This repository has been archived by the owner on Nov 11, 2020. It is now read-only.

Another mechanism for IAM Roles for Service Account creation in EKS #17

Closed
gazal-k opened this issue Mar 28, 2020 · 0 comments · Fixed by jenkins-x-labs/jenkins-x-versions#41 · May be fixed by jenkins-x-labs/jenkins-x-versions#49

Comments


gazal-k commented Mar 28, 2020

This is a proposed solution to handle IRSA in EKS.

Instead of creating both the IAM Role and Service Account using the cloud tooling before `jxl boot run`, we can probably just create IAM Roles using a convention: `<clustername>-<namespace>-<saName>`

Then the ARN of the IAM Role becomes easier to template in ServiceAccount creation: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`

To make this easier, we can perhaps even set the AWS accountId (which I assume is pretty similar to `.Values.jxRequirements.cluster.project` for GKE) in `jx-requirements.yml` during `jxl boot create`.

We can also provide fallbacks to specify the ARN of each of the necessary SAs in `jx-requirements.yml`.

This will be more in line with how IRSA or workload identity is managed in GKE.

gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Mar 30, 2020
gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Mar 31, 2020
gazal-k added a commit to gazal-k/jxl that referenced this issue Mar 31, 2020
- if `jxRequirements.cluster.aws.useIRSAAnnotations` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA

fix jenkins-x-labs/issues#17
gazal-k added a commit to gazal-k/jxl that referenced this issue Apr 1, 2020
- if `jxRequirements.cluster.aws.helmSa` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA

fix jenkins-x-labs/issues#17
gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Apr 7, 2020
- if `jxRequirements.cluster.aws.helmSa` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA

fix jenkins-x-labs/issues#17
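
The convention proposed in the issue and used in the commit messages above, as an added Python example that is not part of the original issue or of the Jenkins X code base. It derives the role name and ServiceAccount annotation from `<clustername>-<namespace>-<saName>` and builds the IAM trust policy such a role needs; the function names are hypothetical, and the account ID, cluster name and OIDC issuer are constructed sample values.

```python
import json
import re

# IAM role names: at most 64 characters drawn from this set.
ROLE_NAME = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)


def irsa_role_name(cluster, namespace, sa_name):
    """Role name under the issue's convention: <clustername>-<namespace>-<saName>."""
    name = f"{cluster}-{namespace}-{sa_name}"
    if not ROLE_NAME.fullmatch(name):
        raise ValueError(f"{name!r} is not a valid IAM role name (length {len(name)})")
    return name


def service_account(account_id, cluster, namespace, sa_name):
    """ServiceAccount manifest carrying the templated role ARN as the IRSA annotation."""
    arn = f"arn:aws:iam::{account_id}:role/{irsa_role_name(cluster, namespace, sa_name)}"
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa_name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": arn}}}


def trust_policy(account_id, oidc_issuer, namespace, sa_name):
    """Trust policy for the role, limited to exactly one namespace/service account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            f"{oidc_issuer}:aud": "sts.amazonaws.com",
        }},
    }]}


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    acct, issuer = "111122223333", "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE"
    print(json.dumps(service_account(acct, "prod", "jx", "tekton-bot"), indent=2))
    print(json.dumps(trust_policy(acct, issuer, "jx", "tekton-bot"), indent=2))
    # Hyphens make the joined name ambiguous: two different tuples, one role name.
    print(irsa_role_name("prod", "jx-staging", "bot") == irsa_role_name("prod-jx", "staging", "bot"))
```

Because the hyphen-joined name does not uniquely identify a namespace and service account, the `sub` condition in the trust policy, not the role name, is what restricts which service account can assume the role.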