@codyhoag
Contributor

@codyhoag codyhoag commented Jan 5, 2022

@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 5, 2022
@netlify

netlify bot commented Jan 5, 2022

✔️ Deploy Preview for osdocs ready!

🔨 Explore the source changes: ea1e625

🔍 Inspect the deploy log: https://app.netlify.com/sites/osdocs/deploys/61d5e95bbf37130008a7ef67

😎 Browse the preview: https://deploy-preview-40290--osdocs.netlify.app

@codyhoag
Contributor Author

codyhoag commented Jan 5, 2022

@gregsheremeta this is a shot in the dark at providing docs for the Amazon EKS pod identity webhook. This is a bit tricky because a lot of the provided resources were Amazon-specific, but I attempted to extract the necessary information relevant for OCP. Please take a look and let me know if there are any holes in this draft doc (or tag someone better for this request). Thanks!

@sferich888 also wanted to pull you in early for this. This is mostly based on an Amazon README. There are no official Amazon docs that I'm aware of, and there is necessary information there that I linked to to avoid just recreating it in our docs repo. Please let me know your thoughts on this. Thanks!

@gregsheremeta

I don't have the technical understanding to be able to review this accurately. I suggest asking for a review from @joelddiaz and @akhil-rane

@joelddiaz
Contributor

this does not appear to be correct. there should be no need to run anything related to 'aws eks' using the AWS CLI.

@codyhoag
Contributor Author

codyhoag commented Jan 6, 2022

@joelddiaz thanks for taking a look! The initial request, more or less, was to convert this README over to our docs. This PR is a reflection of that request. There is only one aws eks command in the new doc, so perhaps another OCP-specific instruction can be defined for that step? Or just remove that suggestion and only instruct to create an OIDC provider?

Please let me know if there are any better resources that can help get this doc moving in the right direction. Thanks!

@joelddiaz
Contributor

We (the hive team responsible for the AWS webhook) have a task to document this https://issues.redhat.com/browse/CCO-126, but that work is not started nor complete. That doc work was intended to be the basis for writing the eventual docs that would end up on docs.openshift.com, but we clearly don't have anything written for you to work with yet.

@codyhoag
Contributor Author

codyhoag commented Jan 6, 2022

Thanks for the context. I think holding off on this is probably best until CCO-126 is complete. If this PR is not accurate, then there's really nothing else to work with from the docs side; the resources we were given sound outdated or not in the right context for OCP.

@joelddiaz let me know if you disagree. I will hold for now.

cc @nermina-redhat @jeana-redhat

@openshift-ci openshift-ci bot requested a review from jeana-redhat January 6, 2022 19:47
@openshift-ci

openshift-ci bot commented Jan 6, 2022

@codyhoag: GitHub didn't allow me to request PR reviews from the following users: nermina-redhat.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Thanks for the context. I think holding off on this is probably best until CCO-126 is complete. If this PR is not accurate, then there's really nothing else to work with from the docs side; the resources we were given sound outdated or not in the right context for OCP.

@joelddiaz let me know if you disagree. I will hold for now.

/cc @nermina-redhat @jeana-redhat

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@codyhoag codyhoag removed the request for review from jeana-redhat January 6, 2022 19:47
@joelddiaz
Contributor

It's not that far from being useful, but there are details that I feel we could put in there to make it super clear which objects need to be created and in what order.
I'd like to show a concrete example of:
here is an IAM Role that grants the ability to list S3 buckets
here is how you limit that Role to the k8s ServiceAccount named XYX in namespace ABC
here is an example Deployment and properly annotated ServiceAccount
here is how to verify that it is all working
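
An added example, not part of this thread or of the OpenShift docs: one way to express the second item above (limiting the role to ServiceAccount XYX in namespace ABC) as an IAM trust policy, with a check that flags web-identity statements not pinned to an exact subject. The issuer host, account ID and provider ARN are constructed placeholders, and the function names are hypothetical.

```python
import json

WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"

def sa_subject(namespace, name):
    # Form of the `sub` claim in a Kubernetes service account token.
    return f"system:serviceaccount:{namespace}:{name}"

def build_trust_policy(provider_arn, issuer_host, namespace, name):
    """Trust policy that only the named ServiceAccount's token can satisfy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": WEB_IDENTITY,
            "Condition": {"StringEquals": {
                f"{issuer_host}:sub": sa_subject(namespace, name)}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, issuer_host):
    """Return findings for web-identity statements not pinned to exact subjects."""
    findings, key = [], f"{issuer_host}:sub"
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if WEB_IDENTITY not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        if key in cond.get("StringEquals", {}):
            continue  # exact match on the subject claim
        likes = _as_list(cond.get("StringLike", {}).get(key, []))
        if likes:
            findings.append(f"statement {i}: StringLike on {key}: {likes}")
        else:
            findings.append(f"statement {i}: no condition on {key}; "
                            "role is not limited to one service account")
    return findings

# Constructed sample values (assumptions, not taken from the PR).
PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/oidc.example.com"
ISSUER = "oidc.example.com"
GOOD = build_trust_policy(PROVIDER_ARN, ISSUER, "ABC", "XYX")
LOOSE = json.loads(json.dumps(GOOD))   # deep copy, then drop the condition
del LOOSE["Statement"][0]["Condition"]

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    print(audit_trust_policy(LOOSE, ISSUER))
```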

@codyhoag
Contributor Author

codyhoag commented Jan 6, 2022

Yes, I definitely agree the current doc is a very rough draft. Much to be added. Sounds good 👍

@nermina-redhat
Contributor

@codyhoag what's the status of this work? Do we need to involve another writer? Thanks!

@codyhoag
Contributor Author

@nermina-redhat the initial dev docs provided only partially covered the topic, so this requires more surrounding information. This information will likely come from the Hive team when there is bandwidth. So we're in "wait" mode until there are further resources provided.

@nermina-redhat
Contributor

Thanks for that update. I see that the related card is linked. I appreciate your quick response.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 27, 2022
@kalexand-rh
Contributor

@jeana-redhat, will you PTAL?

@jeana-redhat
Contributor

jeana-redhat commented Apr 29, 2022

@kalexand-rh I think we are in the same state as we were in January. CCO-126 hasn't been reassigned since Joel's departure.

@jeana-redhat
Contributor

I'm closing this PR since the folks doing the original work on it are no longer at Red Hat, and it is plausible that when the related card is finished, there may be substantial differences from what we have here. This PR is still linked to the dev card and can serve as reference for when work resumes on this effort.
