AWS Service Operator for Kubernetes Now Available (opens in new tab)

https://github.com/jtblin/kube2iam is probably what you're looking for, it uses iptables to allow/disallow pods requests to the ec2 metadata service based on kubernetes annotations

in fact, if you check out the source (located here: https://github.com/awslabs/aws-service-operator) it's recommended to use kube2iam

edit: haven't fully read the article yet but if the operator supports managing IAM roles thru a CRD you could potentially create the role and attach it via annotation in one go.

double edit: looks like IAM roles aren't directly supported yet, the following is what appears to be supported:

- cloudformation templates

- dynamodb

- s3

- sns subscriptions and topics

- sqs queues

- ecr repos

We've been using kube2iam for this for a couple of years.

You just create a role give it an assume role policy that allows the node to assume it. Then annotate your pod w/ the role arn. When they make a call to get their instance profile you get the role instead.

It's a little annoying in that your pod code thinks its making a metadata call (which is super super fast), but what is actually happening is kube2iam intercepted that and will make a sts:assumerole call... which takes forever. So people just need to set their timeout a little higher than normal.

https://github.com/jtblin/kube2iam

This is something we’ve heard a lot and are working together with the Kubernetes community on. We’ll have more to announce on this one soon

Full disclosure: I work on EKS at AWS

AWS always launches services half-baked - I actually kinda love them for it. It's not always polished, but it's usually good enough to help me get stuff done.

I'm sure we'll see much tighter integration over time.

I bet you could register the containers as on-prem instances with the Systems Manager agent, though it's kind of a pain. It gives you a shim into IAM from non-AWS machines.

(I work at AWS SSM, but not directly on the on-prem featureset.)

> My humble view is that whoever starts a RedHat-like service (with support, and SLAs, and enterprise services) on top of Kubernetes, might get the upper hand.

Does Red Hat count as Red Hat-like? Because they've had OpenShift Origin for several years now.

As far as I know the container fights are done Kubernetes won even AWS admits it, now it's all about serverless technologies.

Do you mean OpenShift?

https://www.openshift.com

I think that is heptio

Are there any good docker compose or helm files out there right now that would work for a nice production ready MySQL or PostgreSQL dB?

It seems like k8s has everything you would need to have the redundant data sources, failover, and point in time recovery options that cloudsql or auroradb have.

What's wrong with them ? Three is enough competition.

Take a look at the zsh/fish themes

Looks like oh-my-zsh default

GCP has service catalog[1] that can interface to various GCP services (Spanner, cloud sql, pub sub, etc.).

Service catalog is based on the open service broker spec.

[1] https://cloud.google.com/kubernetes-engine/docs/how-to/add-o...

Great question, it's a little more complicated than one might think at first. In trying to build a "batteries included" experience I'd need to have per-view into your cluster and what VPC, Subnet and AZ you are running in I don't want to make this a configuration option so I need to build out a way to collect this information dynamically so that I can make sure we create DB subnets for the RDS to provision into. Then I need to configure depending on the engine (pg, mysql etc) the port and security group configuration. All in all the CFT and is more complicated and with the way the resources are code generated it requires heavy customization. All that being said it is well up on the top of my list to implement. Also always interested in letting other folks come and contribute if they feel inclined. :)

Does this work benefit those who are not using AWS?