Securing Cross-Cluster Kubernetes APIserver Access with Short-Lived Tokens via Envoy

In Kubernetes, service accounts and associated RBAC policies provide a way to secure access to API services. However, they are cumbersome to configure, and don’t scale well for high-traffic, multi-cluster environments increasingly used in large organizations such as eBay.

In this session, Vinay will outline the use case for cross-cluster APIserver access and introduce a new IAM architecture for securing access to the Kubernetes API and services via short-lived tokens. He will walk through the design, illustrating how a bootstrap token (OAuth 2.0 Code Grant) is injected into the pod, how it is used to obtain access tokens that are injected into requests by a lightweight Envoy proxy filter, and how those tokens are validated to secure access to cross-cluster APIservers and services. Jonathan will go over performance metrics, discuss the implementation aspects that let this design scale to high traffic loads with low latency, and conclude with a demo.

Vinay Kulkarni

Principal MTS & Director @ eBay Cloud

Seattle, Washington, United States
