Allow for wildcard of the namespace in the IAM condition for namespaces with a pattern #193
Comments
|
Up for this functionality also |
|
+1 We have a similar scenario where we launch ephemeral envs with unique namespaces. |
|
Just want to add that we also tried |
|
we also have a use case for this +1 |
|
I could also really use this functionality. Not being able to use wildcard patterns in the namespace has completely prevented my organization from moving forward with transition to this feature from the standard IRSA method. With multiple teams deploying to the cluster, often to feature branches that live in their own namespaces, expecting them to first update their EKS Pod Identities with the new namespace first is a massive inconvenience. |
|
Would be nice have this to support ephemeral envs |
|
We need that either. +1! |
|
Needs this feature for ephemeral environments |
What would you like to be added:
Reference to this issue: #58
We'd like to have wildcard implemented for incomplete namespaces, for example:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::xxx:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/xxx" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.ap-southeast-1.amazonaws.com/id/xxx:aud": "sts.amazonaws.com" }, "StringLike": { "oidc.eks.ap-southeast-1.amazonaws.com/id/xxx:sub": [ "system:serviceaccount:some-namespace-*:my-sa" ] } } } ] }In the current state of things, implementing it the way shown above will result in a failure to assume the role, with an error message "An unknown error occurred" reported via Cloudtrails.
Why is this needed:
Our namespace model follows a pattern with which such a feature would allow us to specifically grant permissions on SAs in namespaces following this pattern.
The text was updated successfully, but these errors were encountered: