EKS: Add AutoscaleRole to worker. #66
Conversation
|
Thanks for the issue and the PR. I am not convinced adding the role to all nodes is the best approach though. I think it would be preferable if the role was only available to the autoscaler itself. While getting this right is more complex, this is something I will have to do as part of #63 anyway, so that the pipeline can be run using Tekton inside the cluster. Current plan is to do this via Kiam so that not all the nodes have admin roles required to configure the cluster and its AWS resources. In the meantime, your approach is an ok workaround of course. |
|
I agree that it isn't ideal putting it on every node and is just a workaround. Kiam definitely looks like the best way to go. |
|
Getting back to this it seems AWS finally came around with a viable solution similar to the GKE workload identity. https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ I will try this for #63 and when it works, will apply the same for autoscaling here aswell. |
|
IAM roles for service account are supported for a couple of releases and can be used to map a K8s service account to a IAM role. That K8s service account can be configured for the pod the autoscaler runs in. Therefor allowing to limit access only to the autoscaler and no other workload that happens to be scheduled onto the node. |
Fixes #65
Without this policy, the cluster-autoscaler does not work.