Current: AWS S3 helper works only with AWS key ID and secret credentials. There's no support in situations where the pod is configured to use AWS at the pod level.
Required:
Introduction: In situations where tools like kube2iam and IRSA are involved and pods are configured by annotations, Kubeshark's S3 helper needs to work without providing secret key and key ID credentials and assume the pod is already configured.
Request #1: Helper should run without credentials and assume the pod is already configured.
To test these situations without actually setting up all of the necessary steps to support IRSA, we can use aws config to configure the pod and then ensure the AWS S3 helper is capable of performing without credentials.
Request #2: We then need to enable users using the helper not to pass credentials or pass empty credentials.
Request #3: Enable the user to annotate the kubeshark-service account from the configuration.
Status is urgent as there's a user who can't use credentials and only kube2iam. User is waiting for resolution.
As an iteration that may resolve this: change helper behavior to support loading the default configuration in case one of the credentials is empty. There's no certainty that this will support the IRSA use case, as there's no clear correlation between AWS CLI behavior and Golang SDK behavior.
Annotations will be supported in the next release as part of addressing this issue: #1371
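The fallback discussed in this thread (use static keys only when both are supplied, otherwise defer to the SDK's default credential chain) can be sketched as follows. This is an added example, not Kubeshark's code: `ResolveCredentialSource`, the `CredentialSource` constants and the `S3_KEY_ID` / `S3_SECRET` variable names are hypothetical, while `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects into IRSA-enabled pods.

```go
package main

import (
	"fmt"
	"os"
)

// CredentialSource names where the S3 helper should take AWS credentials from.
type CredentialSource string

const (
	SourceStatic      CredentialSource = "static-keys"
	SourceWebIdentity CredentialSource = "default-chain/web-identity"
	SourceDefault     CredentialSource = "default-chain"
)

// ResolveCredentialSource is a hypothetical helper (not Kubeshark code).
// Static keys are used only when BOTH values are present; if either one is
// empty the helper defers to the SDK default chain, as the thread proposes.
// getenv is injected so the decision can be tested outside a real pod.
func ResolveCredentialSource(keyID, secret string, getenv func(string) string) (CredentialSource, string) {
	if keyID != "" && secret != "" {
		return SourceStatic, "using explicitly supplied key id and secret"
	}
	note := ""
	if keyID != "" || secret != "" {
		// Half a key pair is a configuration mistake worth surfacing in logs.
		note = "partial static credentials ignored; "
	}
	// The EKS pod identity webhook injects these two variables for IRSA pods.
	if getenv("AWS_ROLE_ARN") != "" && getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" {
		return SourceWebIdentity, note + "IRSA environment detected"
	}
	// kube2iam serves role credentials through the instance metadata
	// endpoint, so nothing is visible in the pod environment.
	return SourceDefault, note + "no IRSA variables; relying on metadata/shared config"
}

func main() {
	// S3_KEY_ID and S3_SECRET are assumed names for the helper's inputs.
	src, why := ResolveCredentialSource(os.Getenv("S3_KEY_ID"), os.Getenv("S3_SECRET"), os.Getenv)
	fmt.Printf("%s (%s)\n", src, why)
}
```

Logging the returned reason at helper start-up makes it visible which identity the pod actually used, which helps when a role annotation is missing or a stale key is still configured.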
TL;DR
Some useful links:
https://rahullokurte.com/how-to-connect-to-s3-from-eks-using-the-iam-role-for-the-service-account
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html