Cloud Flight Simulator Part 4: Least Privileged Pods with Kubernetes Workloads

  • Thursday, 15 Feb 2024 10:00AM EST (15 Feb 2024 15:00 UTC)
  • Speaker: Eric Johnson

In the final part of the Cloud Security Flight Simulator series, join SEC540 lead author and instructor Eric Johnson to learn how to enable workload identity for AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS). 

Rather than issuing long-lived credentials to individual pods or inheriting excessive permissions from the node, Kubernetes service accounts can use an internal OpenID Connect (OIDC) provider to obtain a signed identity token (JWT). Then, cloud administrators can configure their identity services (IAM, Entra ID) to trust the Kubernetes cluster's OpenID Connect provider and grant the service account to obtain temporary, least privilege credentials.

Explore the rest of the Cloud Flight Simulator Series: