kube2iam and IRSA support #1376
Assignees
Comments
|
As an iteration that may resolve this: change helper behavior to support load default configuration incase one of the credentials is empty. There's no certainty that this will support the IRSA use-case as there's no clear correlation between AWS CLI behavior and GOLang SDK behavior. Annotations will be supported in the next release as part of addressing this issue: #1371 |
|
FYI: This does not work with EKS when the release namespace is: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current: AWS S3 helper works only with aws key id and secret credentials. There's not support in situations that the pod is configured to use AWS at the pod level.
Required:
Introduction: In situations where tools like kube2iam and IRSA are involved and pods are configured by annotations, Kubeshark's S3 helper needs to work without providing secret key and key id credentials and assume the POD is already configured.
Request #1: Helper should run without credentials and assume the pod is already configured.
To test these situations without actually setting up all of the necessary steps to support IRSA, we can use
aws configto configure the pod and then ensure the AWS S3 helper is capable of performing without credentials.Request #2: We then need to enable users using the helper not to pass credentials or pass empty credentials.
Request #3: Enable user to annotate the kubeshark-service account from the configuration
TL;DR
Some useful links:
https://rahullokurte.com/how-to-connect-to-s3-from-eks-using-the-iam-role-for-the-service-account
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
The text was updated successfully, but these errors were encountered: