How to allow connection from specific AWS EKS pods to AWS RDS?

3.4k views Asked by At

Let's say I have an EKS cluster with multiple pods hosting different applications. I want to allow connections from a specific application to an RDS instance without allowing all the pods in the EKS cluster to connect to the RDS. After some research, I found out that there's a networking approach to solve the issue, by creating security groups for pods. But I am trying to look for another approach.

I was expecting to have a simple setup where I can:

  • create IAM policy with read/write permissions to the DB
  • create an IAM role and attach that policy
  • create a service account (IAM and k8s service accounts) with that role
  • assign the service account to the pods I want to grant RDS access.

But it seems like the only way to have IAM authentication from pods to RDS, is by continuously generating a token each 15m. Is this the only way?

1

There are 1 answers

2
Marcin W. On

I would recommend this task to be divided into following parts:

  • making sure the security concept is sound
  • allowing network traffic from EC2 worker nodes to RDS
  • creating Egress network policy for the cluster to only allow RDS traffic for specific pods

making sure the security concept is sound

The question here is why would you want to select only specific pods to access RDS database? Is there a trust issue with parties deploying pods to the cluster or is it a matter of compliance (some departments can't access other department resources)? If it's trust, maybe the separation here is not enough, maybe you should not allow untrusted pods on your cluster (vulnerabilities with root gaining via docker)?

allowing network traffic from EC2 worker nodes to RDS

For this, the Security Group of worker EC2 nodes must be allowed on RDS side (Inbound rules), and just to be sure, SG of EKS cluster nodes should also allow connections to RDS. Without these generic rules, the traffic can't flow. You could be specific here - for example allow access on only specific RDS instances, not all. You can have more than one node group for your EKS cluster also (and run pods that require RDS access only on those nodes, with labels).

creating Egress network policy for the cluster

If you create a default deny-all Egress policy (which is highly recommended), than no pods can access RDS by default. You can then apply more granular Egress policies to access RDS database by namespace, label, pod name. More here: https://www.cncf.io/blog/2020/02/10/guide-to-kubernetes-egress-network-policies/

Clarification: in this scenario you store secrets to access database in kubernetes secrets, mount them into pod and login normally. If you want to just get connection without auth, my answer won't help you.