-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(eks): eks pod identities #30576
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
@Mergifyio refresh |
✅ Pull request refreshed |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, one minor comment before approving
Co-authored-by: GZ <hz351086153@gmail.com>
Will update my tests to include |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
### Issue # (if applicable) None ### Reason for this change Addon L2 construct is added by #30576 but there is no documentation about it in the README.md. ### Description of changes Add Add-ons documentation to README.md ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
This PR introduces EKS Pod Identities support.
Amazon EKS introduced IRSA in 2019 for fine grained iam roles service accounts support. In aws-eks, we have ServiceAccount construct that implements IRSA under the hood and creates OpenIdConnectProvider for the cluster. In 2023, Amazon EKS introduced EKS Pod Identities as a new way for applications on EKS to obtain IAM credentials.
This PR introduces a new
identityType
prop for ServiceAccount to allow users to opt in the EKS Pod Identities. When you opt inPOD_IDENTITY
:ServiceAccount
would NOT create any OpenIdConnectProvider.pods.eks.amazonaws.com
service principal would be created.Addon
if not exist.CfnPodIdentityAssociation
would be created for the role and service account.Sample
Todo Checklist
Callout
sts:AssumeRole
andsts:TagSession
but the iam.Role construct only allowssts:AssumeRole
assumeRoleAction and no way to customize it on Role creation.As a workaround, this PR
assumeRolePolicy.addStatements()
to create a new statement for the assumeRolePolicy. Definitely should improve this if we have a better solution.sts:TagSession
but it's not clear to me what is the recommended conditions for that. Need to discuss with EKS team. Per doc describes:Issue # (if applicable)
Closes #30519
Reason for this change
Allow users to opt in EKS Pod Identities.
Description of changes
Description of how you validated changes
Unit tests and integ test.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license