Decoupled CCM & CSI Add-ons
We’ve introduced a credential separation improvement for Kubernetes clusters using Exoscale SKS. The Cloud Controller Manager (CCM) and Container Storage Interface (CSI) add-ons now use independent IAM API keys and roles, improving security and lifecycle management, as well as allowing CSI to be deployed independently.
What's new?
When creating or updating an SKS cluster with add-ons enabled, separate IAM roles and API keys are now automatically created per add-on and per cluster.
These credentials follow a clear naming pattern: sks-<addon>-<cluster-id>
Credential lifecycles are fully managed by Exoscale: they’re created with the cluster and automatically removed when the cluster is deleted.
Why does this matter?
Improved Security: Credentials are isolated per add-on, minimizing permission exposure.
Granular Access Control: Fine-tune or audit CCM and CSI access independently.
Easier Auditing: Identify and monitor actions from each add-on individually.
Simplified Operations: In case of accidental deletion or suspected compromise, credentials can be rotated easily.

This change applies automatically to newly created or updated clusters. Existing clusters continue to work as-is and can adopt the new model by updating the cluster configuration or rotating the respective credentials.
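An added example (not Exoscale code) of an audit built on the sks-<addon>-<cluster-id> naming pattern: given exported IAM key names and the IDs of clusters that still exist, it flags credentials whose cluster is gone and clusters that lack a per-add-on key. The add-on tokens "ccm" and "csi", UUID-shaped cluster IDs, and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not stated on the page): the <addon> token is "ccm" or "csi",
# and <cluster-id> is a UUID.
EXPECTED_ADDONS = {"ccm", "csi"}
NAME_RE = re.compile(
    r"^sks-(?P<addon>[a-z0-9]+)-"
    r"(?P<cluster>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

def audit_addon_credentials(key_names, live_cluster_ids):
    """Compare IAM key names against the clusters that currently exist."""
    live = set(live_cluster_ids)
    by_cluster = defaultdict(set)
    report = {"orphaned": [], "incomplete": {}, "unexpected": [], "unmanaged": []}
    for name in key_names:
        m = NAME_RE.match(name)
        if m is None:
            report["unmanaged"].append(name)  # not in sks-<addon>-<cluster-id> form
        else:
            by_cluster[m["cluster"]].add(m["addon"])
    for cluster, addons in sorted(by_cluster.items()):
        if cluster not in live:
            # Managed credentials should disappear with the cluster; investigate.
            report["orphaned"] += [f"sks-{a}-{cluster}" for a in sorted(addons)]
        else:
            extra = sorted(addons - EXPECTED_ADDONS)
            report["unexpected"] += [f"sks-{a}-{cluster}" for a in extra]
    for cluster in sorted(live):
        # Missing means the add-on is disabled or the cluster has not yet
        # been updated to the per-add-on credential model.
        missing = EXPECTED_ADDONS - by_cluster.get(cluster, set())
        if missing:
            report["incomplete"][cluster] = sorted(missing)
    return report

# Constructed sample inventory (not real cluster IDs or key names).
CLUSTER_A = "11111111-1111-4111-8111-111111111111"
CLUSTER_B = "22222222-2222-4222-8222-222222222222"
DELETED_C = "33333333-3333-4333-8333-333333333333"
SAMPLE_KEYS = [f"sks-ccm-{CLUSTER_A}", f"sks-csi-{CLUSTER_A}",
               f"sks-ccm-{CLUSTER_B}", f"sks-csi-{DELETED_C}", "ci-deploy-key"]

if __name__ == "__main__":
    for section, items in audit_addon_credentials(SAMPLE_KEYS, [CLUSTER_A, CLUSTER_B]).items():
        print(section, items)
```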
