
Switch to IRSAv2/pod identity #289

Open
bryantbiggs opened this issue Nov 1, 2023 · 7 comments
Labels
BREAKING CHANGE enhancement New feature or request
Comments

@bryantbiggs
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

  • Switch permissions access from IRSA to pod identity (IRSAv2)

Describe the solution you would like

  • Switch permissions access from IRSA to pod identity (IRSAv2)

Describe alternatives you have considered

Additional context

  • The addons that use pod identity will need to use an AWS SDK version that supports pod identity. Therefore, the scope of changes required for this request is:
  1. Change role assumption in addon module to trust pod identity service endpoint
  2. Remove IRSA annotation in the addon module
  3. Update addon module version used in this project to reflect version that captures changes from 1 and 2
  4. Update addon versions for those using pod identity to use a version that supports the MSV of the AWS SDK for pod identity
  5. Remove the annotation references for IRSA in the respective addons (reference)

The last step will be the association which will happen at the cluster level (associate the pod identity with the cluster)
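
As an added illustration of steps 1, 5 and the final association (example code, not code from this issue or from the aws-ia module), the IRSA trust policy beside its pod identity replacement, plus the cluster-level association. The cluster name, namespace, service account and the OIDC variables are constructed placeholders.

```terraform
# Added example, not the module's own code. "example-cluster", "kube-system" and
# "aws-load-balancer-controller" are placeholders; the OIDC variables stand in for
# the cluster's IRSA provider.
variable "oidc_provider_arn" { type = string } # arn:aws:iam::<account>:oidc-provider/<issuer host/path>
variable "oidc_provider" { type = string }     # issuer host/path without https://, used as condition key prefix

# Before (IRSA): the role trusts the cluster's OIDC provider, and the scope to one
# namespace/service-account pair is enforced inside the trust policy itself.
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider}:sub"
      values   = ["system:serviceaccount:kube-system:aws-load-balancer-controller"]
    }
  }
}

# After (step 1): the role trusts the EKS Pod Identity service principal instead.
# sts:TagSession is needed because the service tags the session with cluster,
# namespace and service-account details. Note the trust policy itself no longer
# names a namespace or service account; that scoping moves to the association.
data "aws_iam_policy_document" "pod_identity_trust" {
  statement {
    actions = ["sts:AssumeRole", "sts:TagSession"]
    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "addon" {
  name               = "example-addon"
  assume_role_policy = data.aws_iam_policy_document.pod_identity_trust.json
}

# Last step: the binding that the eks.amazonaws.com/role-arn annotation used to
# carry (removed in steps 2 and 5) now lives at the cluster level. Each
# association covers exactly one namespace/service-account pair, so binding a
# second service account to the same role means a second association resource.
resource "aws_eks_pod_identity_association" "addon" {
  cluster_name    = "example-cluster"
  namespace       = "kube-system"
  service_account = "aws-load-balancer-controller"
  role_arn        = aws_iam_role.addon.arn
}
```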

@bryantbiggs bryantbiggs added this to the v2.0 milestone Nov 1, 2023
@FernandoMiguel

where can I read more on v2 changes?

@bryantbiggs
Contributor Author

those are captured in the v2 milestone https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/milestone/1

@cdenneen

cdenneen commented Nov 6, 2023

@bryantbiggs I think @FernandoMiguel was asking for v2 changes, meaning "IRSAv2/pod identity". I haven't seen any blog post or announcement from AWS on this change and what it entails as a replacement for the current IRSA.

@bryantbiggs
Contributor Author

That's because it's not released yet

@bryantbiggs
Contributor Author

here is something along the lines of what it will look like - https://github.com/clowdhaus/terraform-aws-irsa-v2

@cdenneen

cdenneen commented Nov 8, 2023

Any thoughts on the resource "aws_eks_cluster_role_association" having the namespace/service_account be a hash? That way you can assign multiple namespace/service_account pairs to the same role?

@github-actions github-actions bot added the stale label Dec 9, 2023
@aws-ia aws-ia deleted a comment from github-actions bot Dec 9, 2023
@bryantbiggs bryantbiggs removed the stale label Dec 9, 2023
@github-actions github-actions bot added the stale label Jan 8, 2024
@aws-ia aws-ia deleted a comment from github-actions bot Jan 8, 2024
@bryantbiggs bryantbiggs removed the stale label Jan 8, 2024
@github-actions github-actions bot added the stale label Feb 8, 2024
@aws-ia aws-ia deleted a comment from github-actions bot Feb 8, 2024
@askulkarni2 askulkarni2 added enhancement New feature or request and removed stale labels Feb 8, 2024
@LeoSpyke
Contributor

Any news on this?
