
[EKS]: allow EKS Pod Identity association to accept a glob for the service account name (my-sa-*)

Open jcooklin opened this issue 1 year ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request What do you want us to build?

Enhance the EKS create-pod-identity-association API to accept a glob for the service account. There are cases where the service account is dynamically provided and will have the form my-sa-. I would like the ability to define the serviceAccount name in this case as "my-sa-*" in the create-pod-identity-association call.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? This will enable EKS pod identity to be used in cases where the service account name is being managed by another controller on the cluster.

Are you currently working around this issue? We can continue to use IRSA with a trust policy that includes a condition and StringLike operator and statement like "${ISSUER_HOSTPATH}:sub": "system:serviceaccount:default:my-sa-*"

jcooklin avatar Dec 07 '23 18:12 jcooklin
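The IRSA workaround mentioned in the issue, written out as an added example (not from the issue author): an IAM role trust policy where the token's `sub` claim is matched with StringLike, so any service account named my-sa-* in the default namespace can assume the role. The account id 111122223333, the region and the OIDC provider id EXAMPLEOIDCID are placeholders standing in for ${ISSUER_HOSTPATH}.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID:sub": "system:serviceaccount:default:my-sa-*"
        }
      }
    }
  ]
}
```

The StringEquals check on `aud` keeps the glob from widening the trust beyond tokens minted for STS, and the namespace segment stays literal so the wildcard only spans the service-account name, not the namespace.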

Please allow wildcards to be applied to namespaces as well.

ssup2 avatar Dec 11 '23 00:12 ssup2

The ability to use a glob for the namespace would allow us to fully migrate from IRSA to Pod Identities.

joshuabaird avatar Feb 12 '24 19:02 joshuabaird

Agreed with everything here, it would be super useful for us as well. We have more or less ephemeral namespaces that don't have predictable names where pod identity associations can be created in advance, so we're not able to leverage this unfortunately.

evandam avatar Feb 21 '24 22:02 evandam

It might be out of scope but since the controller is in cluster to do the evaluations...

Maybe an additional solution is optionally targeting all namespaces that have a label defined matching a value.

I don't know enough about the internals of the project to judge the viability of this model, but a mixture of namespace by name, namespace with globbing, and namespace matching label(s) would be quite powerful for more on-demand use.

danielloader avatar Feb 21 '24 22:02 danielloader

We need this too

rafilkmp3 avatar May 15 '24 18:05 rafilkmp3

fyi code is here now - https://github.com/aws/eks-pod-identity-agent 🙏🏾

dims avatar Jun 18 '24 11:06 dims