Amazon Elastic Kubernetes Service (EKS): A First Look
Amazon Confidential AWS Identity and Access Management (IAM) authentication Kubectl 3) Authorizes AWS identity with RBAC K8s API 1) Passes AWS identity 2) Verifies AWS identity 4) K8s action allowed/denied
39 pages | 1.83 MB | 1 year ago

Key management, keys
Turtles all the way down - Securely managing Kubernetes Secrets
shouldn’t have access, e.g., CEO ○ Stored in public storage buckets Secret management requirements Identity Require strong identities and least privilege Auditing Verify the use of individual secrets kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - identity: {} - aesgcm: keys: - name: key1 secret: c2VjcmV0IGlzIHNlY3VyZQ== Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 KMS plugin Auditing Encryption Rotation
52 pages | 2.84 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
Kubectl • Design goal • kubeconfig transparent to kubectl users • kubeconfig credentials binding w/ identity • kubeconfig only in memory • TEE as an option • Solution • Get kubeconfig • Relay server mode
33 pages | 20.81 MB | 1 year ago

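Kubernetes Open Source Book - 周立
before 8, the spec.selector field was omitted by default. In 1.8 and later, failing to specify a matching Pod Selector results in a validation error during StatefulSet creation. Pod Identity: StatefulSet Pods have a unique identity consisting of an ordinal, a stable network identity, and stable storage. The identity is bound to the Pod (it is sticky), regardless of which Node the Pod is scheduled on.
135 pages | 21.02 MB | 1 year ago
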
4 results in total