Cloud Flight Simulator Part 4: Least Privileged Pods with Kubernetes Workloads

In the final part of the Cloud Security Flight Simulator series, join SEC540 lead author and instructor Eric Johnson to learn how to enable workload identity for AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS). 

Rather than issuing long-lived credentials to individual pods or inheriting excessive permissions from the node, Kubernetes service accounts can use an internal OpenID Connect (OIDC) provider to obtain a signed identity token (JWT). Then, cloud administrators can configure their identity services (IAM, Entra ID) to trust the Kubernetes cluster's OpenID Connect provider and grant the service account to obtain temporary, least privilege credentials.

Explore the rest of the Cloud Flight Simulator Series:

• Part 1: GitLab CI, Workflows, and Secrets
• Part 2: Protecting Kubernetes Clusters with Admission
• Part 3: Safeguarding the Software Supply Chain