Allow specifying baseArn to prepend to role names.

[danp60]

Description of changes:
This PR introduces the ability to specify a baseArn to prepend to role names when we detect that the arn passed to the eks.amazonaws.com/role-arn annotation is not fully qualified.

Our use case is that we have different clusters that run in different AWS accounts. This will allow us to use the same manifest to deploy to these different clusters and allow each pod to assume the correct IAM role local to their account.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[danp60]

Any feedback or comments @aws/eks-contributors?

[danp60]

@jqmichael @josselin-c @micahhausler Any chance someone could take a look at this?

[danopia]

I'd love to see this merged; it's silly to require the role annotation to differ between AWS accounts. Splitting accounts by environment is pretty common practice, as is one cluster per account.

Fixes #56

[danp60]

@nckturner @wongma7 does this look like a worthwhile contribution to you? Please let me know and I will cleanup this PR

[jyotimahapatra]

I have few thoughts on this:
1- This mechanism allows usage only when the user has access to change the parameters. Non cluster admins would not be able to use this functionality. wdyt about making this extensible by adding an new annotations on service accounts?
2- rollout and rollback(if needed) of this might become tricky due to using the same rolearn annotation. wdyt about using entirely different parameters for annotation like eks.amazonaws.com/role and eks.amazonaws.com/role-prefix that clarifies the intent of the fields explicitly
3. Can we add a feature flag for this functionality (set to alpha first and disabled by default) so that only interested users can flip this on.

[johngmyers]

The prefix is always going to be specific to the cluster. It will be arn:aws:iam::, followed by the ID of the account the cluster is in, followed by :role/, followed by the name of the cluster, followed by some fixed separator (I use _).

So one possibility would be to make this not configurable, simply prepending unqualified values with the prefix described above.

[danp60]

Thanks for the comments. I did not forget about this PR, and I'll try and make some time to work on it soon.

[danp60]

1- This mechanism allows usage only when the user has access to change the parameters. Non cluster admins would not be able to use this functionality. wdyt about making this extensible by adding an new annotations on service accounts?

One of the main purposes of this feature is to hide the details of the environment (ie the AWS account ID) from the end user. If the end user had to add an annotation with the base ARN that included the account ID, then they could just write the fully qualified ARN and not use this feature at all, so I'm not sure if it would be that useful.

2- rollout and rollback(if needed) of this might become tricky due to using the same rolearn annotation. wdyt about using entirely different parameters for annotation like eks.amazonaws.com/role and eks.amazonaws.com/role-prefix that clarifies the intent of the fields explicitly

I can do this. If an end user sets both, the most reasonable (and backwards compatible) behavior to me seems to be to take the original annotation eks.amazonaws.com/role verbatim and not make any changes.

3. Can we add a feature flag for this functionality (set to alpha first and disabled by default) so that only interested users can flip this on.

Do you think this is required if we do 2. and make the new annotation only a fallback if the original one doesn't exist?

The prefix is always going to be specific to the cluster. It will be arn:aws:iam::, followed by the ID of the account the cluster is in, followed by :role/, followed by the name of the cluster, followed by some fixed separator (I use _).

So one possibility would be to make this not configurable, simply prepending unqualified values with the prefix described above.
This seems reasonable to me too. I can add a flag for --aws-default-account-id similar to how we have flags for other AWS environment like region.

WDYT?

[seh]

Is anyone still working on this patch?

[chlunde]

@jyotimahapatra would this approach help anyone running on EKS? I would expect some template like {{clusterAccount}} might be supported in EKS, but configuring a CLI option would only work for self-hosted installations

[jyotimahapatra]

would this approach help anyone running on EKS? I would expect some template like {{clusterAccount}} might be supported in EKS, but configuring a CLI option would only work for self-hosted installations

Correct. This is right now relevant for self hosted installations.

[johngmyers]

How this would work on EKS is a problem for EKS. It is not particularly relevant for the amazon-eks-pod-identity-webhook project.

[jyotimahapatra]

How this would work on EKS is a problem for EKS. It is not particularly relevant for the amazon-eks-pod-identity-webhook project.

Correct. Once this is implemented, EKS can make it work by default.

[seh]

Suggested change

	--base-arn string The base arn to use if a non fully qualified role is detected
	--role-base-arn string The base ARN to use as a prefix for completing role ARNs that are not fully qualified

[seh]

Suggested change

	baseArn := flag.String("base-arn", "", "The base arn to use if a non fully qualified role is detected")
	roleBaseARN := flag.String("role-base-arn", "", "The base ARN to use as a prefix for completing role ARNs that are not fully qualified")

[seh]

Suggested change

	handler.WithBaseArn(*baseArn),
	handler.WithRoleBaseARN(*roleBaseARN),

[seh]

Suggested change

	// WithBaseArn sets the baseArn to use if we detect role name is not fully qualified
	func WithBaseArn(baseArn string) ModifierOpt {
	// WithRoleBaseARN sets the base ARN to use as a prefix for completing role ARNs that are not fully qualified
	func WithRoleBaseARN(baseARN string) ModifierOpt {

[seh]

Suggested change

	return func(m *Modifier) { m.BaseArn = baseArn }
	return func(m *Modifier) { m.RoleBaseARN = baseARN }

[seh]

Suggested change

	changed = m.addEnvToContainer(&container, tokenFilePath, fullRoleArn, updateSettings)
	changed = m.addEnvToContainer(&container, tokenFilePath, fullRoleARN, updateSettings)

[seh]

Suggested change

	changed = m.addEnvToContainer(&container, tokenFilePath, fullRoleArn, updateSettings)
	changed = m.addEnvToContainer(&container, tokenFilePath, fullRoleARN, updateSettings)

[seh]

Suggested change

	handlerBaseArnAnnotation = "testing.eks.amazonaws.com/handler/baseArn"
	handlerBaseARNAnnotation = "testing.eks.amazonaws.com/handler/baseARN"

[seh]

Suggested change

	if baseArnAnnotation, ok := pod.Annotations[handlerBaseArnAnnotation]; ok {
	modifiers = append(modifiers, WithBaseArn(baseArnAnnotation))
	if baseARNAnnotation, ok := pod.Annotations[handlerBaseARNAnnotation]; ok {
	modifiers = append(modifiers, WithBaseARN(baseARNAnnotation))

[seh]

Suggested change

	testing.eks.amazonaws.com/handler/baseArn: 'arn:aws:iam::111122223333:role/'
	testing.eks.amazonaws.com/handler/baseARN: 'arn:aws:iam::111122223333:role/'