AWS eks documentation change
Summary
Added documentation about session tags and resource tagging differences in EKS Capability for ACK
Security assessment
The changes document security-adjacent features (session tags for auditing/access control and resource tagging), but don't address a specific security vulnerability. The content explains security-related implementations rather than fixing issues.
Diff
diff --git a/eks/latest/userguide/ack-comparison.md b/eks/latest/userguide/ack-comparison.md index 002e97354..c8db4e80e 100644 --- a//eks/latest/userguide/ack-comparison.md +++ b//eks/latest/userguide/ack-comparison.md @@ -20,0 +21,4 @@ The EKS Capability for ACK is based on upstream ACK controllers but differs in I +**Session tags** : The managed capability automatically sets session tags on all AWS API requests, enabling fine-grained access control and auditing. Tags include `eks:eks-capability-arn`, `eks:kubernetes-namespace`, and `eks:kubernetes-api-group`. This differs from self-managed ACK, which does not set these tags by default. See [Configure ACK permissions](./ack-permissions.html) for details on using session tags in IAM policies. + +**Resource tags** : The capability applies different default tags to AWS resources than self-managed ACK. The capability uses `eks:` prefixed tags (such as `eks:kubernetes-namespace`, `eks:eks-capability-arn`) instead of the `services.k8s.aws/` tags used by self-managed ACK. See [ACK considerations for EKS](./ack-considerations.html) for the complete list of default resource tags. +