amazon-eks-pod-identity-webhook
Allow specifying baseArn to prepend to role names.
Description of changes:
This PR introduces the ability to specify a baseArn to prepend to role names when we detect that the arn passed to the eks.amazonaws.com/role-arn annotation is not fully qualified.
Our use case is that we have different clusters that run in different AWS accounts. This will allow us to use the same manifest to deploy to these different clusters and allow each pod to assume the correct IAM role local to their account.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
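The resolution rule described above, as an added Go example (not the code from this PR): `ResolveRoleARN`, `sampleBaseArn`, the `arn:...:role/` shape of the base value and the conservative character check are all assumptions made for illustration. Fully qualified annotations pass through unchanged, so a base ARN by itself does not confine pods to the local account.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample value (assumption): 111122223333 is a documentation account ID.
const sampleBaseArn = "arn:aws:iam::111122223333:role/"

// Conservative check (assumption): optional path segments plus a role name,
// limited to the characters IAM allows in role names.
var roleNameRE = regexp.MustCompile(`^([\w+=,.@-]+/)*[\w+=,.@-]+$`)

// ResolveRoleARN (hypothetical helper) returns the role ARN to use for the
// value found in the eks.amazonaws.com/role-arn annotation.
func ResolveRoleARN(annotation, baseArn string) (string, error) {
	// Already fully qualified: use exactly what the manifest says.
	if strings.HasPrefix(annotation, "arn:") {
		return annotation, nil
	}
	// A bare role name is only usable when a base ARN is configured.
	if baseArn == "" {
		return "", fmt.Errorf("role %q is not fully qualified and no baseArn is set", annotation)
	}
	// Refuse a malformed base rather than build a string that is not a role ARN.
	if !strings.HasPrefix(baseArn, "arn:") || !strings.HasSuffix(baseArn, ":role/") {
		return "", fmt.Errorf("baseArn %q must end in :role/", baseArn)
	}
	// Reject empty values, whitespace, ':' and anything else outside the set above.
	if !roleNameRE.MatchString(annotation) {
		return "", fmt.Errorf("role %q is not a valid role name", annotation)
	}
	return baseArn + annotation, nil
}

func main() {
	// Constructed annotation values.
	for _, a := range []string{"app-reader", "arn:aws:iam::444455556666:role/app-reader", "bad name"} {
		arn, err := ResolveRoleARN(a, sampleBaseArn)
		fmt.Printf("%q -> %q (err: %v)\n", a, arn, err)
	}
}
```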
Any feedback or comments @aws/eks-contributors?
@jqmichael @josselin-c @micahhausler Any chance someone could take a look at this?
I'd love to see this merged; it's silly to require the role annotation to differ between AWS accounts. Splitting accounts by environment is pretty common practice, as is one cluster per account.
Fixes #56
@nckturner @wongma7 does this look like a worthwhile contribution to you? Please let me know and I will clean up this PR.
Is anyone still working on this patch?
@jyotimahapatra would this approach help anyone running on EKS? I would expect some template like {{clusterAccount}} might be supported in EKS, but configuring a CLI option would only work for self-hosted installations
> would this approach help anyone running on EKS? I would expect some template like {{clusterAccount}} might be supported in EKS, but configuring a CLI option would only work for self-hosted installations

Correct. This is right now relevant for self-hosted installations.
How this would work on EKS is a problem for EKS. It is not particularly relevant for the amazon-eks-pod-identity-webhook project.
> How this would work on EKS is a problem for EKS. It is not particularly relevant for the amazon-eks-pod-identity-webhook project.

Correct. Once this is implemented, EKS can make it work by default.