amazon-eks-pod-identity-webhook

1 : X Namespaces : X Clusters

Open vikaskoppineedi opened this issue 3 years ago • 2 comments

What would you like to be added:

Would like to see whether a single IAM Role can be mapped across multiple clusters.

Why is this needed: Today we have multiple clusters logically grouped into a single environment. In each cluster, we have multiple applications running across namespaces. Technically, we want all these pods to share the same IAM Role. But today, IAM for Service Accounts requires us to specify the service account name and the namespace name beforehand, and in the DevOps flow, namespaces are created/maintained by developers, but under strict RBAC. So whenever a new namespace and a new service account shows up, we need to add it to the IAM role trust relationship, which leads us to limits in policy document size.

So I'm not sure whether anyone else has faced this issue, but with so many applications you don't want to maintain multiple IAM roles per cluster per namespace, and having to track and map these changes to the specific application repos is very hard.

vikaskoppineedi avatar Oct 14 '21 18:10 vikaskoppineedi

It seems there are no easy and elegant solutions. You will probably need to create multiple statements in the trust policy, one for each cluster:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1:sub": "system:serviceaccount:*:*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2:sub": "system:serviceaccount:*:*"
        }
      }
    }
  ]
}

Or use multiple providers in Federated but without a Condition block (condition keys do not allow wildcards):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1",
          "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2"
        ]
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}

oshmyrko avatar Nov 23 '21 21:11 oshmyrko
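The two trust policies above differ in a way worth checking mechanically: the per-cluster statements keep a `:sub` condition, while the multi-provider variant drops the Condition block entirely, so every service account in every listed cluster can assume the role. The script below is an added example, not code from the amazon-eks-pod-identity-webhook project or from this thread. It generates the per-statement form for any number of clusters (with a namespace/service-account pattern instead of the bare `*:*`), audits an existing trust document for statements that lack a `:sub` or `:aud` condition, and measures the document against the IAM trust policy length quota. Assumptions: the issuer hosts reuse the placeholder form from the comment (`oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1`, not real issuer URLs); the `:aud` condition with value `sts.amazonaws.com` is the standard audience check for IRSA tokens; the quota figures (2048 characters by default, adjustable to 4096) are AWS IAM service quotas as I know them and should be confirmed against current documentation.

```python
"""Generate and audit IAM role trust policies for IRSA across several clusters.

Added example; not code from the amazon-eks-pod-identity-webhook project.
Issuer hosts follow the placeholder form used in the thread; substitute the
real OIDC issuer of each cluster before use.
"""
import json

ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"
ACCOUNT_ID = "111122223333"  # placeholder account id from the thread
EXAMPLE_ISSUERS = [  # placeholder issuer hosts from the thread
    "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1",
    "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2",
]
TRUST_POLICY_QUOTA = 2048  # IAM default; adjustable up to 4096 (from memory of IAM quotas)

# Constructed copy of the thread's second policy: several providers, no Condition.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{i}" for i in EXAMPLE_ISSUERS]},
        "Action": ASSUME_WEB_IDENTITY,
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id, issuers, namespace_pattern="*", sa_pattern="*"):
    """One Allow statement per cluster issuer. Condition keys cannot be
    wildcarded, so each cluster needs its own statement; each one pins the
    token audience and scopes the subject with a StringLike pattern."""
    statements = []
    for issuer in issuers:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": ASSUME_WEB_IDENTITY,
            "Condition": {
                "StringEquals": {f"{issuer}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{issuer}:sub": f"system:serviceaccount:{namespace_pattern}:{sa_pattern}"},
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_length(policy):
    """Character count of the minified document, which is what the IAM
    trust policy length quota is measured against."""
    return len(json.dumps(policy, separators=(",", ":")))


def audit_trust_policy(policy):
    """Findings for Allow statements that grant AssumeRoleWithWebIdentity to a
    federated provider without a :sub condition (any service account in that
    cluster qualifies), with a fully wildcarded :sub, or without an :aud check."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or ASSUME_WEB_IDENTITY not in _as_list(stmt.get("Action")):
            continue
        # Flatten {"StringLike": {key: value}, ...} into {key.lower(): value};
        # IAM condition keys are matched case-insensitively.
        conditions = {}
        for operator_block in stmt.get("Condition", {}).values():
            for key, val in operator_block.items():
                conditions[key.lower()] = val
        for provider_arn in _as_list(stmt.get("Principal", {}).get("Federated")):
            issuer = provider_arn.split(":oidc-provider/", 1)[-1]
            sub_values = _as_list(conditions.get(f"{issuer}:sub".lower()))
            if not sub_values:
                findings.append(f"statement {idx}: no ':sub' condition for {issuer}; "
                                "any service account in that cluster can assume the role")
            elif any(v == "system:serviceaccount:*:*" for v in sub_values):
                findings.append(f"statement {idx}: ':sub' for {issuer} is wildcarded over namespace and name")
            if f"{issuer}:aud".lower() not in conditions:
                findings.append(f"statement {idx}: no ':aud' condition for {issuer}")
    return findings


if __name__ == "__main__":
    scoped = build_trust_policy(ACCOUNT_ID, EXAMPLE_ISSUERS, namespace_pattern="team-*", sa_pattern="app")
    print(json.dumps(scoped, indent=2))
    print(f"{policy_length(scoped)} chars of {TRUST_POLICY_QUOTA} allowed")
    for finding in audit_trust_policy(UNSCOPED_POLICY):
        print("finding:", finding)
```

Running it prints the generated per-cluster document and its size, then lists one missing-`:sub` and one missing-`:aud` finding per provider for the unscoped variant. Narrowing `namespace_pattern` to a naming convention (for example `team-*`) keeps the per-namespace maintenance burden out of the trust policy while still excluding service accounts that do not follow the convention.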

@vikaskoppineedi, I would also rename this issue to something like "1 role for multiple namespaces and multiple clusters" to better understand the context.

oshmyrko avatar Nov 24 '21 10:11 oshmyrko