Added support for IRSA, fixes - #86 #169
Conversation
|
|
|
Hi @tvoran , Thanks |
|
Hi @infa-mhadiman, apologies for the delay, I should be able to try this out this week. |
There was a problem hiding this comment.
Good stuff here! I think it could be really useful, especially now that #213 has been merged.
I left some suggestions, mostly around style. And in general I think the AWS-specific items like this should only be triggered if AuthType=="aws" if possible. Let me know what you think!
|
Agreed, I'll make the suggested changes. thanks for the review. |
|
Hey @tvoran, Thanks |
|
This should be good now, can you please review again ? @tvoran |
|
Hi @infa-mhadiman, I was experimenting with IRSA on EKS, and I don't know if something changed recently there, but it looks like the IRSA env vars and token are being added to the vault-agent init and sidecar containers without any special handling required by vault-k8s. I'm wondering if you're still seeing the need for this PR? If so, can you detail your setup/use case? |
|
hmm, interesting. @tvoran, what is the EKS version ur testing on ? The pod identity webhook will inject the IRSA env vars and token for all the available containers in a POD. so, wondering how this is possible if the agent injector webhook hasn't mutated the object yet. During my testing, I observed the mutating webooks invocation to be in the order they exist (k get mutatingwebhookconfigurations.admissionregistration.k8s.io), the pod identity webhook is being invoked even before, vault injector webhook. So, do you've a vault injector webhook configuration with a different name ? such that it's being invoked before pod identity webhook ? |
|
Coming to our setup. |
|
@infa-mhadiman @tvoran If it helps at my company, we were recently testing with EKS 1.18 & 1.19 and Vault v1.6.1 (hosted on ec2 utilising IAM auth) with the latest version of the Vault sidecar agent to get it up and running with the the web identity IAM service account integration, and we were only seeing the EKS node IAM being used by the Vault sidecar instead of the web identity token. So I think this is definitely still needed. Our setup makes use of the OIDC IAM provider that maps an IAM role through to the pods service account, which is able to be used fine on the actual pod app container to access AWS resources etc. However we weren't able to authenticate on the vault agent with this same auth as it fell back to the node IAM role. |
|
@infa-mhadiman Yeah, I'm just testing with new EKS clusters, so they're on 1.18, and it certainly wouldn't surprise me if this behavior changed between EKS versions. Nothing special with naming the injector webhook, just the defaults for the chart. I do see that the |
|
@tvoran |
|
Thanks for your patience with this one. We'll get it in to the next release! |
* fix failing tests * removed check for length of envmap * perform strict compare for env names
Adding support for IAM roles for service accounts (IRSA) on EKS. This PR takes care of injecting the volume mounts and env variables when a deployment & SA is configured to use pod identity (IRSA).
Looks up an app container for aws-iam-token volume mount and if found, uses the same and mounts it to vault init & sidecar containers.
**Fixes - #86 **