✨ Add IRSA to EKS workload clusters #2070
Hi @MarcusNoble. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Maybe the iam stuff should be toggled? Those seem like pretty heavy hitting permissions.
All of this functionality should be behind the EnableIAM flag as there is a risk of privilege escalation.
/ok-to-test I think we need to get e2e tests in place before we add more features.
Not too long until they are ready....got distracted by other work last week.
Generally looking good to me.
@randomvariable most of the code is behind the
/assign @vincepri
pkg/cloud/services/eks/oidc.go
```go
func (s *Service) buildOIDCTrustPolicy() string {
	providerARN := s.scope.ControlPlane.Status.OIDCProvider.ARN

	return fmt.Sprintf(`{
```
I think we should probably change this from an embedded string to use the iam types we have:
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/master/cmd/clusterawsadm/api/iam/v1alpha1/types.go#L66
👍
@MarcusNoble - this is looking good to me. Would you be able to squash the commits so that it tells a story?
/unhold We can bring this back to consideration
/test ?
@MarcusNoble: The following commands are available to trigger jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test pull-cluster-api-provider-aws-e2e-eks
@MarcusNoble - that failed quick :( Looks like there are some files have been removed from the
Ah! I thought it was me not rebasing. Looks like it was removed here: 30d870e#diff-4f4d6d4dd9d639f8061109d558a575d7b2d69335cc9427579ad1bd8b01842406
Just created #2199 with an update to the script. I've just set the tests off on that PR
/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e-eks
lgtm in principle squash that "clean up" commit perhaps. /assign @richardcase
/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e-eks
/lgtm
The e2e tests passed so: /approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What this PR does / why we need it:
Creates an OIDC Identity Provider and associates it with the managed control plane so IAM Roles for Service Accounts can be used in the workload cluster.
An example boilerplate trust policy needed for an IAM role to be usable by service accounts is provided as a ConfigMap in the default namespace of the workload cluster (envsubst compatible).
Which issue(s) this PR fixes: Fixes #2054
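The trust policy the PR ships as a ConfigMap, and the reviewer's suggestion to build it from typed structs rather than an embedded string, can be illustrated with the following added example. It is not code from cluster-api-provider-aws; the `TrustPolicy` and `Statement` types, the `BuildIRSATrustPolicy` function and the sample ARN are assumptions for this example, and it scopes the policy to one service account with the `:sub` and `:aud` conditions that keep the role from being assumable by every pod in the cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal typed model of an IAM trust policy, assumed for this example; not the
// provider's iam/v1alpha1 types.
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}
type Statement struct {
	Effect    string                       `json:"Effect"`
	Principal map[string]string            `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

// BuildIRSATrustPolicy renders a trust policy that only the named service account
// can use. Without the ":sub" condition any pod in the cluster could assume the
// role, which is the privilege-escalation risk raised in the review.
func BuildIRSATrustPolicy(providerARN, namespace, serviceAccount string) (string, error) {
	// The condition-key prefix is the provider ARN with "arn:aws:iam::<acct>:oidc-provider/" removed.
	const marker = ":oidc-provider/"
	i := strings.Index(providerARN, marker)
	if i < 0 {
		return "", fmt.Errorf("not an OIDC provider ARN: %q", providerARN)
	}
	issuer := providerARN[i+len(marker):]
	p := TrustPolicy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:    "Allow",
			Principal: map[string]string{"Federated": providerARN},
			Action:    "sts:AssumeRoleWithWebIdentity",
			Condition: map[string]map[string]string{"StringEquals": {
				issuer + ":sub": "system:serviceaccount:" + namespace + ":" + serviceAccount,
				issuer + ":aud": "sts.amazonaws.com",
			}},
		}},
	}
	b, err := json.MarshalIndent(p, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}
```

The rendered JSON can be dropped into the ConfigMap in place of the envsubst template, with namespace and service account name supplied per role rather than left as wildcards.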