
[EKS] [eks-pod-identity]: Allow Namespace wildcards in Pod Identity Associations

Open tdekeizer opened this issue 1 year ago • 5 comments

Hi Team,

We are keen to utilise pod identities but a significant road block for our application is the need to create a pod identity association per namespace.

We have the same deployment per tenant but use a separate namespace per tenant as per general security recommendations. The Service Account and Role used by the application is the same for each tenant's deployment, but given that the namespace needs to be specified exactly in the pod identity association, we require a pod identity association per tenant as well.

As our tenant namespaces can be easily represented by a simple regular expression it would be simpler to be able to add a single pod identity association using a namespace specified using a regular expression.

Look forward to your feedback and responses on this request. :-)

Tony


tdekeizer, Jul 22 '24 23:07

I'd like to have preview environments in my staging EKS cluster; each preview would have its own namespace; but I'm blocked by the fact I can't make my staging IAM roles available for service accounts inside wildcarded namespaces :(

Would be amazing to have this flexibility.

PS: I'm working around with IRSA, which supports wildcards on trust relationship conditions.

7onn, Jul 14 '25 10:07
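The IRSA workaround mentioned above, as an added example (not code from the commenter or from the containers-roadmap project): a trust policy whose `sub` condition wildcards only the namespace segment of the Kubernetes subject, plus a helper that checks which namespace/service-account pairs it admits. The OIDC provider id, account id and names are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholders; substitute the cluster's OIDC provider and account.
OIDC_PROVIDER = "oidc.eks.REGION.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
ACCOUNT_ID = "123456789012"


def irsa_trust_policy(namespace_pattern: str, service_account: str) -> dict:
    """Build an IRSA trust policy. The wildcard lives only in the namespace
    segment, so the service-account name stays pinned and 'aud' stays exact."""
    sub_pattern = f"system:serviceaccount:{namespace_pattern}:{service_account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_PROVIDER}:sub": sub_pattern},
            },
        }],
    }


def sub_allowed(policy: dict, namespace: str, service_account: str) -> bool:
    """Return True if the policy's StringLike sub condition admits this
    namespace/service-account pair. IAM StringLike uses '*' and '?' just as
    fnmatch does (case-sensitive); '[...]' classes are not used here."""
    condition = policy["Statement"][0]["Condition"]["StringLike"]
    pattern = condition[f"{OIDC_PROVIDER}:sub"]
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    return fnmatch.fnmatchcase(subject, pattern)


def pattern_is_scoped(namespace_pattern: str, service_account: str) -> bool:
    """Reject patterns that admit every namespace or every service account;
    the wildcard must keep a tenant prefix so only 'tenant-*' namespaces match,
    and namespace creation under that prefix must itself be RBAC-restricted."""
    bare = namespace_pattern.replace("*", "").replace("?", "")
    return bool(bare) and "*" not in service_account and "?" not in service_account


if __name__ == "__main__":
    policy = irsa_trust_policy("tenant-*", "app-sa")
    print(json.dumps(policy, indent=2))
```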

Agreed. This feature would provide greater flexibility in managing permissions for ephemeral environments, such as feature environments. In the meantime, our workaround involves using an infrastructure Helm chart to provision IAM roles and policies via Crossplane, which introduces a drift compared to the deployment approach used for persistent environments like production.

PierreRAFFA, Aug 03 '25 18:08

+1 to this - I'm blocked on migrating to pod-identity from IRSA due to needing dynamic namespaces for our ephemeral/adhoc environments.

chris-codaio, Sep 29 '25 21:09

We've just been migrating to Pod Identity and have the same issue. However it looks like AWS Controllers for Kubernetes (ACK) might be a good solution to this, with resources for it deployed alongside any ephemeral environments. https://aws-controllers-k8s.github.io/community/reference/eks/v1alpha1/podidentityassociation/

cablespaghetti, Oct 03 '25 16:10

This is a blocker, please fix this.

MrNocTV, Dec 05 '25 04:12