[EKS] [request]: Set IRSA pod identity webhook to use regional STS by default #1599
Comments
You can annotate a service account with We are evaluating making the regional STS endpoint as the default in a future EKS version release.
@mikestef9 is there more information somewhere on what “Just Shipped” means for this issue?
Yes, the documentation link that @georgejohnis mentioned above has instructions https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
Actually, I'll re-open the issue, as the ask is to change default.
Update: We are going to change the default to regional STS endpoint for all clusters, without a need to opt in with annotations on service accounts. This will be available for new clusters soon, and will be rolling out for existing clusters over next several weeks.
would the STS principal endpoint address for EKS be receiving a similar update or no? Ref: terraform-aws-modules/terraform-aws-eks#1904
@mikestef9 Did this finish rolling out/would the way to check if you've got the new behavior be to check the pod env vars for the AWS_STS_REGIONAL_ENDPOINTS env var?
It's still rolling out, almost done. It will be part of a new EKS platform version, and docs will be updated with the min platform version where this default change has been made.
We have decided to roll this change out only starting from EKS version 1.22 clusters. |
Closing as EKS 1.22 is now released |
Community Note
Tell us about your request
EKS clusters should default to AWS_STS_REGIONAL_ENDPOINTS=regional instead of legacy for pods using IRSA. It is possible to define this via --sts-regional-endpoint=true on the pod-identity-webhook daemon, however this deployment is not exposed for configuration. Please set this value by default and/or provide a new EKS addon to support configuring this value.
This issue caused outages with pods using IRSA in us-east-2 during the downtime in us-east-1 which is an unacceptable default.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Isolate EKS deployments using IRSA to their regional endpoints instead of relying on the "global" (legacy) STS endpoint when running workloads on an AWS-hosted resource tied to a specific region.
Are you currently working around this issue?
Manually defining AWS_STS_REGIONAL_ENDPOINTS=regional environment variable in each pod config.
Additional context
The AWS CLI v2 switched the default to "regional" already. This indicates they felt changing a default was important enough for the community to do it already.
The docs for the webhook state that "regional" is what you want almost always - so why is it left at legacy?
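As an added example (not from this issue or the pod-identity-webhook project): a check over `kubectl get pods -o json` output that flags IRSA pods still using the legacy STS endpoint, plus the per-pod workaround described above. The pod data and the account/role values are constructed placeholders; `env_map`, `find_legacy_irsa_containers` and `add_regional_endpoint` are names chosen here.

```python
import json

# Constructed sample of `kubectl get pods -A -o json` output (placeholder account id and role).
PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "app", "name": "worker-legacy"},
         "spec": {"containers": [{"name": "main", "env": [
             {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/placeholder-role"},
             {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
              "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}]}},
        {"metadata": {"namespace": "app", "name": "worker-regional"},
         "spec": {"containers": [{"name": "main", "env": [
             {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/placeholder-role"},
             {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
              "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"},
             {"name": "AWS_STS_REGIONAL_ENDPOINTS", "value": "regional"}]}]}},
        {"metadata": {"namespace": "web", "name": "static-site"},
         "spec": {"containers": [{"name": "nginx"}]}},
    ]
})

# Env vars the webhook injects into every IRSA pod; their presence marks a pod as using IRSA.
IRSA_MARKERS = {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}


def env_map(container):
    """Return the container's literal env vars as a dict (valueFrom entries are skipped)."""
    return {e["name"]: e.get("value") for e in container.get("env", []) if "value" in e}


def find_legacy_irsa_containers(pods_json):
    """List namespace/pod/container for IRSA containers without AWS_STS_REGIONAL_ENDPOINTS=regional."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            env = env_map(c)
            if not IRSA_MARKERS.issubset(env):
                continue  # not an IRSA pod, so the STS endpoint setting is irrelevant
            if env.get("AWS_STS_REGIONAL_ENDPOINTS") != "regional":
                findings.append(f'{meta["namespace"]}/{meta["name"]}/{c["name"]}')
    return findings


def add_regional_endpoint(container):
    """Apply the workaround from the issue: pin this container to the regional STS endpoint."""
    env = [e for e in container.get("env", []) if e["name"] != "AWS_STS_REGIONAL_ENDPOINTS"]
    env.append({"name": "AWS_STS_REGIONAL_ENDPOINTS", "value": "regional"})
    container["env"] = env
    return container


if __name__ == "__main__":
    for finding in find_legacy_irsa_containers(PODS_JSON):
        print("legacy STS endpoint:", finding)
```

Run it against a live cluster by piping `kubectl get pods -A -o json` into `find_legacy_irsa_containers`; non-IRSA pods are ignored so the report only lists workloads actually affected by the default.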