diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index 846f2ebcdc..b38a44f45b 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -51,8 +51,8 @@ func (t Template) controllersPolicyRoleAttachments() []string {
 return attachments
 }
 
-func (t Template) controllersTrustPolicy() *iamv1.PolicyDocument {
- policyDocument := ec2AssumeRolePolicy()
+func (t Template) controllersTrustPolicy(eksEnabled bool) *iamv1.PolicyDocument {
+ policyDocument := ec2AssumeRolePolicy(eksEnabled)
 policyDocument.Statement = append(policyDocument.Statement, t.Spec.ClusterAPIControllers.TrustStatements...)
 return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go b/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go
index 06cdff6a55..15ee33fcaf 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go
@@ -40,7 +40,7 @@ func (t Template) controlPlanePolicies() []cfn_iam.Role_Policy {
 }
 
 func (t Template) controlPlaneTrustPolicy() *iamv1.PolicyDocument {
- policyDocument := ec2AssumeRolePolicy()
+ policyDocument := ec2AssumeRolePolicy(false)
 policyDocument.Statement = append(policyDocument.Statement, t.Spec.ControlPlane.TrustStatements...)
 return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
index f237fee3d8..ecfa099474 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
@@ -419,6 +419,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: 
@@ -464,6 +465,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml index dcd7265768..4dd769bdb0 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml @@ -419,6 +419,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -436,6 +437,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml index 2b86661dc3..f4b855387e 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml @@ -432,6 +432,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -449,6 +450,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml index 51749bbbdb..b75c4c0871 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml 
@@ -424,6 +424,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -441,6 +442,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml index 04358c4c81..097979ab1e 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml @@ -427,6 +427,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -444,6 +445,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml index d274fc8aad..7945e1b43a 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml @@ -427,6 +427,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -444,6 +445,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml index 09e30c5f18..4d41f5ba77 100644 
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml @@ -419,6 +419,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -436,6 +437,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml index fc989c470c..13ea4e2639 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml @@ -439,6 +439,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -456,6 +457,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml index 2f731ead80..a9815a8f9c 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml @@ -419,6 +419,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -435,7 +436,8 @@ Resources: Effect: Allow Principal: Service: - - ec2.amazonaws.com + - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role 
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml index 31942853a2..7a3e9e9ed5 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml @@ -418,7 +418,8 @@ Resources: AssumeRolePolicyDocument: Statement: - Action: - - sts:AssumeRole + - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -436,6 +437,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml index 35e1d6e91f..177623e3ca 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml @@ -427,6 +427,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -454,6 +455,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 Policies: - PolicyDocument: diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml index fb91d49841..368727895d 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml @@ -432,6 +432,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: 
@@ -449,6 +450,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
index 875d58b568..0d44f41b6c 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
@@ -419,6 +419,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service:
@@ -436,6 +437,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/node.go b/cmd/clusterawsadm/cloudformation/bootstrap/node.go
index a17db15ad2..5e04f7bfa7 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/node.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/node.go
@@ -39,7 +39,7 @@ func (t Template) nodePolicies() []cfn_iam.Role_Policy {
 }
 
 func (t Template) nodeTrustPolicy() *iamv1.PolicyDocument {
- policyDocument := ec2AssumeRolePolicy()
+ policyDocument := ec2AssumeRolePolicy(false)
 policyDocument.Statement = append(policyDocument.Statement, t.Spec.Nodes.TrustStatements...)
 return policyDocument
 }
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
index 4ebffc73ef..ef1dbe91a2 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/template.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/template.go
@@ -149,7 +149,7 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 RoleName: t.NewManagedName("controllers"),
 Path: t.Spec.ControlPlane.Path,
- AssumeRolePolicyDocument: t.controllersTrustPolicy(),
+ AssumeRolePolicyDocument: t.controllersTrustPolicy(!t.Spec.EKS.Disable),
 Policies: t.controllersRolePolicy(),
 PermissionsBoundary: t.Spec.ControlPlane.PermissionsBoundary,
 Tags: converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
@@ -224,8 +224,12 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 return template
 }
 
-func ec2AssumeRolePolicy() *iamv1.PolicyDocument {
- return AssumeRolePolicy(iamv1.PrincipalService, []string{"ec2.amazonaws.com"})
+func ec2AssumeRolePolicy(eksEnabled bool) *iamv1.PolicyDocument {
+ principalIDs := []string{"ec2.amazonaws.com"}
+ if eksEnabled {
+ principalIDs = append(principalIDs, "pods.eks.amazonaws.com")
+ }
+ return AssumeRolePolicy(iamv1.PrincipalService, principalIDs)
 }
 
 // AWSArnAssumeRolePolicy will assume Policies using PolicyArns.
diff --git a/cmd/clusterawsadm/cmd/controller/controller.go b/cmd/clusterawsadm/cmd/controller/controller.go
index db9b762e1b..d29b4308c9 100644
--- a/cmd/clusterawsadm/cmd/controller/controller.go
+++ b/cmd/clusterawsadm/cmd/controller/controller.go
@@ -44,6 +44,7 @@ func RootCmd() *cobra.Command {
 newCmd.AddCommand(credentials.UpdateCredentialsCmd())
 newCmd.AddCommand(credentials.PrintCredentialsCmd())
 newCmd.AddCommand(rollout.RolloutControllersCmd())
+ newCmd.AddCommand(credentials.UseEKSPodIdentityCmd())
 
 return newCmd
 }
diff --git a/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go b/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go
new file mode 100644
index 0000000000..c1af9f524f
--- /dev/null
+++ b/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go
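Review bot: `ec2AssumeRolePolicy(eksEnabled)` adds `pods.eks.amazonaws.com` as a trusted service principal of the controllers role whenever `!t.Spec.EKS.Disable`, which is the default, so every stack rendered with EKS support left enabled now lets the EKS Pod Identity service assume the controllers role even when the management cluster is not on EKS and the new `use-pod-identity` command is never run. Consider gating this on an explicit opt-in in the bootstrap spec next to the existing EKS settings, or at least documenting the widened trust on the helper, e.g. `// ec2AssumeRolePolicy trusts ec2.amazonaws.com and, when eksEnabled, also pods.eks.amazonaws.com so the controllers role can back an EKS Pod Identity association.` The fixtures also gain `sts:TagSession` in a statement that sits roughly 17 lines before the statement that gains `pods.eks.amazonaws.com`, and nothing in the visible Go hunks adds that action; please confirm it lands on the same statement that carries the `pods.eks.amazonaws.com` principal, since Pod Identity needs both `sts:AssumeRole` and `sts:TagSession` allowed on the statement it assumes through. RenderCloudFormation's body extends beyond both hunks.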
@@ -0,0 +1,169 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/service/eks"
+ "github.com/aws/aws-sdk-go-v2/service/eks/types"
+ "github.com/aws/aws-sdk-go-v2/service/iam"
+ "github.com/spf13/cobra"
+ "k8s.io/kubectl/pkg/util/templates"
+)
+
+// UseEKSPodIdentityCmd is a CLI command that will enable using EKS pod identity for CAPA.
+func UseEKSPodIdentityCmd() *cobra.Command {
+ clusterName := ""
+ region := ""
+ namespace := ""
+ serviceAccount := ""
+ roleName := ""
+
+ newCmd := &cobra.Command{
+ Use: "use-pod-identity",
+ Short: "Enable EKS pod identity with CAPA",
+ Long: templates.LongDesc(`
+ Updates CAPA running in an EKS cluster to use EKS pod identity
+ `),
+ Example: templates.Examples(`
+ clusterawsadm controller use-pod-identity --cluster-name cluster1
+ `),
+ Args: cobra.NoArgs,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return usePodIdentity(cmd.Context(), region, clusterName, namespace, serviceAccount, roleName)
+ },
+ }
+
+ newCmd.Flags().StringVarP(®ion, "region", "r", "", "The AWS region containing the EKS cluster")
+ newCmd.Flags().StringVarP(&clusterName, "cluster-name", "n", "", "The name of the EKS management cluster")
+ newCmd.Flags().StringVar(&namespace, "namespace", "capa-system", "The namespace of CAPA controller")
+ newCmd.Flags().StringVar(&serviceAccount, "service-account", "capa-controller-manager", "The service account for the CAPA controller")
+ newCmd.Flags().StringVar(&roleName, "role-name", "controllers.cluster-api-provider-aws.sigs.k8s.io", "The name of the CAPA controller role. If you have used a prefix or suffix this will need to be changed.")
+
+ newCmd.MarkFlagRequired("cluster-name")
+
+ return newCmd
+}
+
+func usePodIdentity(ctx context.Context, region, clusterName, namespace, serviceAccount, roleName string) error {
+ cfg, err := config.LoadDefaultConfig(ctx)
+ if err != nil {
+ return fmt.Errorf("unable to load SDK config: %w", err)
+ }
+ if region != "" {
+ cfg.Region = region
+ }
+
+ roleArn, err := getRoleArn(ctx, &cfg, roleName)
+ if err != nil {
+ return err
+ }
+
+ eksClient := eks.NewFromConfig(cfg)
+
+ listInput := &eks.ListPodIdentityAssociationsInput{
+ ClusterName: aws.String(clusterName),
+ Namespace: aws.String(namespace),
+ }
+
+ listOutput, err := eksClient.ListPodIdentityAssociations(ctx, listInput)
+ if err != nil {
+ return fmt.Errorf("listing existing pod identity associations for cluster %s in namespace %s: %w", clusterName, namespace, err)
+ }
+
+ for _, association := range listOutput.Associations {
+ if *association.ServiceAccount == serviceAccount {
+ needsUpdate, err := podIdentityNeedsUpdate(ctx, eksClient, &association, roleName)
+ if err != nil {
+ return err
+ }
+ if !needsUpdate {
+ fmt.Printf("EKS pod association for service account %s already exists, no action taken\n", serviceAccount)
+ }
+
+ return updatePodIdentity(ctx, eksClient, &association, roleName)
+ }
+ }
+
+ fmt.Printf("Creating pod association for service account %s.....\n", serviceAccount)
+
+ createInput := &eks.CreatePodIdentityAssociationInput{
+ ClusterName: &clusterName,
+ Namespace: &namespace,
+ RoleArn: &roleArn,
+ ServiceAccount: &serviceAccount,
+ }
+
+ output, err := eksClient.CreatePodIdentityAssociation(ctx, createInput)
+ if err != nil {
+ return fmt.Errorf("failed to create pod identity association: %w", err)
+ }
+
+ fmt.Printf("Created pod identity association (%s)\n", *output.Association.AssociationId)
+
+ return nil
+}
+
+func podIdentityNeedsUpdate(ctx context.Context, client *eks.Client, association *types.PodIdentityAssociationSummary, roleArn string) (bool, error) {
+ input := &eks.DescribePodIdentityAssociationInput{
+ AssociationId: association.AssociationId,
+ ClusterName: association.ClusterName,
+ }
+
+ output, err := client.DescribePodIdentityAssociation(ctx, input)
+ if err != nil {
+ return false, fmt.Errorf("failed describing pod identity association: %w", err)
+ }
+
+ return *output.Association.RoleArn != roleArn, nil
+}
+
+func updatePodIdentity(ctx context.Context, client *eks.Client, association *types.PodIdentityAssociationSummary, roleArn string) error {
+ input := &eks.UpdatePodIdentityAssociationInput{
+ AssociationId: association.AssociationId,
+ ClusterName: association.ClusterName,
+ RoleArn: &roleArn,
+ }
+
+ _, err := client.UpdatePodIdentityAssociation(ctx, input)
+ if err != nil {
+ return fmt.Errorf("failed updating pod identity association: %w", err)
+ }
+
+ fmt.Printf("Updated pod identity to use role %s\n", roleArn)
+
+ return nil
+}
+
+func getRoleArn(ctx context.Context, cfg *aws.Config, roleName string) (string, error) {
+ client := iam.NewFromConfig(*cfg)
+
+ input := &iam.GetRoleInput{
+ RoleName: &roleName,
+ }
+
+ output, err := client.GetRole(ctx, input)
+ if err != nil {
+ return "", fmt.Errorf("failed looking up role %s: %w", roleName, err)
+ }
+
+ return *output.Role.Arn, nil
+}
diff --git a/devbox.lock b/devbox.lock
index e537ec3f69..2cadbdd0eb 100644
--- a/devbox.lock
+++ b/devbox.lock
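Review bot: In `usePodIdentity` the existing-association branch passes `roleName` to `podIdentityNeedsUpdate` and `updatePodIdentity`, whose parameter is `roleArn` and which compare against and write `Association.RoleArn`, so the "needs update" comparison is always true and the update request sends a role name where an ARN is expected; the `roleArn` returned by `getRoleArn` a few lines earlier is what should be passed. The same branch prints "already exists, no action taken" when `needsUpdate` is false but then falls through to `updatePodIdentity` anyway, so it needs a `return nil` after the message. The listing also reads only the first page of `ListPodIdentityAssociations`, and `association.ServiceAccount`, `output.Association.AssociationId`, `output.Association.RoleArn` and `output.Role.Arn` are dereferenced without nil checks; the rewrite below paginates, filters on the service account server-side and uses `aws.ToString`, and the same helper should replace the remaining dereferences. `newCmd.MarkFlagRequired("cluster-name")` returns an error that is silently dropped; `cobra.CheckErr(newCmd.MarkFlagRequired("cluster-name"))` or an explicit `_ =` with a comment would make that deliberate.
```go
	// … unchanged: config loading, getRoleArn, eks client …
	paginator := eks.NewListPodIdentityAssociationsPaginator(eksClient, &eks.ListPodIdentityAssociationsInput{
		ClusterName:    aws.String(clusterName),
		Namespace:      aws.String(namespace),
		ServiceAccount: aws.String(serviceAccount),
	})
	for paginator.HasMorePages() {
		page, err := paginator.NextPage(ctx)
		if err != nil {
			return fmt.Errorf("listing existing pod identity associations for cluster %s in namespace %s: %w", clusterName, namespace, err)
		}
		for i := range page.Associations {
			association := &page.Associations[i]
			if aws.ToString(association.ServiceAccount) != serviceAccount {
				continue
			}
			// Compare and update against the ARN resolved from the role name, not the name itself.
			needsUpdate, err := podIdentityNeedsUpdate(ctx, eksClient, association, roleArn)
			if err != nil {
				return err
			}
			if !needsUpdate {
				fmt.Printf("EKS pod association for service account %s already exists, no action taken\n", serviceAccount)
				return nil
			}
			return updatePodIdentity(ctx, eksClient, association, roleArn)
		}
	}
	// … unchanged: create association; print aws.ToString(output.Association.AssociationId) …
```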
@@ -233,57 +233,54 @@ } } }, - "github:NixOS/nixpkgs/nixpkgs-unstable": { - "resolved": "github:NixOS/nixpkgs/3549532663732bfd89993204d40543e9edaec4f2?lastModified=1742272065&narHash=sha256-ud8vcSzJsZ%2FCK%2Br8%2Fv0lyf4yUntVmDq6Z0A41ODfWbE%3D" - }, "github:NixOS/nixpkgs/nixpkgs-unstable": { "resolved": "github:NixOS/nixpkgs/573c650e8a14b2faa0041645ab18aed7e60f0c9a?lastModified=1741865919&narHash=sha256-4thdbnP6dlbdq%2BqZWTsm4ffAwoS8Tiq1YResB%2BRP6WE%3D" }, - "go@1.22": { - "last_modified": "2024-12-23T21:10:33Z", - "resolved": "github:NixOS/nixpkgs/de1864217bfa9b5845f465e771e0ecb48b30e02d#go_1_22", + "go@latest": { + "last_modified": "2025-10-07T08:41:47Z", + "resolved": "github:NixOS/nixpkgs/bce5fe2bb998488d8e7e7856315f90496723793c#go", "source": "devbox-search", - "version": "1.22.10", + "version": "1.25.1", "systems": { "aarch64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/34qa7mwbc1ja7758q4d9sjwmgip72lj9-go-1.22.10", + "path": "/nix/store/mkdfnr1nkfj2kznxyag9pypbxp3wqqdv-go-1.25.1", "default": true } ], - "store_path": "/nix/store/34qa7mwbc1ja7758q4d9sjwmgip72lj9-go-1.22.10" + "store_path": "/nix/store/mkdfnr1nkfj2kznxyag9pypbxp3wqqdv-go-1.25.1" }, "aarch64-linux": { "outputs": [ { "name": "out", - "path": "/nix/store/gbidq6smzj09j6qmcdklrvrjgllxmr5j-go-1.22.10", + "path": "/nix/store/0jzj8p7k9wkr4l17sgrlg3z5di27sggf-go-1.25.1", "default": true } ], - "store_path": "/nix/store/gbidq6smzj09j6qmcdklrvrjgllxmr5j-go-1.22.10" + "store_path": "/nix/store/0jzj8p7k9wkr4l17sgrlg3z5di27sggf-go-1.25.1" }, "x86_64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/jgz3hrbqblw65v95npdnvlymlm991s0c-go-1.22.10", + "path": "/nix/store/q2xylk8h3kbfajhw2lpdmyzyyqgqx8fl-go-1.25.1", "default": true } ], - "store_path": "/nix/store/jgz3hrbqblw65v95npdnvlymlm991s0c-go-1.22.10" + "store_path": "/nix/store/q2xylk8h3kbfajhw2lpdmyzyyqgqx8fl-go-1.25.1" }, "x86_64-linux": { "outputs": [ { "name": "out", - "path": 
"/nix/store/1hd6kq7rssk14py6v8mrdq2pn5ciiw6y-go-1.22.10", + "path": "/nix/store/f01qkydd3c2jqwi4w6hkddkf3blp16kw-go-1.25.1", "default": true } ], - "store_path": "/nix/store/1hd6kq7rssk14py6v8mrdq2pn5ciiw6y-go-1.22.10" + "store_path": "/nix/store/f01qkydd3c2jqwi4w6hkddkf3blp16kw-go-1.25.1" } } }, 
@@ -499,51 +496,51 @@ } } }, - "kustomize@latest": { - "last_modified": "2025-03-11T17:52:14Z", - "resolved": "github:NixOS/nixpkgs/0d534853a55b5d02a4ababa1d71921ce8f0aee4c#kustomize", + "kustomize@5.5.0": { + "last_modified": "2024-12-23T21:10:33Z", + "resolved": "github:NixOS/nixpkgs/de1864217bfa9b5845f465e771e0ecb48b30e02d#kustomize", "source": "devbox-search", - "version": "5.6.0", + "version": "5.5.0", "systems": { "aarch64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/y85spf2nmlffzmq9lyzl8db7i0acdsqf-kustomize-5.6.0", + "path": "/nix/store/xpypw514kxv803li525a5by78g90ygyl-kustomize-5.5.0", "default": true } ], - "store_path": "/nix/store/y85spf2nmlffzmq9lyzl8db7i0acdsqf-kustomize-5.6.0" + "store_path": "/nix/store/xpypw514kxv803li525a5by78g90ygyl-kustomize-5.5.0" }, "aarch64-linux": { "outputs": [ { "name": "out", - "path": "/nix/store/pwnmchq4bafvkbb84m62m8vqp9dqgaz8-kustomize-5.6.0", + "path": "/nix/store/4v454dywxsyzcq9ypm7aa5v0mdlj9vqn-kustomize-5.5.0", "default": true } ], - "store_path": "/nix/store/pwnmchq4bafvkbb84m62m8vqp9dqgaz8-kustomize-5.6.0" + "store_path": "/nix/store/4v454dywxsyzcq9ypm7aa5v0mdlj9vqn-kustomize-5.5.0" }, "x86_64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/hrlykqw1jcl2ykzida4amf2s5sjhdsng-kustomize-5.6.0", + "path": "/nix/store/6g9p4i5r4qvfdygh157376fhzpp55bqk-kustomize-5.5.0", "default": true } ], - "store_path": "/nix/store/hrlykqw1jcl2ykzida4amf2s5sjhdsng-kustomize-5.6.0" + "store_path": "/nix/store/6g9p4i5r4qvfdygh157376fhzpp55bqk-kustomize-5.5.0" }, "x86_64-linux": { "outputs": [ { "name": "out", - "path": "/nix/store/cwclm6315x1cn2kswzfhfcqp13qf44b0-kustomize-5.6.0", + "path": "/nix/store/5z7yq6831fsrsxsvg2ic229146ymmjaq-kustomize-5.5.0", "default": true } ], - "store_path": "/nix/store/cwclm6315x1cn2kswzfhfcqp13qf44b0-kustomize-5.6.0" + "store_path": "/nix/store/5z7yq6831fsrsxsvg2ic229146ymmjaq-kustomize-5.5.0" } } }, 
diff --git a/docs/book/src/topics/eks/eks-pod-identity.md b/docs/book/src/topics/eks/eks-pod-identity.md new file mode 100644 index 0000000000..e0c342108a --- /dev/null +++ b/docs/book/src/topics/eks/eks-pod-identity.md @@ -0,0 +1,32 @@ +# Using EKS Pod Identity for CAPA Controller + +You can use [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to supply the credentials for the CAPA controller when the management is in EKS. This is an alternative to using the static boostrap credentials or IRSA. + +## Pre-requisites + +- Management cluster must be an EKS cluster +- AWS environment variables set for your account + +## Steps + +1. Install the **Amazon EKS Pod Identity Agent** EKS addon into the cluster. This can be done using the AWS console or using the AWS cli. + +> NOTE: If your management cluster is a "self-managed" CAPI cluster then its possible to install the addon via the **EKSManagedControlPlane**. + +2. Create an EKS pod identity association for CAPA by running the following (replacing **** with the name of your EKS cluster): + +```bash +clusterawsadm controller use-pod-identity --cluster-name +``` + +3. Ensure any credentials set for the controller are removed (a.k.a zeroed out): + +```bash +clusterawsadm controller zero-credentials --namespace=capa-system +``` + +4. Force CAPA to restart so that the AWS credentials are injected: + +```bash +clusterawsadm controller rollout-controller --kubeconfig=kubeconfig --namespace=capa-system +``` diff --git a/docs/book/src/topics/eks/index.md b/docs/book/src/topics/eks/index.md index 9312cc4eaa..e05099d112 100644 --- a/docs/book/src/topics/eks/index.md +++ b/docs/book/src/topics/eks/index.md 
@@ -29,11 +29,12 @@ And a number of new templates are available in the templates folder for creating ## SEE ALSO -* [Prerequisites](prerequisites.md) -* [Enabling EKS Support](enabling.md) -* [Disabling EKS Support](disabling.md) -* [Creating a cluster](creating-a-cluster.md) -* [Using EKS Console](eks-console.md) -* [Using EKS Addons](addons.md) -* [Enabling Encryption](encryption.md) -* [Cluster Upgrades](cluster-upgrades.md) \ No newline at end of file +- [Prerequisites](prerequisites.md) +- [Enabling EKS Support](enabling.md) +- [Disabling EKS Support](disabling.md) +- [Creating a cluster](creating-a-cluster.md) +- [Using EKS Console](eks-console.md) +- [Using EKS Addons](addons.md) +- [Enabling Encryption](encryption.md) +- [Cluster Upgrades](cluster-upgrades.md) +- [Using EKS Pod Identity for controller credentials](eks-pod-identity.md)