In 1.19, it is not necessary to specify the securityContext when using IRSA in non-root containers

[sotoiwa]

Describe the problem

• Run the application as a non-root user

According to the above topic, when using IRSA, non-root containers need to specify fsGroup in the securityContext and set the file permissions for the web identity token. In Kubernetes 1.19, this is no longer required, so it is a good idea to add this point.

This is documented in the EKS documentation.

https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.19

You're no longer required to provide a security context for non-root containers that need to access the web identity token file for use with IAM roles for service accounts. For more information, see IAM roles for service accounts andproposal for file permission handling in projected service account volume on GitHub.

References
https://aws.github.io/aws-eks-best-practices/security/docs/iam/#run-the-application-as-a-non-root-user

[jicowan]

@sotoiwa That's a great idea. Thanks for the suggestion. Do you want to submit a PR for this or would you rather I incorporate the idea into the guide?

[jicowan]

Thanks for the suggestion. I updated the document.