Add eks pod identities

Author: stefanmcshane

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2637,6 +2637,35 @@ spec:
                 description: Partition is the AWS security partition being used. Defaults
                   to "aws"
                 type: string
+              podIdentityAssociations:
+                description: |-
+                  PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+                  This requires using the AWS EKS Addon for Pod Identity.
+                items:
+                  description: PodIdentityAssociation represents an association between
+                    a Kubernetes Service Account in a namespace, and an AWS IAM role
+                    which allows the service principal `pods.eks.amazonaws.com` in
+                    its trust policy.
+                  properties:
+                    serviceAccountName:
+                      description: ServiceAccountName is the name of the kubernetes
+                        Service Account within the namespace
+                      type: string
+                    serviceAccountNamespace:
+                      default: default
+                      description: ServiceAccountNamespace is the kubernetes namespace,
+                        which the kubernetes Service Account resides in. Defaults
+                        to "default" namespace.
+                      type: string
+                    serviceAccountRoleARN:
+                      description: RoleARN is the ARN of an IAM role which the Service
+                        Account can assume.
+                      type: string
+                  required:
+                  - serviceAccountName
+                  - serviceAccountNamespace
+                  type: object
+                type: array
               region:
                 description: The AWS Region the cluster lives in.
                 type: string

controlplane/eks/api/v1beta1/conversion.go

@@ -40,6 +40,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	}
 	dst.Spec.VpcCni.Disable = r.Spec.DisableVPCCNI
 	dst.Spec.Partition = restored.Spec.Partition
+	dst.Spec.PodIdentityAssociations = restored.Spec.PodIdentityAssociations
 
 	return nil
 }

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -164,6 +164,11 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Addons *[]Addon `json:"addons,omitempty"`
 
+	// PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+	// This requires using the AWS EKS Addon for Pod Identity.
+	// +optional
+	PodIdentityAssociations []PodIdentityAssociation `json:"podIdentityAssociations,omitempty"`
+
 	// IdentityProviderconfig is used to specify the oidc provider config
 	// to be attached with this eks cluster
 	// +optional

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -24,6 +24,7 @@ import (
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog/v2"
@@ -63,8 +64,10 @@ func (r *AWSManagedControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error
 // +kubebuilder:webhook:verbs=create;update,path=/validate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplane,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes,versions=v1beta2,name=validation.awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 // +kubebuilder:webhook:verbs=create;update,path=/mutate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplane,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes,versions=v1beta2,name=default.awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.Defaulter = &AWSManagedControlPlane{}
-var _ webhook.Validator = &AWSManagedControlPlane{}
+var (
+	_ webhook.Defaulter = &AWSManagedControlPlane{}
+	_ webhook.Validator = &AWSManagedControlPlane{}
+)
 
 func parseEKSVersion(raw string) (*version.Version, error) {
 	v, err := version.ParseGeneric(raw)
@@ -95,6 +98,7 @@ func (r *AWSManagedControlPlane) ValidateCreate() (admission.Warnings, error) {
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validateNetwork()...)
 	allErrs = append(allErrs, r.validatePrivateDNSHostnameTypeOnLaunch()...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -129,6 +133,7 @@ func (r *AWSManagedControlPlane) ValidateUpdate(old runtime.Object) (admission.W
 	allErrs = append(allErrs, r.validateKubeProxy()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validatePrivateDNSHostnameTypeOnLaunch()...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if r.Spec.Region != oldAWSManagedControlplane.Spec.Region {
 		allErrs = append(allErrs,
@@ -403,6 +408,28 @@ func (r *AWSManagedControlPlane) validatePrivateDNSHostnameTypeOnLaunch() field.
 	return allErrs
 }
 
+func (r *AWSManagedControlPlane) validServiceAccountName() field.ErrorList {
+	var allErrs field.ErrorList
+
+	if r.Spec.PodIdentityAssociations != nil {
+		for i, association := range r.Spec.PodIdentityAssociations {
+			associationPath := field.NewPath("spec", "podIdentityAssociations").Index(i)
+			if association.ServiceAccountName == "" {
+				allErrs = append(allErrs, field.Required(associationPath.Child("serviceAccountName"), "serviceAccountName is required"))
+			}
+
+			// kubernetes uses ValidateServiceAccountName internally, which maps to IsDNS1123Subdomain
+			// https://github.com/kubernetes/apimachinery/blob/d794766488ac2892197a7cc8d0b4b46b0edbda80/pkg/api/validation/generic.go#L68
+
+			if validationErrs := validation.IsDNS1123Subdomain(association.ServiceAccountName); len(validationErrs) > 0 {
+				allErrs = append(allErrs, field.Invalid(associationPath.Child("serviceAccountName"), association.ServiceAccountName, fmt.Sprintf("serviceAccountName is invalid: %v", validationErrs)))
+			}
+		}
+	}
+
+	return allErrs
+}
+
 func (r *AWSManagedControlPlane) validateNetwork() field.ErrorList {
 	var allErrs field.ErrorList
 

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go

@@ -52,6 +52,13 @@ const (
 	EKSAddonsConfiguredFailedReason = "EKSAddonsConfiguredFailed"
 )
 
+const (
+	// EKSPodIdentityAssociationConfiguredCondition condition reports on the successful reconciliation of EKS pod identity associations.
+	EKSPodIdentityAssociationConfiguredCondition clusterv1.ConditionType = "EKSPodIdentityAssociationConfigured"
+	// EKSPodIdentityAssociationFailedReason is used to report failures while reconciling the EKS pod identity associations.
+	EKSPodIdentityAssociationFailedReason = "EKSPodIdentityAssociationConfigurationFailed"
+)
+
 const (
 	// EKSIdentityProviderConfiguredCondition condition reports on the successful association of identity provider config.
 	EKSIdentityProviderConfiguredCondition clusterv1.ConditionType = "EKSIdentityProviderConfigured"

controlplane/eks/api/v1beta2/conditions_consts.go

@@ -79,12 +79,10 @@ var (
 	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
 )
 
-var (
-	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
-	// if no other role is supplied in the spec and if iam role creation is not enabled. The default
-	// can be created using clusterawsadm or created manually.
-	DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
-)
+// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
+// if no other role is supplied in the spec and if iam role creation is not enabled. The default
+// can be created using clusterawsadm or created manually.
+var DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
 
 // IAMAuthenticatorConfig represents an aws-iam-authenticator configuration.
 type IAMAuthenticatorConfig struct {
@@ -279,3 +277,17 @@ type OIDCIdentityProviderConfig struct {
 	// +optional
 	Tags infrav1.Tags `json:"tags,omitempty"`
 }
+
+// PodIdentityAssociation represents an association between a Kubernetes Service Account in a namespace, and an AWS IAM role which allows the service principal `pods.eks.amazonaws.com` in its trust policy.
+type PodIdentityAssociation struct {
+	// ServiceAccountName is the name of the kubernetes Service Account within the namespace
+	// +kubebuilder:validation:Required
+	ServiceAccountName string `json:"serviceAccountName"`
+	// ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=default
+	ServiceAccountNamespace string `json:"serviceAccountNamespace"`
+	// RoleARN is the ARN of an IAM role which the Service Account can assume.
+	// +kubebuilder:validation:Required
+	RoleARN string `json:"serviceAccountRoleARN,omitempty"`
+}

controlplane/eks/api/v1beta2/types.go

@@ -409,7 +409,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("tag-key"),
 				Values: aws.StringSlice([]string{"sigs.k8s.io/cluster-api-provider-aws/cluster/test-cluster"}),
 			},
-		}})).Return(&ec2.DescribeRouteTablesOutput{
+		},
+	})).Return(&ec2.DescribeRouteTablesOutput{
 		RouteTables: []*ec2.RouteTable{
 			{
 				Routes: []*ec2.Route{
@@ -469,7 +470,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("state"),
 				Values: aws.StringSlice([]string{ec2.VpcStatePending, ec2.VpcStateAvailable}),
 			},
-		}}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
+		},
+	}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
 
 	ec2Rec.DescribeAddressesWithContext(context.TODO(), gomock.Eq(&ec2.DescribeAddressesInput{
 		Filters: []*ec2.Filter{
@@ -901,6 +903,12 @@ func mockedEKSCluster(g *WithT, eksRec *mock_eksiface.MockEKSAPIMockRecorder, ia
 		ClusterName: aws.String("test-cluster"),
 	}).Return(&eks.ListAddonsOutput{}, nil)
 
+	eksRec.ListPodIdentityAssociationsWithContext(context.TODO(), gomock.Eq(&eks.ListPodIdentityAssociationsInput{
+		ClusterName: aws.String("test-cluster"),
+	})).Return(&eks.ListPodIdentityAssociationsOutput{
+		Associations: []*eks.PodIdentityAssociationSummary{},
+	}, nil)
+
 	awsNodeRec.ReconcileCNI(gomock.Any()).Return(nil)
 	kubeProxyRec.ReconcileKubeProxy(gomock.Any()).Return(nil)
 	iamAuthenticatorRec.ReconcileIAMAuthenticator(gomock.Any()).Return(nil)

controlplane/eks/api/v1beta2/zz_generated.deepcopy.go

@@ -19,6 +19,7 @@
     - [Creating a cluster](./topics/eks/creating-a-cluster.md)
     - [Using EKS Console](./topics/eks/eks-console.md)
     - [Using EKS Addons](./topics/eks/addons.md)
+    - [Using EKS Pod Identity Associations](./topics/eks/pod-identity-associations.md)
     - [Enabling Encryption](./topics/eks/encryption.md)
     - [Cluster Upgrades](./topics/eks/cluster-upgrades.md)
   - [ROSA Support](./topics/rosa/index.md)