Add eks pod identities

Author: stefanmcshane

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -3083,6 +3083,35 @@ spec:
                 description: Partition is the AWS security partition being used. Defaults
                   to "aws"
                 type: string
+              podIdentityAssociations:
+                description: |-
+                  PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+                  This requires using the AWS EKS Addon for Pod Identity.
+                items:
+                  description: PodIdentityAssociation represents an association between
+                    a Kubernetes Service Account in a namespace, and an AWS IAM role
+                    which allows the service principal `pods.eks.amazonaws.com` in
+                    its trust policy.
+                  properties:
+                    serviceAccountName:
+                      description: ServiceAccountName is the name of the kubernetes
+                        Service Account within the namespace
+                      type: string
+                    serviceAccountNamespace:
+                      default: default
+                      description: ServiceAccountNamespace is the kubernetes namespace,
+                        which the kubernetes Service Account resides in. Defaults
+                        to "default" namespace.
+                      type: string
+                    serviceAccountRoleARN:
+                      description: RoleARN is the ARN of an IAM role which the Service
+                        Account can assume.
+                      type: string
+                  required:
+                  - serviceAccountName
+                  - serviceAccountNamespace
+                  type: object
+                type: array
               region:
                 description: The AWS Region the cluster lives in.
                 type: string

controlplane/eks/api/v1beta1/conversion.go

@@ -46,6 +46,8 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
+	dst.Spec.PodIdentityAssociations = restored.Spec.PodIdentityAssociations
+
 	return nil
 }
 

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -188,6 +188,11 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Addons *[]Addon `json:"addons,omitempty"`
 
+	// PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+	// This requires using the AWS EKS Addon for Pod Identity.
+	// +optional
+	PodIdentityAssociations []PodIdentityAssociation `json:"podIdentityAssociations,omitempty"`
+
 	// IdentityProviderconfig is used to specify the oidc provider config
 	// to be attached with this eks cluster
 	// +optional

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -25,6 +25,7 @@ import (
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog/v2"
@@ -107,6 +108,7 @@ func (*awsManagedControlPlaneWebhook) ValidateCreate(_ context.Context, obj runt
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validateNetwork()...)
 	allErrs = append(allErrs, r.validatePrivateDNSHostnameTypeOnLaunch()...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -148,6 +150,7 @@ func (*awsManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, oldObj
 	allErrs = append(allErrs, r.validateKubeProxy()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validatePrivateDNSHostnameTypeOnLaunch()...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if r.Spec.Region != oldAWSManagedControlplane.Spec.Region {
 		allErrs = append(allErrs,
@@ -436,6 +439,28 @@ func (r *AWSManagedControlPlane) validatePrivateDNSHostnameTypeOnLaunch() field.
 	return allErrs
 }
 
+func (r *AWSManagedControlPlane) validServiceAccountName() field.ErrorList {
+	var allErrs field.ErrorList
+
+	if r.Spec.PodIdentityAssociations != nil {
+		for i, association := range r.Spec.PodIdentityAssociations {
+			associationPath := field.NewPath("spec", "podIdentityAssociations").Index(i)
+			if association.ServiceAccountName == "" {
+				allErrs = append(allErrs, field.Required(associationPath.Child("serviceAccountName"), "serviceAccountName is required"))
+			}
+
+			// kubernetes uses ValidateServiceAccountName internally, which maps to IsDNS1123Subdomain
+			// https://github.com/kubernetes/apimachinery/blob/d794766488ac2892197a7cc8d0b4b46b0edbda80/pkg/api/validation/generic.go#L68
+
+			if validationErrs := validation.IsDNS1123Subdomain(association.ServiceAccountName); len(validationErrs) > 0 {
+				allErrs = append(allErrs, field.Invalid(associationPath.Child("serviceAccountName"), association.ServiceAccountName, fmt.Sprintf("serviceAccountName is invalid: %v", validationErrs)))
+			}
+		}
+	}
+
+	return allErrs
+}
+
 func (r *AWSManagedControlPlane) validateNetwork() field.ErrorList {
 	var allErrs field.ErrorList
 

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go

@@ -52,6 +52,13 @@ const (
 	EKSAddonsConfiguredFailedReason = "EKSAddonsConfiguredFailed"
 )
 
+const (
+	// EKSPodIdentityAssociationConfiguredCondition condition reports on the successful reconciliation of EKS pod identity associations.
+	EKSPodIdentityAssociationConfiguredCondition clusterv1.ConditionType = "EKSPodIdentityAssociationConfigured"
+	// EKSPodIdentityAssociationFailedReason is used to report failures while reconciling the EKS pod identity associations.
+	EKSPodIdentityAssociationFailedReason = "EKSPodIdentityAssociationConfigurationFailed"
+)
+
 const (
 	// EKSIdentityProviderConfiguredCondition condition reports on the successful association of identity provider config.
 	EKSIdentityProviderConfiguredCondition clusterv1.ConditionType = "EKSIdentityProviderConfigured"

controlplane/eks/api/v1beta2/conditions_consts.go

@@ -79,12 +79,10 @@ var (
 	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
 )
 
-var (
-	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
-	// if no other role is supplied in the spec and if iam role creation is not enabled. The default
-	// can be created using clusterawsadm or created manually.
-	DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
-)
+// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
+// if no other role is supplied in the spec and if iam role creation is not enabled. The default
+// can be created using clusterawsadm or created manually.
+var DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
 
 // IAMAuthenticatorConfig represents an aws-iam-authenticator configuration.
 type IAMAuthenticatorConfig struct {
@@ -279,3 +277,17 @@ type OIDCIdentityProviderConfig struct {
 	// +optional
 	Tags infrav1.Tags `json:"tags,omitempty"`
 }
+
+// PodIdentityAssociation represents an association between a Kubernetes Service Account in a namespace, and an AWS IAM role which allows the service principal `pods.eks.amazonaws.com` in its trust policy.
+type PodIdentityAssociation struct {
+	// ServiceAccountName is the name of the kubernetes Service Account within the namespace
+	// +kubebuilder:validation:Required
+	ServiceAccountName string `json:"serviceAccountName"`
+	// ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=default
+	ServiceAccountNamespace string `json:"serviceAccountNamespace"`
+	// RoleARN is the ARN of an IAM role which the Service Account can assume.
+	// +kubebuilder:validation:Required
+	RoleARN string `json:"serviceAccountRoleARN,omitempty"`
+}

controlplane/eks/api/v1beta2/types.go

@@ -454,7 +454,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("tag-key"),
 				Values: aws.StringSlice([]string{"sigs.k8s.io/cluster-api-provider-aws/cluster/test-cluster"}),
 			},
-		}})).Return(&ec2.DescribeRouteTablesOutput{
+		},
+	})).Return(&ec2.DescribeRouteTablesOutput{
 		RouteTables: []*ec2.RouteTable{
 			{
 				Routes: []*ec2.Route{
@@ -514,7 +515,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("state"),
 				Values: aws.StringSlice([]string{ec2.VpcStatePending, ec2.VpcStateAvailable}),
 			},
-		}}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
+		},
+	}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
 
 	ec2Rec.DescribeAddressesWithContext(context.TODO(), gomock.Eq(&ec2.DescribeAddressesInput{
 		Filters: []*ec2.Filter{
@@ -949,6 +951,11 @@ func mockedEKSCluster(ctx context.Context, g *WithT, eksRec *mock_eksiface.MockE
 	}).Return(&eks.ListAddonsOutput{}, nil)
 
 	eksRec.UpdateClusterConfig(ctx, gomock.AssignableToTypeOf(&eks.UpdateClusterConfigInput{})).After(waitUntilClusterActiveCall).Return(&eks.UpdateClusterConfigOutput{}, nil)
+	eksRec.ListPodIdentityAssociationsWqithContext(context.TODO(), gomock.Eq(&eks.ListPodIdentityAssociationsInput{
+		ClusterName: aws.String("test-cluster"),
+	})).Return(&eks.ListPodIdentityAssociationsOutput{
+		Associations: []*eks.PodIdentityAssociationSummary{},
+	}, nil)
 
 	awsNodeRec.ReconcileCNI(gomock.Any()).Return(nil)
 	kubeProxyRec.ReconcileKubeProxy(gomock.Any()).Return(nil)

controlplane/eks/api/v1beta2/zz_generated.deepcopy.go

@@ -20,6 +20,7 @@
     - [Creating a cluster](./topics/eks/creating-a-cluster.md)
     - [Using EKS Console](./topics/eks/eks-console.md)
     - [Using EKS Addons](./topics/eks/addons.md)
+    - [Using EKS Pod Identity Associations](./topics/eks/pod-identity-associations.md)
     - [Enabling Encryption](./topics/eks/encryption.md)
     - [Cluster Upgrades](./topics/eks/cluster-upgrades.md)
   - [ROSA Support](./topics/rosa/index.md)