Recently EKS introduced a new add-on, EKS Pod Identity. Until now, a pod that needed to talk to other AWS services did so through IAM Roles for Service Accounts (IRSA): an IAM role is mapped to a Kubernetes service account, the service account is attached to the pod, and the credential exchange happens between EKS and IAM. With the Pod Identity add-on we can grant granular permissions to pods.
You can install the add-on and verify that it is added to the cluster:
aws eks --region ap-south-1 list-addons --cluster-name demo
{
    "addons": [
        "coredns",
        "eks-pod-identity-agent",
        "kube-proxy",
        "vpc-cni"
    ]
}
You can verify that the add-on is running as a DaemonSet in the cluster:
kubectl get daemonset -A
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
kube-system aws-node 2 2 2 2 2 <none> 51m
kube-system eks-pod-identity-agent 2 2 2 2 2 <none> 48m
kube-system kube-proxy 2 2 2 2 2 <none> 51m
Let us break it down and see exactly how it works: we will access an S3 bucket from a pod using Pod Identity.
Step 1. Create a test S3 bucket named test-884.
Step 2. Create an IAM role pod-identity-s3-demo and choose EKS as the trusted entity with the EKS Pod Identity use case.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8fwfyfwcs6tn5hqdnzqc.png)
Step 3. Click Next and you will see a trust policy added to the role.
Step 4. Click Next and create the role.
Step 5. After creating the role, add an inline policy with the bucket name specified as below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::test-884/*",
            "Sid": "PodIdentity"
        }
    ]
}
Step 6. Now associate the IAM role with the EKS pod using a Pod Identity association: navigate to the EKS cluster, open the Access tab and click on
Step 7. You can specify an existing namespace and service account as below.
Step 8. Finally, create a pod with that service account; the pod gets temporary access to the S3 bucket.
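The console steps above, scripted with the AWS CLI and kubectl, as an added example that is not part of the original post. It reuses the cluster, region, role and bucket names from the post; the namespace default, the service account s3-reader and the inline policy name s3-read are assumptions, and the trust policy shown is the one the EKS Pod Identity use case generates.

```shell
# Names from the post: cluster demo, region ap-south-1, role pod-identity-s3-demo,
# bucket test-884. NAMESPACE, SA and the policy name s3-read are assumptions.
CLUSTER=demo; REGION=ap-south-1; ROLE=pod-identity-s3-demo; BUCKET=test-884
NAMESPACE=default; SA=s3-reader

# Trust policy the console adds for the "EKS Pod Identity" use case: only the
# Pod Identity service principal may assume the role, and sts:TagSession is
# needed because the agent tags each session with cluster/namespace/SA data.
pod_identity_trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17", "Statement": [ {
    "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", "Effect": "Allow",
    "Principal": { "Service": "pods.eks.amazonaws.com" },
    "Action": [ "sts:AssumeRole", "sts:TagSession" ] } ] }
EOF
}

# Least-privilege inline policy: read-only, scoped to the objects of bucket $1.
s3_read_policy() {
  cat <<EOF
{ "Version": "2012-10-17", "Statement": [ {
    "Sid": "PodIdentity", "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::$1/*" } ] }
EOF
}

apply() {
  aws iam create-role --role-name "$ROLE" \
    --assume-role-policy-document "$(pod_identity_trust_policy)"
  aws iam put-role-policy --role-name "$ROLE" --policy-name s3-read \
    --policy-document "$(s3_read_policy "$BUCKET")"
  ROLE_ARN=$(aws iam get-role --role-name "$ROLE" --query Role.Arn --output text)
  kubectl -n "$NAMESPACE" create serviceaccount "$SA"
  # The association binds namespace + service account to the role; unlike IRSA,
  # no annotation on the service account is needed.
  aws eks create-pod-identity-association --region "$REGION" \
    --cluster-name "$CLUSTER" --namespace "$NAMESPACE" \
    --service-account "$SA" --role-arn "$ROLE_ARN"
  # Verify from a pod that uses the SA: EKS injects AWS_CONTAINER_CREDENTIALS_FULL_URI
  # pointing at the node agent on 169.254.170.23, and the CLI picks it up.
  kubectl -n "$NAMESPACE" run s3-test --rm -i --restart=Never --image=amazon/aws-cli \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$SA\"}}" -- sts get-caller-identity
}

# Only touches AWS when invoked as: sh pod-identity.sh apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

The get-caller-identity call should return an assumed-role ARN under pod-identity-s3-demo; a pod in the same namespace that uses a different service account gets no credentials from the agent.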