
Switch to IRSAv2/pod identity

Open bryantbiggs opened this issue 1 year ago • 7 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

  • Switch permissions access from IRSA to pod identity (IRSAv2)

Describe the solution you would like

  • Switch permissions access from IRSA to pod identity (IRSAv2)

Describe alternatives you have considered

Additional context

  • The addons that use pod identity will need to use an AWS SDK version that supports pod identity. Therefore, the scope of changes required for this request is:
  1. Change role assumption in addon module to trust pod identity service endpoint
  2. Remove IRSA annotation in the addon module
  3. Update addon module version used in this project to reflect version that captures changes from 1 and 2
  4. Update addon versions for those using pod identity to use a version that supports the MSV of the AWS SDK for pod identity
  5. Remove the annotation references for IRSA in the respective addons (reference)

The last step will be the association which will happen at the cluster level (associate the pod identity with the cluster)

bryantbiggs, Nov 01 '23 11:11

where can I read more on v2 changes?

FernandoMiguel, Nov 02 '23 18:11

those are captured in the v2 milestone https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/milestone/1

bryantbiggs, Nov 02 '23 19:11

@bryantbiggs I think @FernandoMiguel was asking for v2 changes meaning "IRSAv2/pod identity". I haven't seen any blog post or announcement from AWS on this change and what it entails as a replacement for current IRSA.

cdenneen, Nov 06 '23 16:11

That's because it's not released yet

bryantbiggs, Nov 06 '23 19:11

here is something along the lines of what it will look like - https://github.com/clowdhaus/terraform-aws-irsa-v2

bryantbiggs, Nov 08 '23 15:11

Any thoughts on the resource "aws_eks_cluster_role_association" having the namespace/service_account be a hash? This way you can assign multiple namespace/service_account pairs to the same role?

cdenneen, Nov 08 '23 20:11
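As an added example that is not part of the issue or of the terraform-aws-eks-blueprints-addons project, the Terraform below shows the shape of steps 1, 2 and the cluster-level association from the opening post, and also the point raised in the question just above: an IRSA trust policy pins one namespace/service-account pair in a `StringEquals` condition on the OIDC `sub` claim, whereas a Pod Identity trust policy carries no such condition, so one role can be bound to several namespace/service-account pairs with one `aws_eks_pod_identity_association` each. The cluster name `example`, the role and service-account names, the `oidc_provider` variables and the `for_each` map are all assumptions made for the example; the `pods.eks.amazonaws.com` principal and the `sts:AssumeRole` plus `sts:TagSession` actions are what EKS Pod Identity requires.

```hcl
# Added example, not project code. Assumes an existing EKS cluster named "example"
# and that the AWS provider version in use supports aws_eks_pod_identity_association.

variable "oidc_provider_arn" {
  description = "Assumption: ARN of the cluster's IAM OIDC provider (IRSA only)"
  type        = string
}

variable "oidc_provider" {
  description = "Assumption: OIDC issuer host/path without https:// (IRSA only)"
  type        = string
}

# "Before" (IRSA): the role trusts the cluster's OIDC provider and the
# condition ties the role to exactly one namespace/service-account subject.
# Kept here only for contrast; it is what gets removed when switching.
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider}:sub"
      values   = ["system:serviceaccount:kube-system:example-addon"]
    }
  }
}

# "After" (Pod Identity): the principal is the EKS Pod Identity service.
# No OIDC provider and no per-subject condition are needed in the trust policy;
# sts:TagSession is required because the session is tagged with cluster,
# namespace and service-account details.
data "aws_iam_policy_document" "pod_identity_trust" {
  statement {
    actions = ["sts:AssumeRole", "sts:TagSession"]
    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "addon" {
  name               = "example-addon-pod-identity" # assumption
  assume_role_policy = data.aws_iam_policy_document.pod_identity_trust.json
}

# The binding moves to the cluster level. Because the trust policy no longer
# names a subject, several namespace/service-account pairs can share one role
# by creating one association per pair. The map below is constructed for the
# example.
locals {
  service_accounts = {
    primary   = { namespace = "kube-system", service_account = "example-addon" }
    secondary = { namespace = "monitoring", service_account = "example-addon" }
  }
}

resource "aws_eks_pod_identity_association" "addon" {
  for_each = local.service_accounts

  cluster_name    = "example" # assumption: existing cluster
  namespace       = each.value.namespace
  service_account = each.value.service_account
  role_arn        = aws_iam_role.addon.arn
}
```

With this in place the `eks.amazonaws.com/role-arn` annotation on the Kubernetes ServiceAccount is no longer what grants access and can be dropped (step 2 and step 5 of the post); the association is the authoritative binding, so reviewing which pairs may assume a role means listing the associations rather than reading annotations across namespaces. Since the trust policy itself is no longer scoped to a subject, the least-privilege boundary shifts to the set of associations and to the role's permission policy, which can be narrowed further with the session tags Pod Identity sets (for example `aws:PrincipalTag/kubernetes-namespace`) if different service accounts sharing the role need different access.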

Any news on this?

LeoSpyke, Apr 22 '24 12:04