
EKS Pod Identity Docs #18

Open · wants to merge 2 commits into main

Conversation

ddl-wadkars (Collaborator) commented Jun 6, 2024

This documentation is created just for FINRA. They wanted a way to attach Domino Service Accounts to IAM roles. They cannot use IRSA because every time they do a Blue/Green deployment they have to update IAM Trust Policies, and the EKS team does not own IAM.


Follow these steps:

1. Domino Service Accounts can be created based on the following [docs](https://docs.dominodatalab.com/en/latest/admin_guide/6921e5/domino-service-accounts/).
Collaborator commented:

Do ServiceAccount objects get created (either in platform or compute) whenever someone creates a Domino Service Account?

ddl-wadkars (Collaborator, Author) replied:

No. Domino Service Accounts are actually user accounts in Mongo and Keycloak. They just don't have a password or any way to log in via the UI.

ddl-wadkars (Collaborator, Author) commented:

Also, I left a comment in the description:
This documentation is created just for FINRA. They wanted a way to attach Domino Service Accounts to IAM roles. They cannot use IRSA because every time they do a Blue/Green deployment they have to update IAM Trust Policies, and the EKS team does not own IAM.

For workloads started by `svc-user-3`, the K8s service account will be a dynamic one.

4. Configure [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) by following the AWS docs.
5. Map the Domino Service Accounts `svc-user-1` and `svc-user-2` to custom IAM Roles.
Collaborator commented:

I would change this to Kubernetes service account, since the svc-user-1/2 mapping is done for k8s.
In general, maybe we should change the naming in the mappings here to clarify which is the Domino user/SA name and which is k8s.
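To make the IRSA-versus-Pod-Identity point from the PR description concrete, and to keep the Kubernetes service account name separate from the Domino service account name as the last comment asks, here is an added example that is not part of PR #18 or of Domino's documentation. It builds the two trust-policy shapes, checks that a role's trust policy actually permits EKS Pod Identity, and renders the `aws eks create-pod-identity-association` call behind step 5. Every account id, region, OIDC provider id, cluster, namespace, service-account and role name in it is a constructed placeholder; nothing is sent to AWS.

```python
"""Added example (not from PR #18 or Domino's docs): trust policies and the
Pod Identity association used by steps 4 and 5 above.

All identifiers below are constructed placeholders. The functions only build
and inspect JSON documents and a CLI invocation; they do not call AWS.
"""
import json
import shlex

# --- constructed placeholder values (not from the PR) ------------------------
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"   # shape of an EKS OIDC provider id
CLUSTER = "domino-blue"                        # e.g. the currently live blue/green cluster
NAMESPACE = "domino-compute"
K8S_SERVICE_ACCOUNT = "svc-user-1"             # the Kubernetes SA, not the Domino user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/domino-svc-user-1"


def irsa_trust_policy(account_id, region, oidc_id, namespace, k8s_sa):
    """IRSA trust policy: federated to one cluster's OIDC provider. The provider
    id is cluster-specific, so a blue/green cutover forces an IAM change."""
    provider = f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:aud": "sts.amazonaws.com",
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{k8s_sa}",
            }},
        }],
    }


def pod_identity_trust_policy():
    """EKS Pod Identity trust policy: trusts the pods.eks.amazonaws.com service
    principal and names no cluster. The cluster/namespace/SA binding lives in
    the Pod Identity association, which the EKS team can manage without IAM."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "pods.eks.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def mentions_cluster_specific_identity(policy):
    """True if the trust policy embeds an OIDC provider, i.e. is cluster-bound."""
    return "oidc-provider/" in json.dumps(policy)


def allows_pod_identity(policy):
    """Check that a trust policy lets EKS Pod Identity assume the role: an Allow
    statement for the pods.eks.amazonaws.com service principal granting both
    sts:AssumeRole and sts:TagSession (the agent requires both)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "pods.eks.amazonaws.com" in services and {"sts:AssumeRole", "sts:TagSession"} <= set(actions):
            return True
    return False


def association_command(cluster, namespace, k8s_sa, role_arn):
    """The aws CLI invocation that performs step 5 for one Kubernetes service
    account. Prerequisite not shown here: the eks-pod-identity-agent add-on
    must be installed on the cluster."""
    return " ".join(shlex.quote(a) for a in [
        "aws", "eks", "create-pod-identity-association",
        "--cluster-name", cluster,
        "--namespace", namespace,
        "--service-account", k8s_sa,
        "--role-arn", role_arn,
    ])


if __name__ == "__main__":
    irsa = irsa_trust_policy(ACCOUNT_ID, REGION, OIDC_ID, NAMESPACE, K8S_SERVICE_ACCOUNT)
    pid = pod_identity_trust_policy()
    print("IRSA policy is cluster-bound:        ", mentions_cluster_specific_identity(irsa))
    print("Pod Identity policy is cluster-bound:", mentions_cluster_specific_identity(pid))
    print("Pod Identity policy passes check:    ", allows_pod_identity(pid))
    print(association_command(CLUSTER, NAMESPACE, K8S_SERVICE_ACCOUNT, ROLE_ARN))
```

The `allows_pod_identity` check is the one worth running against a role before an association is created: a trust policy that grants `sts:AssumeRole` but omits `sts:TagSession` looks right at a glance and still fails at pod start. Keeping `k8s_sa` as a separate parameter from any Domino account name is the naming split the reviewer asked for.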


3 participants