Skip to content

[FEATURE] Use EKS Pod Identity for granting IAM permissions (AWS Load Balancer Controller) #94

Open
Open
[FEATURE] Use EKS Pod Identity for granting IAM permissions (AWS Load Balancer Controller)#94
@iamahgoub

Description

@iamahgoub
iamahgoub
opened on May 20, 2024

So far, the implementation has been using IRSA for granting IAM permissions needed to tools/workloads. This issue is for migrating to EKS Pod Identity (where applicable). The scope of this issue is limited to AWS LBC.

Changes:

  1. Install EKS Pod Identity Agent add-on. provider-aws-eks has MR for managing EKS add-ons; see https://marketplace.upbound.io/providers/upbound/provider-aws-eks/v1.4.0/resources/eks.aws.upbound.io/Addon/v1beta1.
  2. Change trust policy of the IAM role located at repos/gitops-system/tools-config/aws-load-balancer-controller-iam/.
  3. Remove the ServiceAccount annotation at repos/gitops-system/tools-config/sa.yaml.
  4. Add manifests for ServiceAccount and IAM role association; provider-aws-eks has MR for managing that; see https://marketplace.upbound.io/providers/upbound/provider-aws-eks/v1.4.0/resources/eks.aws.upbound.io/PodIdentityAssociation/v1beta1.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions