containers-roadmap
[EKS] [request]: Set IRSA pod identity webhook to use same default expiration as OIDC endpoint
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
We've been informed that OIDC tokens issued by the EKS IDP expire after 1 hour while the pod-identity-webhook is configuring an expiration of 24 hours. We see that AWS clients are then attempting to use expired tokens because the tokens are not correctly rotated, nor refreshed by the client (the client could not write a refreshed token to the readonly file in any case).
Instead of adding the annotation eks.amazonaws.com/token-expiration: "3600" to all uses of IRSA, we kindly request that the default expiration of pod-identity-webhook is synchronized with the OIDC IDP setting of 1 hour with the use of the argument --token-expiration 3600.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Adjusting many (10s/100s?) of annotations is measurably harder than changing one default setting. The OIDC token expiration is managed by AWS, not users, and we feel that the pod-identity-webhook (also managed by AWS) that directly and only uses the AWS-managed OIDC IDP should have corresponding configuration to ensure that tokens are rotated on the required schedule.
Are you currently working around this issue?
We will update all IRSA annotations to additionally set eks.amazonaws.com/token-expiration: "3600" because EKS Pod Identity does not meet our current use cases.
Additional context
https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master
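An added audit check, not part of the issue or of the pod-identity-webhook project, for the mismatch described above: it reads the iat/exp claims of a projected IRSA token and flags any token whose lifetime exceeds the issuer-side limit. The 3600-second issuer limit and the 86400-second webhook default are taken from the issue as stated; the sample token is constructed and unsigned.

```python
import base64
import json

# Lifetime the OIDC issuer is assumed to honour (1 hour, as stated in the issue).
IDP_MAX_LIFETIME_SECONDS = 3600
# Expiry the webhook applies when no eks.amazonaws.com/token-expiration annotation is set.
WEBHOOK_DEFAULT_LIFETIME_SECONDS = 86400


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_lifetime(token: str) -> int:
    """Return exp - iat (seconds) for a projected service account token.

    Claims are read without signature verification: this audits a token already
    mounted in our own pod, it is not an authentication decision.
    """
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return int(claims["exp"]) - int(claims["iat"])


def exceeds_idp_lifetime(token: str, max_lifetime: int = IDP_MAX_LIFETIME_SECONDS) -> bool:
    """True when the projected token would outlive the issuer-side expiry,
    i.e. AWS clients will eventually present a token the IDP considers expired."""
    return token_lifetime(token) > max_lifetime


def make_sample_token(lifetime_seconds: int, issued_at: int = 1_700_000_000) -> str:
    """Build a constructed, unsigned token carrying IRSA-style claims (sample data only)."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "https://oidc.eks.example.invalid/id/PLACEHOLDER",  # placeholder issuer
        "aud": ["sts.amazonaws.com"],
        "iat": issued_at,
        "exp": issued_at + lifetime_seconds,
    }

    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    for lifetime in (WEBHOOK_DEFAULT_LIFETIME_SECONDS, IDP_MAX_LIFETIME_SECONDS):
        tok = make_sample_token(lifetime)
        print(lifetime, "exceeds IDP limit:", exceeds_idp_lifetime(tok))
```

Inside a pod, pass the contents of the webhook's projected token file (/var/run/secrets/eks.amazonaws.com/serviceaccount/token) to exceeds_idp_lifetime to confirm whether the annotation or the --token-expiration default has actually taken effect.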
We will look into this. Can you elaborate on where Pod Identity is not meeting your needs currently?
We have cases where we want to use a wildcard for the service account, but wildcards are not permitted with the Pod Identity Association: https://docs.aws.amazon.com/eks/latest/APIReference/API_CreatePodIdentityAssociation.html