This repository has been archived by the owner on Nov 11, 2020. It is now read-only.
Another mechanism for IAM Roles for Service Account creation in EKS #17
Closed
gazal-k opened this issue
Mar 28, 2020
· 0 comments
· Fixed by jenkins-x-labs/jenkins-x-versions#41 · May be fixed by jenkins-x-labs/jenkins-x-versions#49
Comments
gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Mar 30, 2020
2 tasks
gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Mar 31, 2020
2 tasks
gazal-k added a commit to gazal-k/jxl that referenced this issue Mar 31, 2020
- if `jxRequirements.cluster.aws.useIRSAAnnotations` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA
fix jenkins-x-labs/issues#17
gazal-k added a commit to gazal-k/jxl that referenced this issue Apr 1, 2020
- if `jxRequirements.cluster.aws.helmSa` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA
fix jenkins-x-labs/issues#17
gazal-k added a commit to gazal-k/jenkins-x-versions that referenced this issue Apr 7, 2020
- if `jxRequirements.cluster.aws.helmSa` is true: create SA with annotations to bind to the IAM Role with convention: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
- otherwise: don't create SA
fix jenkins-x-labs/issues#17
This is a proposed solution to handle IRSA in EKS.
Instead of creating both the IAM Role and Service Account using the cloud tooling before `jxl boot run`, we can probably just create IAM Roles using a convention: `<clustername>-<namespace>-<saName>`
Then the ARN of the IAM Role becomes easier to template in `ServiceAccount` creation: `arn:aws:iam::<accountId>:role/<clustername>-<namespace>-<saName>`
To make this easier, we can perhaps even set the AWS `accountId` (which I assume is pretty similar to `.Values.jxRequirements.cluster.project` for GKE) in `jx-requirements.yml` during `jxl boot create`
We can also provide fallbacks to specify the ARN of each of the necessary SAs in `jx-requirements.yml`
This will be more in line with how IRSA or workload identity is managed in GKE.
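The naming convention proposed in this issue, worked through as an added example that is not part of the original issue or the jxl code base: it builds the annotated ServiceAccount and checks two edge cases of the convention, the 64-character IAM role name limit and the fact that `-` inside namespace or SA names lets two different service accounts resolve to the same role. The function names, the account ID and the cluster, namespace and SA names are constructed for illustration; `eks.amazonaws.com/role-arn` is the standard EKS IRSA annotation key.

```python
import json
import re

# IAM role names: at most 64 characters drawn from this set (AWS IAM limit).
ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)


def role_name(cluster, namespace, sa_name):
    """Role name per the issue's convention <clustername>-<namespace>-<saName>."""
    name = f"{cluster}-{namespace}-{sa_name}"
    if not ROLE_NAME_RE.fullmatch(name):
        raise ValueError(f"not a valid IAM role name (64-char limit?): {name!r}")
    return name


def service_account(account_id, cluster, namespace, sa_name):
    """ServiceAccount manifest (as a dict) carrying the IRSA role annotation."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account id must be 12 digits")
    arn = f"arn:aws:iam::{account_id}:role/{role_name(cluster, namespace, sa_name)}"
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": sa_name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": arn},
        },
    }


def find_collisions(cluster, service_accounts):
    """Return role names claimed by more than one (namespace, sa) pair.

    '-' is legal inside namespace and SA names, so the convention is not
    injective: ('jx', 'git-bot') and ('jx-git', 'bot') map to the same role.
    """
    seen = {}
    for namespace, sa_name in service_accounts:
        key = role_name(cluster, namespace, sa_name)
        seen.setdefault(key, set()).add((namespace, sa_name))
    return {name: sorted(pairs) for name, pairs in seen.items() if len(pairs) > 1}


# Constructed sample values, not taken from the issue.
SAMPLE_SAS = [("jx", "tekton-bot"), ("jx", "git-bot"), ("jx-git", "bot")]

if __name__ == "__main__":
    print(json.dumps(service_account("111122223333", "demo", "jx", "tekton-bot"), indent=2))
    print(find_collisions("demo", SAMPLE_SAS))
```

A collision reported here means one IAM role would be annotated onto service accounts in two namespaces, so a per-SA ARN override or a different delimiter is needed for those entries.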