Add support for EKS Pod Identity #416

Open
wants to merge 2 commits into main

Conversation

@tongshen-stephanie tongshen-stephanie commented Jan 8, 2025

Issue #, if available: Closes #300

Description of changes:
Introduce an optional parameter usePodIdentity to support EKS Pod Identity

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@tongshen-stephanie tongshen-stephanie requested a review from a team as a code owner January 8, 2025 17:53
@tongshen-stephanie tongshen-stephanie changed the title Add support for Pod Idenity Add support for EKS Pod Identity Jan 8, 2025
@codecov-commenter

Codecov Report

Attention: Patch coverage is 73.39450% with 29 lines in your changes missing coverage. Please review.

Project coverage is 51.74%. Comparing base (be94dd0) to head (a34275e).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| auth/auth.go | 71.42% | 20 Missing and 6 partials ⚠️ |
| server/server.go | 83.33% | 1 Missing and 2 partials ⚠️ |
Additional details and impacted files
```text
@@            Coverage Diff             @@
##             main     #416      +/-   ##
==========================================
+ Coverage   49.67%   51.74%   +2.06%     
==========================================
  Files           9        9              
  Lines         781      862      +81     
==========================================
+ Hits          388      446      +58     
- Misses        383      398      +15     
- Partials       10       18       +8     
```


*Note: EKS Pod Identity option is only supported for EKS in the Cloud. It's not supported for [Amazon EKS Anywhere](https://aws.amazon.com/eks/eks-anywhere/), [Red Hat Openshift Service on AWS (ROSA)](https://aws.amazon.com/rosa/) and self-managed Kubernetes clusters on Amazon Elastic Compute Cloud (Amazon EC2) instances.*
1. Install Amazon EKS Pod Identity Agent Add-on on the cluster.
```shell
eksctl create addon --name eks-pod-identity-agent --cluster "$CLUSTERNAME" --version v1.0.0-eksbuild.1 --region="$REGION"
```
Contributor

The version flag is optional. Let's remove it or set it to latest, otherwise we'll have to bump it in this README.

https://eksctl.io/usage/addons/#setting-the-addons-version

irsaAudience = "sts.amazonaws.com"
podIdentityAudience = "pods.eks.amazonaws.com"
ProviderName = "secrets-store-csi-driver-provider-aws"
defaultPodIdentityAgentEndpoint = "http://169.254.170.23/v1/credentials"
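Review bot: the two audiences (irsaAudience = sts.amazonaws.com, podIdentityAudience = pods.eks.amazonaws.com) and the agent endpoint are package-level constants that a boolean picks between at call sites, which is where a token minted for one audience can end up sent to the other path; the pods.eks.amazonaws.com token is the only one that may be presented to defaultPodIdentityAgentEndpoint, and the sts.amazonaws.com token the only one that may go to STS. Make the audience and the endpoint fields of the credential path (one value per implementation) rather than free constants, so a mismatch cannot compile. Since the name says "default", also document where the endpoint can be overridden and restrict an override to the link-local agent addresses (the IPv4 169.254.170.23 here, plus the IPv6 address if supported), because any other host configured there would receive the pod's identity token over plain http.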
Contributor

The default pod identity agent IPV6 address is fd00:ec2::23, can we support IPV6 as long as the customer hasn't disabled IPV6 in their cluster?

https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html#pod-id-considerations


fetcher := &authTokenFetcher{p.nameSpace, p.svcAcc, p.podName, p.k8sClient, p.usePodIdentity}

if p.usePodIdentity {
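Review bot: the authTokenFetcher literal two lines up uses unkeyed fields for a five-field struct (nameSpace, svcAcc, podName, k8sClient, usePodIdentity); adding or reordering a field later compiles silently with values in the wrong slots, and three of them are strings, so use keyed fields, e.g. `&authTokenFetcher{nameSpace: p.nameSpace, svcAcc: p.svcAcc, podName: p.podName, k8sClient: p.k8sClient, usePodIdentity: p.usePodIdentity}`. The `if p.usePodIdentity {` branch that follows then re-selects the credential path in the caller even though the fetcher already carries usePodIdentity; keep that decision in one place.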
Contributor

Instead of doing this, you could write an interface for providing credentials and have two implementations of that interface, one for PIA and one for IRSA.
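One shape the interface suggested in the comment above could take, as an added example that is not code from this PR or from the secrets-store-csi-driver-provider-aws project. It implements the Pod Identity side against the agent endpoint from the constants earlier in the thread, brackets the IPv6 agent address raised in the endpoint comment, and fails closed when the agent rejects the token. The agent contract is assumed here rather than taken from the page: the projected token is sent verbatim in the Authorization header and the reply is the container-credential JSON shape (AccessKeyId, SecretAccessKey, Token, Expiration). AgentURL, PodIdentityProvider, RetrieveAgainstFakeAgent, the in-process fake agent and every credential value are constructed for this example; the existing IRSA/STS code would be the second implementation of CredentialProvider and is not reproduced.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Credentials is what both credential paths (IRSA and Pod Identity) hand back.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}
// CredentialProvider is the per-path interface suggested in review; the existing IRSA/STS code would be its second implementation.
type CredentialProvider interface {
	Retrieve(ctx context.Context) (Credentials, error)
}
const defaultPodIdentityAgentHost = "169.254.170.23" // IPv4 agent address from the PR
const podIdentityAgentPath = "/v1/credentials"
// AgentURL builds the agent endpoint, bracketing an IPv6 literal such as fd00:ec2::23; an empty host selects the IPv4 default.
func AgentURL(host string) string {
	if host == "" {
		host = defaultPodIdentityAgentHost
	}
	if ip := net.ParseIP(host); ip != nil && ip.To4() == nil {
		host = "[" + host + "]"
	}
	return "http://" + host + podIdentityAgentPath
}
// PodIdentityProvider talks to the EKS Pod Identity Agent. TokenFile is the projected token for audience pods.eks.amazonaws.com,
// sent verbatim as the Authorization header (assumed agent contract); an IRSA (sts.amazonaws.com) token must never go here.
type PodIdentityProvider struct{ Endpoint, TokenFile string }
type agentResponse struct { // assumed container-credential JSON shape of the agent reply
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Expiration      string `json:"Expiration"`
}

func (p *PodIdentityProvider) Retrieve(ctx context.Context) (Credentials, error) {
	raw, err := os.ReadFile(p.TokenFile)
	token := strings.TrimSpace(string(raw))
	if err != nil || token == "" {
		return Credentials{}, fmt.Errorf("pod identity token unavailable: %v", err)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, p.Endpoint, nil)
	if err != nil {
		return Credentials{}, err
	}
	req.Header.Set("Authorization", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return Credentials{}, fmt.Errorf("call pod identity agent: %w", err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if resp.StatusCode != http.StatusOK { // report the status only, never the body or the token
		return Credentials{}, fmt.Errorf("pod identity agent returned HTTP %d", resp.StatusCode)
	}
	var ar agentResponse
	if err := json.Unmarshal(body, &ar); err != nil {
		return Credentials{}, fmt.Errorf("decode agent response: %w", err)
	}
	exp, err := time.Parse(time.RFC3339, ar.Expiration)
	if err != nil || ar.AccessKeyID == "" || ar.SecretAccessKey == "" || ar.Token == "" {
		return Credentials{}, fmt.Errorf("agent response is missing credential fields")
	}
	return Credentials{AccessKeyID: ar.AccessKeyID, SecretAccessKey: ar.SecretAccessKey, SessionToken: ar.Token, Expiration: exp}, nil
}

// RetrieveAgainstFakeAgent runs the provider against a constructed in-process agent that accepts only the token
// "good-token" and answers with fake credentials; tokenOnDisk is what gets written to the token file.
func RetrieveAgainstFakeAgent(tokenOnDisk string) (Credentials, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != podIdentityAgentPath || r.Header.Get("Authorization") != "good-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		_ = json.NewEncoder(w).Encode(agentResponse{AccessKeyID: "ASIAFAKEEXAMPLE", SecretAccessKey: "fake-secret",
			Token: "fake-session-token", Expiration: "2030-01-01T00:00:00Z"}) // constructed values
	}))
	defer srv.Close()
	tokenFile := filepath.Join(os.TempDir(), "eks-pod-identity-token.example")
	if err := os.WriteFile(tokenFile, []byte(tokenOnDisk+"\n"), 0o600); err != nil {
		return Credentials{}, err
	}
	defer os.Remove(tokenFile)
	var p CredentialProvider = &PodIdentityProvider{Endpoint: srv.URL + podIdentityAgentPath, TokenFile: tokenFile}
	return p.Retrieve(context.Background())
}

func main() {
	c, err := RetrieveAgainstFakeAgent("good-token")
	fmt.Println(c.AccessKeyID, c.Expiration, err, AgentURL("fd00:ec2::23"))
}
```

The point of the interface is that the audience, the token file and the endpoint travel together inside one implementation, so a caller that holds a CredentialProvider cannot pair an IRSA token with the agent endpoint. Retrieve also deliberately surfaces only the HTTP status on failure: the response body and the token are never copied into an error that may end up in pod logs.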

Successfully merging this pull request may close these issues.

Pod Identity Association support
3 participants