
Allow using an IAM role for the VPC CNI service account

Open nhinds opened this issue 5 years ago • 1 comment

Problem description

AWS has documentation for how to use IAM Roles for Service Accounts (IRSA) with the VPC CNI: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-cni-walkthrough.html

The walkthrough requires updating the aws-node ServiceAccount with the eks.amazonaws.com/role-arn annotation, but this module is already managing that ServiceAccount: https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/cni/aws-k8s-cni.yaml#L25-L30

It also looks like the VPC CNI is version 1.6.0, and the guide recommends 1.6.1, although I don't believe that's a hard requirement for using IRSA.

Suggestions for a fix

Could the VpcCniOptions be extended to allow passing in the IAM role annotation to the ServiceAccount? Or perhaps the Cluster component could have a parameter to create the IAM role with the correct OIDC trust policy itself, and pass that role on to the VPC CNI?

nhinds avatar May 24 '20 23:05 nhinds
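The second suggestion above, a role whose OIDC trust policy is scoped to the aws-node ServiceAccount plus the eks.amazonaws.com/role-arn annotation the walkthrough asks for, written as an added example that is not pulumi-eks code. It builds the policy document as plain TypeScript so it can be checked offline; the account id and OIDC issuer URL are constructed placeholders, and wiring the output into aws.iam.Role and the ServiceAccount is left to the caller.

```typescript
// Added example (not part of pulumi-eks): IAM trust policy and ServiceAccount
// annotation needed to run the VPC CNI under IRSA.

export interface IrsaTrustInputs {
  accountId: string;      // AWS account that owns the cluster's OIDC provider
  oidcIssuerUrl: string;  // cluster OIDC issuer, e.g. https://oidc.eks.<region>.amazonaws.com/id/<ID>
  namespace: string;      // "kube-system" for the VPC CNI
  serviceAccount: string; // "aws-node" for the VPC CNI
}

export interface TrustPolicy {
  Version: string;
  Statement: Array<{
    Effect: string;
    Principal: { Federated: string };
    Action: string;
    Condition: { StringEquals: Record<string, string> };
  }>;
}

// IAM condition keys use the issuer without its scheme, so strip it and
// reject anything that does not look like an EKS OIDC issuer.
export function oidcProviderId(issuerUrl: string): string {
  const id = issuerUrl.replace(/^https?:\/\//, "").replace(/\/+$/, "");
  if (!id.startsWith("oidc.eks.") || !id.includes("/id/")) {
    throw new Error(`unexpected EKS OIDC issuer: ${issuerUrl}`);
  }
  return id;
}

export function cniTrustPolicy(i: IrsaTrustInputs): TrustPolicy {
  const provider = oidcProviderId(i.oidcIssuerUrl);
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${i.accountId}:oidc-provider/${provider}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      // Pin audience and subject so only this one ServiceAccount can assume the role,
      // not every pod in the cluster that presents a projected token.
      Condition: {
        StringEquals: {
          [`${provider}:aud`]: "sts.amazonaws.com",
          [`${provider}:sub`]: `system:serviceaccount:${i.namespace}:${i.serviceAccount}`,
        },
      },
    }],
  };
}

// The annotation the walkthrough adds to the aws-node ServiceAccount.
export function cniServiceAccountAnnotation(roleArn: string): Record<string, string> {
  return { "eks.amazonaws.com/role-arn": roleArn };
}
```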

Any update on this? This is the recommended practice; surprising that Pulumi EKS isn't supporting this configuration.

irl-segfault avatar Jun 28 '21 04:06 irl-segfault