Allow setting securityContext.fsGroup to workaround IRSA #109

Closed
yorinasub17 opened this issue Nov 8, 2021 · 1 comment
Labels
bug Something isn't working

Comments

@yorinasub17
Contributor

Describe the bug

IAM Role for Service Accounts has a bug where non-root Docker containers are not able to read the Kubernetes token when it is projected, due to file permissions. To work around this, you need to be able to configure the fsGroup property. See aws/amazon-eks-pod-identity-webhook#8 for more information.

To Reproduce
Use the k8s-service Helm chart with IAM Role for Service Accounts using Kubernetes version <1.19, and a Docker container that does not run as root.

Expected behavior
The container can assume the bound IAM Role.

Actual behavior
The container is not able to assume the bound IAM Role.

@yorinasub17 yorinasub17 added the bug Something isn't working label Nov 8, 2021
@yorinasub17
Contributor Author

Ah, this is actually already supported.
