[EKS] [request]: Open source EKS Pod Identity agent

Open georgejohnis opened this issue 1 year ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

Amazon EKS recently launched EKS Pod Identity, a new feature that simplifies how IAM credentials can be granted to pods running on EKS clusters. See [1] and [2] to learn more about the feature. The Pod Identity feature requires an agent (called EKS Pod Identity Agent) to be running on every worker node to help exchange JWT tokens for temporary IAM credentials. This agent is made available to customers today as an EKS Add-on. This request is to open source the agent source code so that users can bake the agent as part of the worker node AMI or use Helm to install the agent. Please vote and/or provide feedback if you have a use case/need for the agent to be open sourced.

[1] What's new post [2] EKS Docs

Which service(s) is this request for?

EKS

georgejohnis avatar Dec 13 '23 19:12 georgejohnis

Can the agent run on the control plane?

csantanapr avatar Dec 13 '23 22:12 csantanapr

Can you release a Helm chart for the agent?

infa-ddeore avatar Dec 14 '23 02:12 infa-ddeore

My organization (a large enterprise in the financial services sector) will be able to increase the applicable use cases for EKS substantially, probably doubling our usage of EKS, by switching to Pod Identity Agent from IRSA. To make the switch, we need to be able to deploy any services, including any add-ons like this one, matching our configuration requirements. This change would enable us to use the add-on and expand our covered use cases.

r5sec5cyl avatar Jan 26 '24 19:01 r5sec5cyl

Why doesn't the EKS Pod Identity Agent use the service-account-role-arn for IAM roles for service accounts, and why must you provide the EKS Pod Identity Agent with permissions in the node role?

rubroboletus avatar Mar 06 '24 08:03 rubroboletus

Hi @georgejohnis -- is there any chance of AWS releasing the helm chart that drives this addon so that users can choose to deploy it using their own tooling instead of being forced to use the EKS Addons API?

joshuabaird avatar Jun 10 '24 17:06 joshuabaird

Hi @georgejohnis -- is there any chance of AWS releasing the helm chart that drives this addon so that users can choose to deploy it using their own tooling instead of being forced to use the EKS Addons API

Thank you for the feedback. We will evaluate your request to make the agent available as a helm chart.

georgejohnis avatar Jun 10 '24 23:06 georgejohnis

fyi code is here now - https://github.com/aws/eks-pod-identity-agent 🙏🏾

dims avatar Jun 17 '24 21:06 dims

Resolving this issue since EKS open sourced Pod Identity agent on June 14th 2024. See launch announcement here.

georgejohnis avatar Jun 19 '24 20:06 georgejohnis