- 
                Notifications
    You must be signed in to change notification settings 
- Fork 631
✨ Add EKS Pod Identities to AWSManagedControlPlane #4906
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
| Hi @stefanmcshane. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with  Once the patch is verified, the new status will be reflected by the  I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. | 
| /retest | 
| /retest-required | 
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | ||
| // +kubebuilder:validation:Required | ||
| ServiceAccountName string `json:"serviceAccountName"` | ||
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | ||
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:default=default | ||
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | ||
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | ||
| // +kubebuilder:validation:Required | ||
| RoleARN string `json:"serviceAccountRoleARN,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They're all called serviceAccountXXX which is an antipattern in Kubernetes manifests. I'd recommend moving these to .serviceAccount.{name,namespace,roleARN}.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The goal here was to be overtly explicit as I have found that our customers get confused on that sometimes. Nothing that docs cannot fix however
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In thinking more about this, I remembered that the kubernetes Pod spec switched from serviceAccount to serviceAccountName a few years back.
I do err on the side of clarity for maintainability's sake when it comes to naming, but would definitely not go against whatever is considered standard. Do you have a reference for the naming convention to help me decide?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In thinking about this more, whilst the medium is a CRD, the keys are in reference to an AWS object. I would expect a PodIdentityAssociation.Name to refer to the name of an AWS object when using the AWS API
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pod.spec.serviceAccountName is a singular field that won't change. It doesn't allow referring to another namespace on purpose.
The 3 fields you're adding will always be filled and none can be optional or defaulted (even the namespace), so a common prefix is unusual for newly-designed CRDs. See for example Ingress.spec.defaultBackend.service.{name,port} or Gateway API's Gateway.[...].listeners[*].{name,protocol,port}. Core APIs such as Pod aren't great examples since they can't be evolved without lots of breaking changes, and also a pod spec mostly only refers to names and doesn't provide many comparable examples here.
Therefore, here's my suggestion (dedenting roleARN as compared to my initial comment, since it's not referring to a service account):
  podIdentityAssociations:
    - serviceAccount:
        name: myserviceaccount
        namespace: default
      roleARN: arn:aws:iam::012345678901:role/capi-test-role
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is definitely a back and forth on the semantics on this. I personally dont see this as being a blocking change, and moreso a semantic preference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least the JSON field name and struct name should be aligned, since currently they're not lowercase-equal which could be confusing:
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | |
| // +kubebuilder:validation:Required | |
| ServiceAccountName string `json:"serviceAccountName"` | |
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | |
| // +kubebuilder:validation:Required | |
| // +kubebuilder:default=default | |
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | |
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | |
| // +kubebuilder:validation:Required | |
| RoleARN string `json:"serviceAccountRoleARN,omitempty"` | |
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | |
| // +kubebuilder:validation:Required | |
| ServiceAccountName string `json:"serviceAccountName"` | |
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | |
| // +kubebuilder:validation:Required | |
| // +kubebuilder:default=default | |
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | |
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | |
| // +kubebuilder:validation:Required | |
| ServiceAccountRoleARN string `json:"serviceAccountRoleARN,omitempty"` | 
Or the other way around (json:"roleARN") – doesn't matter.
Then the documented examples in docs/book/src/topics/eks/pod-identity-associations.md must be converted to the final naming choice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, the roleARN is an AWS resource, not a service account, so the naming shouldnt be consistent. The suggested shouldn't be committed imo
        
          
                pkg/eks/podidentities/procedures.go
              
                Outdated
          
        
      | if output.Association == nil { | ||
| return ErrNilPodIdentityAssociation | ||
| } | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this really happen? Or is there a specific reason why we want to check this field here, since we're not even reading it? I'd rather remove this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there is a possibility for it in their SDK, I personally wouldnt rule it out. I'd personally rather catch the possibility of this error loudly with an error returned, than letting it silently continue. Ill follow your lead and remove it as the arn is not read/used at present
| Split out the AWS updates to reduce the size of this PR | 
836fbba    to
    121d8b1      
    Compare
  
    | // ServiceAccountName is the name of the kubernetes Service Account within the namespace | ||
| // +kubebuilder:validation:Required | ||
| ServiceAccountName string `json:"serviceAccountName"` | ||
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | ||
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:default=default | ||
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | ||
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | ||
| // +kubebuilder:validation:Required | ||
| RoleARN string `json:"serviceAccountRoleARN,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pod.spec.serviceAccountName is a singular field that won't change. It doesn't allow referring to another namespace on purpose.
The 3 fields you're adding will always be filled and none can be optional or defaulted (even the namespace), so a common prefix is unusual for newly-designed CRDs. See for example Ingress.spec.defaultBackend.service.{name,port} or Gateway API's Gateway.[...].listeners[*].{name,protocol,port}. Core APIs such as Pod aren't great examples since they can't be evolved without lots of breaking changes, and also a pod spec mostly only refers to names and doesn't provide many comparable examples here.
Therefore, here's my suggestion (dedenting roleARN as compared to my initial comment, since it's not referring to a service account):
  podIdentityAssociations:
    - serviceAccount:
        name: myserviceaccount
        namespace: default
      roleARN: arn:aws:iam::012345678901:role/capi-test-role
| @@ -0,0 +1,102 @@ | |||
| /* | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have a style or coding guide, I think. I did a regular code review and while reading, I found this to be a bit too complex for what it's doing, especially since one needs to read multiple functions. The source example pkg/eks/addons/plan.go is doing a bit more because of addon "states", and didn't have access to the nice slices module at the time. I don't think the code is very bad here. But maybe we can modernize rather than copy the existing idea as-is. It can be mostly a single function.
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | ||
| // +kubebuilder:validation:Required | ||
| ServiceAccountName string `json:"serviceAccountName"` | ||
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | ||
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:default=default | ||
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | ||
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | ||
| // +kubebuilder:validation:Required | ||
| RoleARN string `json:"serviceAccountRoleARN,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least the JSON field name and struct name should be aligned, since currently they're not lowercase-equal which could be confusing:
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | |
| // +kubebuilder:validation:Required | |
| ServiceAccountName string `json:"serviceAccountName"` | |
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | |
| // +kubebuilder:validation:Required | |
| // +kubebuilder:default=default | |
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | |
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | |
| // +kubebuilder:validation:Required | |
| RoleARN string `json:"serviceAccountRoleARN,omitempty"` | |
| // ServiceAccountName is the name of the kubernetes Service Account within the namespace | |
| // +kubebuilder:validation:Required | |
| ServiceAccountName string `json:"serviceAccountName"` | |
| // ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace. | |
| // +kubebuilder:validation:Required | |
| // +kubebuilder:default=default | |
| ServiceAccountNamespace string `json:"serviceAccountNamespace"` | |
| // RoleARN is the ARN of an IAM role which the Service Account can assume. | |
| // +kubebuilder:validation:Required | |
| ServiceAccountRoleARN string `json:"serviceAccountRoleARN,omitempty"` | 
Or the other way around (json:"roleARN") – doesn't matter.
Then the documented examples in docs/book/src/topics/eks/pod-identity-associations.md must be converted to the final naming choice.
        
          
                pkg/eks/podidentities/types.go
              
                Outdated
          
        
      | } | ||
|  | ||
| // IsEqual determines if 2 EKSPodIdentityAssociation are equal. | ||
| func (e *EKSPodIdentityAssociation) IsEqual(other *EKSPodIdentityAssociation) bool { | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this function maybe unused? I checked that make test still works without it.
| [APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. 
Needs approval from an approver in each of these files:
 Approvers can indicate their approval by writing  | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the small last changes to finish this up.
/lgtm
| New changes are detected. LGTM label has been removed. | 
| PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. | 
| /retest | 
| PR needs a rebase due to merge conflicts, please | 
| The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules: 
 You can: 
 Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale | 
| /remove-lifecycle stale | 
| Hey @stefanmcshane - pinging in case you want to follow up on this PR? If not, would you mind if I try to rebase it to get it merged? | 
| @stefanmcshane: The following tests failed, say  
 Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. | 
| The PR needs a rebase. Should we keep it open? | 
What type of PR is this?
/kind feature
What this PR does / why we need it:
Support using AWS EKS Pod Identity Associations for mapping pods to IAM roles without needing OIDC or IRSA
https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Relates: #4747
Special notes for your reviewer:
Docs available here, for a brief overview on setup
Checklist:
Release note: