S3 Evidence Vault
Configure S3 storage for scheduled artifact uploads. All evidence is organized by date, type, and source for easy retrieval and compliance auditing.
Authentication Methods
Three options for S3 authentication, in order of preference:
IAM Role (recommended)
Attach an IAM role to the node instance profile. No credentials to manage. Instance-profile credentials are served by the instance metadata service to every pod on the node, so scope the role to the evidence bucket (s3:PutObject on that bucket only) and block IMDS access from pods that do not need it.
IRSA (EKS)
Use IAM Roles for Service Accounts on EKS for pod-level credentials: the role is bound to the uploader's service account instead of being shared by every pod on the node.
Kubernetes Secret
Create a secret holding static AWS credentials. The `reel.io/s3-secret` annotation carries only a secret name, so create it in the namespace the annotated pods run in (`production` here, matching the example below):

```shell
kubectl create secret generic aws-credentials \
  --from-literal=AWS_ACCESS_KEY_ID=AKIA... \
  --from-literal=AWS_SECRET_ACCESS_KEY=... \
  -n production
```

`--from-literal` leaves the secret key in your shell history; outside a test cluster, put the two values in a file with restrictive permissions and use `--from-env-file` instead. These are long-lived static credentials and need rotation, which is why the IAM role and IRSA options are preferred.
Annotation Configuration
Configure S3 settings via pod or namespace annotations:
| Annotation | Description |
|---|---|
| reel.io/s3-bucket | S3 bucket name |
| reel.io/s3-region | AWS region |
| reel.io/s3-secret | Name of the Kubernetes secret with AWS credentials (only needed with the Kubernetes Secret method) |
Pod annotations take priority over namespace annotations. A consequence worth noting: anyone who can create or annotate pods in a namespace can point that pod's uploads at a different bucket, so keep the IAM policy limited to the intended evidence bucket and such an override fails instead of redirecting evidence.
Complete Example
```yaml
# Namespace-level S3 config (applies to all pods)
apiVersion: v1
kind: Namespace
metadata:
  name: production
  annotations:
    reel.io/s3-bucket: "compliance-evidence"
    reel.io/s3-region: "us-east-1"
    reel.io/s3-secret: "aws-credentials"
    reel.io/schedule: |
      0 6 * * * | export sbom --scanners vuln
      next | export cbom
```
S3 Key Pattern
Artifacts are organized in S3 with the following key structure. Because date and type lead the key, retrieving everything of one type for one day is a single prefix listing; retrieval by namespace, pod, or container requires listing a prefix and parsing the object names:
{date}/{type}/{cluster}_{node}_{namespace}_{pod}_{container}_{timestamp}.{ext}
| Type | Extension |
|---|---|
| sbom, cbom, volatile, metadata, malware | .json |
| checkpoint, layer, frame, memory | .tar.zst or .core.zst |
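The key layout and extension table above determine how evidence can be retrieved. The following is an added example, not reel.io project code: it builds and parses keys of that shape and filters a listing for an audit query. It assumes `{date}` is `YYYY-MM-DD` and that `{timestamp}` contains no underscore, neither of which the page specifies; the sample key listing is constructed.

```python
"""Build, parse and filter S3 Evidence Vault object keys.

Added example (not reel.io project code). Assumes the documented layout
{date}/{type}/{cluster}_{node}_{namespace}_{pod}_{container}_{timestamp}.{ext}
plus two assumptions: {date} is YYYY-MM-DD and {timestamp} contains no '_'.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Extension per artifact type, from the S3 Key Pattern table.
JSON_TYPES = frozenset({"sbom", "cbom", "volatile", "metadata", "malware"})
ARCHIVE_TYPES = frozenset({"checkpoint", "layer", "frame", "memory"})
ARCHIVE_EXTS = ("tar.zst", "core.zst")


@dataclass(frozen=True)
class EvidenceKey:
    date: str
    type: str
    cluster: str
    node: str
    namespace: str
    pod: str
    container: str
    timestamp: str
    ext: str

    def to_key(self) -> str:
        """Render the S3 object key for this artifact."""
        name = "_".join((self.cluster, self.node, self.namespace,
                         self.pod, self.container, self.timestamp))
        return f"{self.date}/{self.type}/{name}.{self.ext}"


def list_prefix(date: str, artifact_type: str) -> str:
    """Prefix for ListObjects: date and type lead the key, so 'all SBOMs
    from one day' is a single prefix listing rather than a full scan."""
    return f"{date}/{artifact_type}/"


def parse_key(key: str) -> EvidenceKey:
    """Split an object key into its fields; ValueError if it does not match."""
    parts = key.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected date/type/filename, got {key!r}")
    date, artifact_type, filename = parts

    # Document types end in .json; archive types in a two-part .tar.zst or
    # .core.zst, so the extension cannot simply be taken from the last dot.
    if artifact_type in JSON_TYPES:
        ext: Optional[str] = "json"
    elif artifact_type in ARCHIVE_TYPES:
        ext = next((e for e in ARCHIVE_EXTS if filename.endswith("." + e)), None)
    else:
        raise ValueError(f"unknown artifact type {artifact_type!r}")
    if ext is None or not filename.endswith("." + ext):
        raise ValueError(f"unexpected extension for {artifact_type}: {filename!r}")
    stem = filename[: -(len(ext) + 1)]

    # node, namespace, pod and container are Kubernetes DNS names and never
    # contain '_', so split from the right; any remaining '_' belongs to the
    # cluster name (EKS cluster names may contain underscores).
    fields = stem.rsplit("_", 5)
    if len(fields) != 6 or not all(fields):
        raise ValueError(f"malformed filename {filename!r}")
    cluster, node, namespace, pod, container, timestamp = fields
    return EvidenceKey(date, artifact_type, cluster, node, namespace,
                       pod, container, timestamp, ext)


def select(keys: Iterable[str], *, date_from: Optional[str] = None,
           date_to: Optional[str] = None, types: Optional[set] = None,
           namespace: Optional[str] = None) -> List[EvidenceKey]:
    """Filter a key listing for an audit request. Date bounds are inclusive
    YYYY-MM-DD strings; keys that do not parse are skipped, not fatal."""
    hits = []
    for key in keys:
        try:
            ek = parse_key(key)
        except ValueError:
            continue  # stray object in the bucket, not evidence
        if date_from and ek.date < date_from:
            continue
        if date_to and ek.date > date_to:
            continue
        if types and ek.type not in types:
            continue
        if namespace and ek.namespace != namespace:
            continue
        hits.append(ek)
    return hits


# Constructed sample listing (not real data); cluster name contains '_'.
SAMPLE_KEYS = [
    "2024-06-01/sbom/prod_eu_ip-10-0-1-5_production_api-7c9d_app_20240601T060000Z.json",
    "2024-06-01/cbom/prod_eu_ip-10-0-1-5_production_api-7c9d_app_20240601T060005Z.json",
    "2024-06-02/memory/prod_eu_ip-10-0-1-7_staging_worker-0_main_20240602T060000Z.core.zst",
    "2024-06-02/checkpoint/prod_eu_ip-10-0-1-7_staging_worker-0_main_20240602T060100Z.tar.zst",
    "2024-06-02/README.txt",  # stray object; select() must ignore it
]

if __name__ == "__main__":
    for ek in select(SAMPLE_KEYS, date_from="2024-06-01", date_to="2024-06-01",
                     types={"sbom"}, namespace="production"):
        print(ek.pod, ek.container, ek.to_key())
```

`parse_key` splits the filename from the right because every Kubernetes name in the key is a DNS label or subdomain and cannot contain an underscore; the cluster name is the only field where one can appear, which is why it absorbs whatever is left. The extension is chosen by artifact type first, then checked against the filename, so a `.json` object under `memory/` is rejected rather than silently mis-parsed.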
Configuration Priority
S3 settings resolve in this order: CLI flags > pod annotations > namespace annotations.