-samesite: lax |
NewerOlder