Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(eks): eks pod identities #30576

Merged
merged 22 commits into from
Jun 27, 2024
Merged

feat(eks): eks pod identities #30576

merged 22 commits into from
Jun 27, 2024

Conversation

pahud
Copy link
Contributor

@pahud pahud commented Jun 17, 2024

This PR introduces EKS Pod Identities support.

Amazon EKS introduced IRSA in 2019 for fine grained iam roles service accounts support. In aws-eks, we have ServiceAccount construct that implements IRSA under the hood and creates OpenIdConnectProvider for the cluster. In 2023, Amazon EKS introduced EKS Pod Identities as a new way for applications on EKS to obtain IAM credentials.

This PR introduces a new identityType prop for ServiceAccount to allow users to opt in the EKS Pod Identities. When you opt in POD_IDENTITY:

  1. ServiceAccount would NOT create any OpenIdConnectProvider.
  2. An IAM role with trust policy for pods.eks.amazonaws.com service principal would be created.
  3. EKS Pod Identity Agent for the cluster would be provisioned as an Addon if not exist.
  4. CfnPodIdentityAssociation would be created for the role and service account.

Sample

declare const cluster: eks.Cluster;

new eks.ServiceAccount(this, 'ServiceAccount', {
  cluster,
  name: 'test-sa',
  namespace: 'default',
  identityType: eks.IdentityType.POD_IDENTITY,
});

// deploy a sample pod
const pod = cluster.addManifest('demopod', {
  apiVersion: 'v1',
  kind: 'Pod',
  metadata: { name: 'demo' },
  spec: {
    serviceAccountName: sa.serviceAccountName,
    containers: [
      {
        name: 'demo',
        image: 'public.ecr.aws/amazonlinux/amazonlinux:2023',
        command: ['/bin/bash', '-c', 'yum update -y && yum install -y awscli && aws sts get-caller-identity'],
      },
    ],
  },
});
pod.node.addDependency(sa);

Todo Checklist

  • Addon L2 construct
  • Update ServiceAccount construct
  • unit tests
  • integ test(s)
  • update README

Callout

  1. According to the doc, the assume role policy of the role is having both sts:AssumeRole and sts:TagSession but the iam.Role construct only allows sts:AssumeRole assumeRoleAction and no way to customize it on Role creation.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

As a workaround, this PR assumeRolePolicy.addStatements() to create a new statement for the assumeRolePolicy. Definitely should improve this if we have a better solution.

role.assumeRolePolicy!.addStatements(new PolicyStatement({
        actions: ['sts:AssumeRole', 'sts:TagSession'],
        principals: [new ServicePrincipal('pods.eks.amazonaws.com')],
      }));
  1. We should scope down the trust policy with conditions for sts:TagSession but it's not clear to me what is the recommended conditions for that. Need to discuss with EKS team. Per doc describes:

EKS Pod Identity uses TagSession to include session tags in the requests to AWS STS.
You can use these tags in the condition keys in the trust policy to restrict which service accounts, namespaces, and clusters can use this role.
For a list of Amazon EKS condition keys, see Conditions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference. To learn which actions and resources you can use a condition key with, see Actions defined by Amazon Elastic Kubernetes Service.

Issue # (if applicable)

Closes #30519

Reason for this change

Allow users to opt in EKS Pod Identities.

Description of changes

Description of how you validated changes

Unit tests and integ test.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team June 17, 2024 22:25
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 labels Jun 17, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 17, 2024
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@pahud pahud changed the title feat(eks): EKS Pod Identities feat(eks): eks pod Identities Jun 17, 2024
@pahud pahud changed the title feat(eks): eks pod Identities feat(eks): eks pod identities Jun 17, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review June 17, 2024 23:27

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@pahud
Copy link
Contributor Author

pahud commented Jun 18, 2024

@Mergifyio refresh

Copy link
Contributor

mergify bot commented Jun 18, 2024

refresh

✅ Pull request refreshed

@pahud pahud marked this pull request as ready for review June 18, 2024 17:02
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 19, 2024
@nnmin-aws
Copy link

/lgtm

Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one minor comment before approving

packages/aws-cdk-lib/aws-eks/lib/addon.ts Show resolved Hide resolved
packages/aws-cdk-lib/aws-eks/lib/addon.ts Outdated Show resolved Hide resolved
Co-authored-by: GZ <hz351086153@gmail.com>
@pahud
Copy link
Contributor Author

pahud commented Jun 26, 2024

Will update my tests to include addonVersion

Copy link
Contributor

mergify bot commented Jun 27, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 27, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 65f99dc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 9437b4d into aws:main Jun 27, 2024
12 checks passed
Copy link
Contributor

mergify bot commented Jun 27, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify bot pushed a commit that referenced this pull request Jul 17, 2024
### Issue # (if applicable)

None

### Reason for this change

Addon L2 construct is added by #30576 but there is no documentation about it in the README.md.

### Description of changes

Add Add-ons documentation to README.md

### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

eks: EKS Pod Identities
6 participants