Moving from Kube2Iam to Kiam

aws kubernetes news security


At Ibotta, we chose kube2iam to assign AWS IAM roles to containers running in our Kubernetes cluster. Lately we've run into some issues with it, specifically when running a job that scores all of our service repos. This job spins up a number of pods in parallel, and those pods have often failed to obtain their roles correctly.

After further investigation, the future of the project seems uncertain, and other issues have been logged around race conditions and similar problems. After some research, Kiam seems to be a valid alternative. Its developers have written a detailed post on their experience with kube2iam and why they decided to write Kiam.

We tested Kiam by running the scorecard job in our staging environment, first with kube2iam to verify we could reproduce the errors we had seen, then with Kiam. With Kiam there were no pod failures over multiple runs, which showed it was an improvement for this use case. There are several stages to replacing kube2iam with Kiam; these are outlined in the following section. Kiam uses a namespace annotation containing a regular expression to define which roles are allowed in that namespace.

This lets you restrict roles to certain namespaces, which is good for security, but you must specify the annotation on every namespace even if all roles are allowed, like this:
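As an added illustration (not code from the original post or from the Kiam project), the following Python models the namespace check described above, using Kiam's real `iam.amazonaws.com/permitted` annotation key, and adds a small audit that flags annotations broader than they look. It assumes the pattern is tested against the role name with an unanchored regex match (as Go's `regexp.MatchString` does), so `ci-runner` also permits `legacy-ci-runner-admin` unless the pattern is anchored; the namespaces are constructed sample data.

```python
import re
from typing import Dict, Mapping, Optional

# Kiam's per-namespace annotation key (real key; the sample values below are constructed)
PERMITTED_ANNOTATION = "iam.amazonaws.com/permitted"


def permitted_role(annotations: Mapping[str, str], role: str) -> bool:
    """True if `role` may be assumed in a namespace carrying these annotations.

    Assumption: the annotation is a regex applied to the role name with an
    unanchored match (re.search mirrors Go's MatchString). A namespace with no
    annotation permits no roles, and an unparsable pattern fails closed.
    """
    pattern: Optional[str] = annotations.get(PERMITTED_ANNOTATION)
    if pattern is None:
        return False
    try:
        return re.search(pattern, role) is not None
    except re.error:
        return False


def lint_namespaces(namespaces: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Flag annotations that grant more than intended: allow-all or unanchored."""
    findings: Dict[str, str] = {}
    for ns, annotations in namespaces.items():
        pattern = annotations.get(PERMITTED_ANNOTATION)
        if pattern is None:
            continue  # no annotation means nothing is permitted; nothing to flag
        if pattern in ("^.*$", ".*"):
            findings[ns] = "allow-all pattern"
        elif not (pattern.startswith("^") and pattern.endswith("$")):
            findings[ns] = "unanchored pattern"  # substring match, may overreach
    return findings


# Constructed sample namespaces and their permitted-role annotations
NAMESPACES = {
    "scorecard": {PERMITTED_ANNOTATION: "^scorecard-.*$"},   # tightly scoped
    "sandbox": {PERMITTED_ANNOTATION: "^.*$"},               # every role allowed
    "ci": {PERMITTED_ANNOTATION: "ci-runner"},               # not anchored
    "unannotated": {},                                       # nothing allowed
}


def audit(role: str) -> Dict[str, bool]:
    """Which sample namespaces would let a pod assume `role`?"""
    return {ns: permitted_role(ann, role) for ns, ann in NAMESPACES.items()}
```

Running `audit("legacy-ci-runner-admin")` shows the unanchored `ci` namespace permitting a role its author probably did not intend, which the lint reports alongside the allow-all `sandbox` namespace.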