
Cloud Identity & Secrets
IRSA (AWS), Workload Identity (GCP), Managed Identity (Azure), External Secrets Operator, Vault patterns
1. What is the main advantage of using IRSA (IAM Roles for Service Accounts) in an EKS cluster rather than static AWS access keys?
Answer
IRSA allows Kubernetes pods to assume temporary IAM roles via OIDC, eliminating the need to store static credentials in Secrets. Permissions are scoped per ServiceAccount, following the principle of least privilege. Credentials are automatically rotated by AWS STS (Security Token Service), reducing the attack surface if a pod is compromised.
2. In GCP, how does Workload Identity Federation allow a GKE pod to access Google Cloud resources?
Answer
Workload Identity binds a Kubernetes ServiceAccount to a Google Service Account via an annotation. The pod obtains an OIDC token from the Kubernetes API server, which is exchanged for a GCP token via the metadata server. This avoids storing static service account JSON keys in the cluster, following the zero-trust model and enabling automatic credential rotation.
3. What is the main difference between Azure Managed Identity and traditional service principals?
Answer
Managed Identity eliminates the need to manually manage credentials (client secret, certificate). Azure automatically handles the credential lifecycle, including rotation. Managed Identities can be system-assigned (tied to a resource's lifecycle) or user-assigned (independent). This reduces the risk of secret leakage compared to service principals where secrets must be stored and manually rotated.
4. How does External Secrets Operator synchronize secrets from an external provider (AWS Secrets Manager, Vault) to Kubernetes?
5. What is the role of the mutating admission webhook controller in automatic secret injection via Vault Agent Injector?
+19 more interview questions