-
Notifications
You must be signed in to change notification settings - Fork 807
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Allow to set automountServiceAccountToken in ServiceAccount #1619
Conversation
Welcome @kahirokunn! |
Hi @kahirokunn. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs testing with IRSA:
If this breaks IRSA, it should default on
If this doesn't break IRSA, I think we should consider just setting it to false directly, rather than exposing an option (as the option should never matter)
Otherwise lgtm, I'll test and report back on IRSA interactions
@ConnorJC3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, upon further reflection, I think this is fine as is. There are usecases where we need the creds, such as the node untainting feature, so this config should be left up to the user.
lgtm, cc @torredil for review
/retest Hey there, thanks for your contribution. Just one quick thing from me:
Some general feedback: Suggest providing more context in the PR description. We mention that we're allowing users to configure the parameter and link to the relevant docs -- which is very helpful -- but it would be excellent to explain why a user might want to configure this setting and the implications for doing so. I've had some success in situations like this in the past by spending a few extra minutes providing clarity which might help reviewers get your changes merged in a timely manner 👍 |
/ok-to-test |
@torredil Okay. How about now? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @kahirokunn /lgtm
@torredil https://github.com/aws/eks-charts/blob/620e0169ec96d79086f004235d7b1764a60dbc40/stable/aws-load-balancer-controller/values.yaml#L25 |
Since there are other environments than the EKS environment, default false may be acceptable. |
Either is fine. |
/hold @kahirokunn yeah, I think we should set this to default Once the default is changed (don't forget to regenerate the |
@ConnorJC3 thx. done. 👍 |
4ff7a8c
to
9a30a54
Compare
@kahirokunn: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes Signed-off-by: kahirokunn <okinakahiro@gmail.com>
I went ahead and manually cleaned the commit message to make the bot happy. /remove-hold |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ConnorJC3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This is not accurate, kubernetes 1.24 still mounts tokens as it did before. Those tokens are no longer stored in Secret API objects, but are still mounted by default. |
@@ -29,7 +29,8 @@ For more information, review ["Creating the Amazon EBS CSI driver IAM role for s | |||
|
|||
There are several methods to grant the driver IAM permissions: | |||
* Using IAM [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) - attach the policy to the instance profile IAM role and turn on access to [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for the instance(s) on which the driver Deployment will run | |||
* EKS only: Using [IAM roles for ServiceAccounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value `controller.serviceAccount.name`, `ebs-csi-controller-sa` by default | |||
* EKS only: Using [IAM roles for ServiceAccounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - create an IAM role, attach the policy to it, then follow the IRSA documentation to associate the IAM role with the driver Deployment service account, which if you are installing via Helm is determined by value `controller.serviceAccount.name`, `ebs-csi-controller-sa` by default. If you are using k8s 1.24 or higher, the ServiceAccountToken is not mounted because the `LegacyServiceAccountTokenNoAutoGeneration` feature gate is enabled. | |||
Therefore, if you are using k8s 1.24 or higher, you need to set `true` to `controller.serviceAccount.autoMountServiceAccountToken`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what if you don't install using HELM, what's the way to set this automountServiceAccountToken? For example, people might install through aws eks create-addon --addon-name aws-ebs-csi-driver
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to know too.
Is this a bug fix or adding new feature?
new feature
What is this PR about? / Why do we need it?
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
Since k8s 1.24, TOKEN is not mounted automatically.
If you want to access with IRSA, you need to use a token.
Allow to set automountServiceAccountToken in ServiceAccount
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
What testing is done?
done.