Merge pull request #13338 from olemarkus/update-irsa-docs

Add webhook notes + some docs changes
kubernetes · Mar 5, 2022 · 437c234 · 437c234
2 parents 22a1bf2 + 9b934ea
commit 437c234
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 19 deletions.
diff --git a/docs/addons.md b/docs/addons.md
@@ -224,6 +224,28 @@ spec:
     memoryRequest: 32Mi
     cpuRequest: 10m
 ```
+
+#### Pod Identity Webhook
+
+{{ kops_feature_table(kops_added_default='1.23') }}
+
+When using [IAM roles for Service Accounts](/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa) (IRSA), Pods require an additinal token to authenticate with the AWS API. In addition, the SDK requires specific environment variables set to make use of these tokens. This addon will mutate Pods configured to use IRSA so that users do not need to do this themselves.
+
+All ServiceAccounts configured with AWS privileges in the Cluster spec will automatically be mutated to assume the configured role.
+
+
+```yaml
+spec:
+  certManager:
+    enabled: true
+  podIdentityWebhook:
+    enabled: true
+```
+
+The EKS annotations on ServiceAccounts are typically not necessary as kOps will configure the webhook with all ServiceAccount to role mapping configured in the Cluster spec. But if you need specific configuration, you may annotate the ServiceAccount, overriding the kOps configuration.
+
+Read more about Pod Identity Webhook in the [official documentation](https://github.com/aws/amazon-eks-pod-identity-webhook).
+
 #### Snapshot controller
 
 {{ kops_feature_table(kops_added_default='1.21', k8s_min='1.20') }}
@@ -247,23 +269,6 @@ spec:
       enabled: true
 ```
 
-#### EKS Pod Identity Webhook
-
-{{ kops_feature_table(kops_added_default='1.24') }}
-
-kOps can install EKS Pod Identity Webhook for IAM Role for Service Accounts.
-You need to enable cert-manager to use this feature.
-
-```yaml
-spec:
-  certManager:
-    enabled: true
-  podIdentityWebhook:
-    enabled: true
-```
-
-Read more about EKS Pod Identity Webhook in the [official documentation](https://github.com/aws/amazon-eks-pod-identity-webhook).
-
 ## Custom addons
 
 The command `kops create cluster` does not support specifying addons to be added to the cluster when it is created. Instead they can be added after cluster creation using kubectl. Alternatively when creating a cluster from a yaml manifest, addons can be specified using `spec.addons`.

diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
@@ -1458,3 +1458,5 @@ spec:
               }
             ]
 ```
+
+To configure Pods to assume the given IAM roles, enable the [Pod Identity Webhook](/addons/#pod-identity-webhook). Without this webhook, you need to modify your Pod specs yourself for your Pod to assume the defined roles.
diff --git a/docs/releases/1.23-NOTES.md b/docs/releases/1.23-NOTES.md
@@ -6,14 +6,14 @@ This is a document to gather the release notes prior to the release.
 
 # Significant changes
 
-## Other significant changes
-
 * If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is
 being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name and
 managed subnets will be configured to launch instances with Resource Based Names.
 
 * Support for [ShutdownGracePeriod and ShutdownGracePeriodCriticalPods](https://kubernetes.io/blog/2021/04/21/graceful-node-shutdown-beta/). By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
 
+* By enabling the [pod identity webhook](https://kops.sigs.k8s.io/addons/#pod-identity-webhook), you no longer need to modify your Pod specs to assume IAM roles.
+
 # Breaking changes
 
 * Support for Kubernetes version 1.17 has been removed.