
Amazon EKS Pod Identity Webhook

Results 92 amazon-eks-pod-identity-webhook issues

**What happened**: I'm running a pod with a service account (annotated with a role). Inside the pods these environment variables are mounted: AWS_WEB_IDENTITY_TOKEN_FILE AWS_REGION AWS_ROLE_ARN inside the pod, when m...

**What would you like to be added**: Documentation should: 1. Call out use of WebIdentityTokenCredentialProvider in the default CredentialProvider chain. 2. Dockerfile must explicitly specify the non-root `USER` directive This...

**What would you like to be added**: I'd like to decouple the IAM roles' trust policy from kubernetes cluster details, while maintaining the service account level access controls. The condition...

Hi, I'm seeing the below issue when bringing up the new pods. Almost all the pods in namespace have this issue. I checked all the resources, OIDC role, policy, etc. Everything looks...

I am running this amazon-eks-pod-identity-webhook in several self-hosted k8s in AWS. We were on k8s 1.17.x; now, while upgrading to k8s 1.20.x, we noticed that kubeadm spits out: Default k8s...

**What would you like to be added**: It would be nice to have [a readiness gate](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-readiness-gate) that checks if the AWS role defined in the service account was successfully picked...

**What happened**: I have added the below annotation as mentioned in the document, but the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables are still getting added to the ignored containers. ``` apiVersion: v1 kind: Pod...

**What happened**: A few days ago, we noticed that some operations that used to succeed on AWS from our pods started to receive 403s. After a lot of investigation, we...

**What would you like to be added**: Annotations (say `eks.amazonaws.com/include-containers`, `eks.amazonaws.com/exclude-containers`, `eks.amazonaws.com/include-init-containers`, `eks.amazonaws.com/exclude-init-containers`) to whitelist/blacklist containers/init containers from having access to the injected projected ServiceAccount token **Why is this needed**: Currently...

CVE-2021-3121 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121 ) covers an issue in GoGo Protobuf. It is fixed with version 1.3.2. Update the vendoring of gogo/protobuf appropriately. `go get -u github.com/gogo/protobuf ; go mod tidy...