AWS eks documentation change
Summary
Updated documentation for EKS Pod Identities with clarifications on credential isolation when IMDS access is restricted, added note about hostNetwork Pods, and important security warning about containers not being a security boundary
Security assessment
The changes clarify security implications of IMDS access and credential isolation, but do not address a specific disclosed vulnerability. The updates provide security best practices documentation.
Diff
diff --git a/eks/latest/userguide/pod-identities.md b/eks/latest/userguide/pod-identities.md index 41017a4e4..46a98141e 100644 --- a//eks/latest/userguide/pod-identities.md +++ b//eks/latest/userguide/pod-identities.md @@ -1 +1 @@ -[](/pdfs/eks/latest/userguide/eks-ug.pdf#pod-identities "Open PDF")[](https://github.com/awsdocs/amazon-eks-user-guide/tree/mainline/latest/ug/aws-access/pod-identities.xml "Edit this page on GitHub") +[](/pdfs/eks/latest/userguide/eks-ug.pdf#pod-identities "Open PDF")[](https://github.com/awsdocs/amazon-eks-user-guide/tree/mainline/latest/ug/manage-access/aws-access/pod-identities.adoc "Edit this page on GitHub") @@ -27 +27,8 @@ EKS Pod Identities provide the following benefits: - * **Credential isolation** – A Pod’s containers can only retrieve credentials for the IAM role that’s associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. When using Pod Identities, the Pod’s containers also have the permissions assigned to the [Amazon EKS node IAM role](./create-node-role.html), unless you block Pod access to the [Amazon EC2 Instance Metadata Service (IMDS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html). For more information, see [Restrict access to the instance profile assigned to the worker node](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node). + * **Credential isolation** – When access to the [Amazon EC2 Instance Metadata Service (IMDS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is restricted, a Pod’s containers can only retrieve credentials for the IAM role that’s associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. If IMDS is not restricted, the Pod’s containers also have access to the [Amazon EKS node IAM role](./create-node-role.html) and the containers may be able to gain access to credentials of IAM roles of other Pods on the same node. For more information, see [Restrict access to the instance profile assigned to the worker node](https://docs.aws.amazon.com/eks/latest/best-practices/identity-and-access-management.html#_identities_and_credentials_for_eks_pods_recommendations). + + + + +###### Note + +Pods configured with `hostNetwork: true` will always have IMDS access, but the AWS SDKs and CLI will use Pod Identity credentials when enabled. @@ -33,0 +41,4 @@ EKS Pod Identities provide the following benefits: +###### Important + +Containers are not a security boundary, and the use of Pod Identity does not change this. Pods assigned to the same node will share a kernel and potentially other resources depending on your Pod configuration. While Pods running on separate nodes will be isolated at the compute layer, there are node applications that have additional permissions in the Kubernetes API beyond the scope of an individual instance. Some examples are `kubelet`, `kube-proxy`, CSI storage drivers, or your own Kubernetes applications. +