EKS Pod Identity Docs #18
base: main
Follow these steps:
1. Domino Service Accounts can be created based on the following [docs](https://docs.dominodatalab.com/en/latest/admin_guide/6921e5/domino-service-accounts/).
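Review bot: step 1 should state explicitly that creating a Domino Service Account does not create a Kubernetes ServiceAccount object (per the discussion below, they are user accounts in Mongo and Keycloak with no login), because the IAM role mapping in the later steps is done against Kubernetes service accounts, and a reader following the linked Domino docs may otherwise assume the Domino account itself is what gets associated with a role. One sentence here such as "A Domino Service Account is a Domino/Keycloak user, not a Kubernetes ServiceAccount; the Kubernetes service account used by its workloads is mapped in step 5" would remove that ambiguity.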
Do ServiceAccount objects get created (either in platform or compute) whenever someone creates a Domino Service Account?
No. Domino Service Accounts are actually user accounts in Mongo and Keycloak. They just don't have a password or any way to log in via the UI.
Also, I left a comment in the description.
This documentation is created just for FINRA. They wanted a way to attach Domino Service Accounts to IAM roles. They cannot use IRSA because every time they do a Blue/Green deployment, they have to update IAM Trust Policies, and the EKS team does not own IAM.
For workloads started by `svc-user-3` the K8s service account will be a dynamic one.
4. Configure [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) by following the AWS docs
5. Map the Domino Service Accounts `svc-user-1 ` and `svc-user-2` to custom IAM Roles
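Review bot: step 5 says "Map the Domino Service Accounts `svc-user-1 ` and `svc-user-2` to custom IAM Roles", but an EKS Pod Identity association is created for a specific namespace and Kubernetes service account name, so the subject of this step is the Kubernetes service account, not the Domino Service Account; rename the step accordingly (for example "Map the Kubernetes service accounts used by `svc-user-1` and `svc-user-2` ...") and use distinct names in the mapping table for the Domino identity and the Kubernetes service account so readers can tell which is which. While editing, drop the stray trailing space inside the backticks of `svc-user-1 `, which will otherwise be copied into commands. The preceding sentence about `svc-user-3` also needs its consequence spelled out: because its Kubernetes service account is dynamic, no static Pod Identity association can cover it, so the doc should say plainly that `svc-user-3` workloads are not expected to receive an IAM role, rather than leaving the reader to infer it.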
I would change this to Kubernetes service account, since the svc-user-1/2 mapping is done for k8s.
In general, maybe we should change the naming in the mappings here to clarify which is the Domino user/SA name and which is k8s.