You're no longer required to provide a security context for non-root containers that need to access the web identity token file for use with IAM roles for service accounts. For more information, see IAM roles for service accounts and proposal for file permission handling in projected service account volume on GitHub.
@sotoiwa That's a great idea. Thanks for the suggestion. Do you want to submit a PR for this or would you rather I incorporate the idea into the guide?
Describe the problem
According to the above topic, when using IRSA, non-root containers need to specify fsGroup in the securityContext and set the file permissions for the web identity token. In Kubernetes 1.19, this is no longer required, so it is a good idea to add this point.
This is documented in the EKS documentation.
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.19
References
https://aws.github.io/aws-eks-best-practices/security/docs/iam/#run-the-application-as-a-non-root-user
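As an added illustration (not part of this issue, the EKS documentation, or the best practices guide), the following pod spec shows the pre-1.19 workaround the issue refers to: a container running as a non-root user with an IRSA-annotated service account, plus a pod-level fsGroup so the projected web identity token file is group-readable by that user. The namespace, role ARN, image, UID and the fsGroup value 65534 are assumed placeholders; on Kubernetes 1.19 and later the securityContext.fsGroup entry can be omitted.

```yaml
# Assumed example manifest, not from the issue or the guide.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: example          # assumed namespace
  annotations:
    # IRSA binding: the EKS webhook injects AWS_ROLE_ARN and
    # AWS_WEB_IDENTITY_TOKEN_FILE into pods using this service account.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/app-role   # placeholder ARN
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: example
spec:
  serviceAccountName: app-sa
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000           # assumed non-root UID
    # Pre-1.19 workaround only: make the projected token volume
    # group-owned by this GID so a non-root process can read the token.
    # On Kubernetes 1.19+ this line is no longer needed.
    fsGroup: 65534
  containers:
    - name: app
      image: example.com/app:1.0    # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
```

To confirm the token is readable without exposing its contents, list its permissions from inside the pod: `kubectl -n example exec app -- sh -c 'ls -l "$AWS_WEB_IDENTITY_TOKEN_FILE"'`. If the mode and owner/group do not allow the container's UID to read the file on a pre-1.19 cluster, the AWS SDK will fall back to other credential sources or fail, which is the symptom the fsGroup setting addresses.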