Update kubernetes_standards.md #79
base: master
Agree, this is the MS strategy going forward so what we agreed in 2019 is replaced by this. Pod identity is defunct, long live Workload identity!
Now as a debate there wasn't an AWS equivalent in these docs. The equivalent answer for AWS is to use service accounts for IAM. That shouldn't change and should remain the Kubernetes standard in Defra IMO if targeting AWS.
ben-sagar
left a comment
I think we should put this in as a change, but honestly I'm not 100% convinced it's that significant - happy to be convinced otherwise
| ### Secrets | ||
| Where possible, secrets should not be stored within an application or Kubernetes pod. Instead, when communicating with supported cloud infrastructure, clusters should use [AAD Pod Identity](https://github.com/Azure/aad-pod-identity) in Azure or [IAM role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) in AWS. | ||
| Where possible, secrets should not be stored within an application or Kubernetes pod. Instead, when communicating with supported cloud infrastructure, clusters should use [Entra ID Workload Identities](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet) in Azure or [IAM role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) in AWS. |
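Review bot: the replacement Azure link carries a `?tabs=dotnet` query string, which opens the Microsoft docs page on its .NET-specific tab; linking `https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview` without the tab parameter lands readers on the language-neutral overview. It would also help to say in the sentence that Workload Identity, like the AWS IAM role for Service Accounts it sits beside, is bound to a Kubernetes ServiceAccount rather than to the pod, since that is the practical difference from the AAD Pod Identity text being removed.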
I think this is all fine but as we're making this change, we could/should put in the additional status info and highlight the significant change, like with this one:
https://github.com/DEFRA/software-development-standards/blob/master/standards/common_coding_standards.md#status
I have now added the significant change update to the readme in this PR
@DaRoszko I didn't mean to make the changes on the common coding standards page, I meant to include a status section like the one on that page - sorry for the confusion
I'll get this done shortly
Clarify that workload ID should only be used now in AKS