-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide support for Amazon EKS Pod Identity Webhook #457
Comments
Not sure how stable this is at the moment though. |
@zach-dunton-sf What is the status of that project? Is it considered stable or still experimental? If experimental, not sure if we should go there already imo. |
It’s still experimental, I’m going to put together a build in a couple
hours to test it out. The PR itself is pretty simple, 15-20 lines.
…On Thu 14. Nov 2019 at 13:02, Tom Kerkhove ***@***.***> wrote:
@zach-dunton-sf <https://github.com/zach-dunton-sf> What is the status of
that project? Is it considered stable or still experimental?
If experimental, not sure if we should go there already imo.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#457?email_source=notifications&email_token=AEH7ZDN2SPZ6GRHBZAHMKX3QTU45LA5CNFSM4JNJ5WWKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEBTFXQ#issuecomment-553857758>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEH7ZDJPOPDNYI5SGKEEXGDQTU45LANCNFSM4JNJ5WWA>
.
|
That's fine for me but I don't know if we want to support this until it's a bit more stable. We'll have to support something that might cause issues on our side. What do you think @jeffhollan? |
I misread your question. I think the project from AWS is stable since recently. It's been an option in EKS since September 3, 2019. The PR I was working on also supports 3rd party solutions such as Kiam and kube2iam, which were the official "un-official" tools until this came out. https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html |
In that case I think we're good to go with the official support, not sure on Kiam though if I may be frank. All providers that we add are good, but also have to maintain them. In this case, I'd wait until there is customer demand for Kiam over AWS-based project and learn where it is lacking, but that's just my view |
We are currently using kiam, It's just grabbing an annotation from the PodSpecTemplate, it's even smaller than AWS official solution. I think that until support for non EKS clusters is better for the webhook that kiam should be supported, the helm chart is still in progress for the webhook. In both cases the PR just grabs the role name from the annotation and is using it to fill awsRoleArn in the trigger auth. |
What do you think @jeffhollan @ahmelsayed ? |
LGTM |
hi all, anyone do this? |
@zach-dunton-sf hi, for aws auth, I have a question, why should I set awsRoleArn? For mainstream solutions: kube2iam and EKS Pod Identity, it is not necessary. |
When this issue is closed, you will no longer need to set awsRoleArn. The PR to close this issue will read the annotation from the appropriate place and use that instead of awsRoleArn. I just got back from holiday, I will try and get this done today or tomorrow. |
Here is a PR for kiam and EKS webhook #499 |
Done via #499 |
Signed-off-by: GitHub <noreply@github.com>
Provide support for Amazon EKS Pod Identity Webhook that would simplify authentication with AWS.
The text was updated successfully, but these errors were encountered: