Hey everyone! I'm currently tackling a project where we have about 20 Kubernetes clusters, each tied to our retail locations and running on Talos. Each cluster is connected to its local network with internet access. The challenge we're facing is securely providing AWS credentials during the Talos bootstrap process (using YAML files) so that the clusters can pull images from ECR and access SSM secrets. We want to avoid static access keys, and are looking into IAM Roles Anywhere. This will require an X.509 client certificate, along with the usual parameters—ARN profile, role, trust anchor, and certificate passphrase.
If anyone has dealt with a similar situation, I'd love to know how you managed this. What's the best and most secure way to provision the necessary certificates or credentials to each Talos instance or cluster? We've also considered OIDC for authentication, but we currently lack it for machine-to-machine communications. Thanks for any insights!
3 Answers
Have you checked out AWS Roles Anywhere? It's a great alternative to static credentials. If you already have a CA infrastructure on-prem, like HashiCorp Vault, this could provide a pretty secure setup for your needs.
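As an added illustration of the Roles Anywhere setup this answer and the question describe (example code, not from the original post or from AWS/Talos), the Go program below stands up a toy private CA in place of the on-prem CA, issues one short-lived client certificate per cluster, verifies that the certificate chains to the trust anchor before it is shipped to a node, and renders the `credential_process` profile that hands the certificate to the AWS Roles Anywhere credential helper (`aws_signing_helper`, the real helper and its real flags). The CA name, cluster name, file paths and all ARNs are constructed placeholders; the trust-anchor, profile and role ARNs would come from your AWS account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the parent's key (self-signed when parent is nil) and parses the result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTrustAnchorCA builds a toy private CA (constructed here; in production this is the on-prem CA,
// e.g. a Vault PKI mount). Only its certificate is registered in AWS as the trust anchor; the key stays home.
func NewTrustAnchorCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Store Fleet CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// IssueClusterCert issues one short-lived client certificate per cluster. The CN carries the cluster
// identity so the role trust policy can condition on it; digitalSignature key usage is required by Roles Anywhere.
func IssueClusterCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cluster string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cluster, OrganizationalUnit: []string{"talos-clusters"}},
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyAgainstTrustAnchor checks that a client certificate chains to the trust anchor CA and is within
// its validity period, the same conditions the service checks before it issues credentials.
func VerifyAgainstTrustAnchor(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// CredentialProcessConfig renders the AWS CLI/SDK profile that delegates to aws_signing_helper. The SDK
// invokes the helper on demand, so no static access key is written to the node. ARNs are placeholders.
func CredentialProcessConfig(profile, certPath, keyPath, trustAnchorARN, profileARN, roleARN string) string {
	return fmt.Sprintf("[profile %s]\ncredential_process = aws_signing_helper credential-process"+
		" --certificate %s --private-key %s --trust-anchor-arn %s --profile-arn %s --role-arn %s\n",
		profile, certPath, keyPath, trustAnchorARN, profileARN, roleARN)
}

func main() {
	ca, caKey, err := NewTrustAnchorCA()
	if err != nil {
		panic(err)
	}
	cert, _, err := IssueClusterCert(ca, caKey, "store-0042", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("chains to trust anchor:", VerifyAgainstTrustAnchor(cert, ca) == nil)
	fmt.Print(CredentialProcessConfig("store-0042", "/var/lib/rolesanywhere/client.crt",
		"/var/lib/rolesanywhere/client.key",
		"arn:aws:rolesanywhere:REGION:ACCOUNT:trust-anchor/TRUST_ANCHOR_ID",
		"arn:aws:rolesanywhere:REGION:ACCOUNT:profile/PROFILE_ID",
		"arn:aws:iam::ACCOUNT:role/TalosClusterRole"))
}
```

The per-cluster CN and the short TTL are the two knobs that matter here: the CN lets the IAM role's trust policy restrict which certificate subjects may assume it, and a short TTL bounds how long a leaked certificate is useful. Delivering the resulting certificate and key to each Talos node (for example through its machine configuration at bootstrap) is the provisioning step the question asks about and is outside this block.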
Consider using SSM to register your instances. This way, the instances can fetch role credentials easily. I’ve done this countless times on Flatcar, though I’m not exactly sure how it works on Talos. Just a heads up, there’s an extra cost involved for the Managed Instances that AWS charges for.
You might want to explore IoT Core with fleet provisioning by claim and Greengrass. It could provide a practical path for your situation.