✨ feat: eks pod identity support for controllers #5713
Conversation
This adds support for using EKS pod identity for the CAPA controller when the management cluster is an EKS cluster Signed-off-by: Richard Case <[email protected]>
k8s-ci-robot
added
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@richardcase: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| Principal: | ||
| Service: | ||
| - ec2.amazonaws.com | ||
| - ec2.amazonaws.com |
There was a problem hiding this comment.
Hmm there's a trailing space added here for some reason
| @@ -0,0 +1,32 @@ | |||
| # Using EKS Pod Identity for CAPA Controller | |||
|
|
|||
| You can use [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to supply the credentials for the CAPA controller when the management is in EKS. This is an alternative to using the static boostrap credentials or IRSA. | |||
There was a problem hiding this comment.
| You can use [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to supply the credentials for the CAPA controller when the management is in EKS. This is an alternative to using the static boostrap credentials or IRSA. | |
| You can use [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to supply the credentials for the CAPA controller when the management cluster is in EKS. This is an alternative to using static bootstrap credentials or IRSA. |
| ## Pre-requisites | ||
|
|
||
| - Management cluster must be an EKS cluster | ||
| - AWS environment variables set for your account |
There was a problem hiding this comment.
| - AWS environment variables set for your account | |
| - If using aws-cli, AWS [environment variables set](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html) to target your account |
|
|
||
| 1. Install the **Amazon EKS Pod Identity Agent** EKS addon into the cluster. This can be done using the AWS console or using the AWS cli. | ||
|
|
||
| > NOTE: If your management cluster is a "self-managed" CAPI cluster then its possible to install the addon via the **EKSManagedControlPlane**. |
There was a problem hiding this comment.
| > NOTE: If your management cluster is a "self-managed" CAPI cluster then its possible to install the addon via the **EKSManagedControlPlane**. | |
| > NOTE: If your management cluster is managed by CAPI, it's possible to install the addon via the **EKSManagedControlPlane**. |
| 2. Create an EKS pod identity association for CAPA by running the following (replacing **<clustername>** with the name of your EKS cluster): | ||
|
|
||
| ```bash | ||
| clusterawsadm controller use-pod-identity --cluster-name <clustername> |
There was a problem hiding this comment.
| 2. Create an EKS pod identity association for CAPA by running the following (replacing **<clustername>** with the name of your EKS cluster): | |
| ```bash | |
| clusterawsadm controller use-pod-identity --cluster-name <clustername> | |
| 2. Create an EKS pod identity association for CAPA by running the following (replacing `mycluster` with the name of your EKS cluster): | |
| ```bash | |
| clusterawsadm controller use-pod-identity --cluster-name mycluster |
(minor; just for consistency with other documentation pages)
| clusterawsadm controller use-pod-identity --cluster-name <clustername> | ||
| ``` | ||
|
|
||
| 3. Ensure any credentials set for the controller are removed (a.k.a zeroed out): |
There was a problem hiding this comment.
| 3. Ensure any credentials set for the controller are removed (a.k.a zeroed out): | |
| 3. Ensure any credentials set for the controller are removed (zeroed out): |
("a.k.a." probably isn't a well-known term for non-natives)
| 3. Ensure any credentials set for the controller are removed (a.k.a zeroed out): | ||
|
|
||
| ```bash | ||
| clusterawsadm controller zero-credentials --namespace=capa-system |
There was a problem hiding this comment.
Is this only needed when migrating away from static credentials? Then we should make it clear how to migrate vs. create this setup from scratch (completely new management cluster).
| } | ||
| ], | ||
| "store_path": "/nix/store/pl9krbxnhawd4n5kxsm6m5i5mjhbw48q-git-2.48.1" | ||
| } |
| newCmd.Flags().StringVar(&serviceAccount, "service-account", "capa-controller-manager", "The service account for the CAPA controller") | ||
| newCmd.Flags().StringVar(&roleName, "role-name", "controllers.cluster-api-provider-aws.sigs.k8s.io", "The name of the CAPA controller role. If you have used a prefix or suffix this will need to be changed.") | ||
|
|
||
| newCmd.MarkFlagRequired("cluster-name") |
There was a problem hiding this comment.
| newCmd.MarkFlagRequired("cluster-name") | |
| newCmd.MarkFlagRequired("cluster-name") //nolint: errcheck |
Copied from other CAPA code, fixes the lint
3 participants
What type of PR is this?
/kind feature
What this PR does / why we need it:
This adds support for using EKS pod identity for the CAPA controller when the management cluster is an EKS cluster.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
This is in addition to #4906 .
Checklist:
Release note: