This configuration is an example of a SPIRE 0.9.0 deployment for Kubernetes on EKS. This example is based on the simple SAT, with minor modifications to make it work on EKS platform.
Compare the simple SAT server configuration with this EKS SAT server to see the differences, which consist of:
- Node attestation is done using the SAT node attestor with kubernetes token review validation enabled.
- As a consequence of the above, volume and volume mounts for validation key are removed.
- RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
In the same way, the differences between the simple SAT agent and EKS SAT server are:
- Workload attestation is done using the k8s workload attestor with the secure port configuration.
- RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
Both SPIRE agent and server run in the spire namespace, using service accounts of spire-server and spire-agent.
- Create an EKS cluster and set it as the current context for
kubectl
. No special configurations are required for the cluster creation.
Start the server StatefulSet:
$ kubectl apply -f spire-server.yaml
Start the agent DaemonSet:
$ kubectl apply -f spire-agent.yaml
The server log shows the attestation result:
$ kubectl -n spire logs -f spire-server-0
level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_sat" subsystem_name=node_api