This repository has been archived by the owner on Feb 22, 2022. It is now read-only.
[stable/spinnaker] Support for custom ServiceAccounts for Spinnaker Pods #20885
Labels
lifecycle/stale
Denotes an issue or PR has remained open with no activity and has become stale.
Comments
4 tasks
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
Still waiting on #21060 |
stale
bot
removed
the
lifecycle/stale
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
This issue is being automatically closed due to inactivity. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is your feature request related to a problem? Please describe.
TL;DR - Is it possible to update the ServiceAccount used by Spinnaker pods to be custom / modified / specific to the created Spinnaker pods, rather than the
defaultServiceAccount?We wish to add IAM annotations to the ServiceAccount used by Spinnaker services, but do not want to give any pod using the
defaultServiceAccount the same permissions in AWS as SpinnakerCurrently a custom ServiceAccount can be used for the Halyard pod, but not the created Spinnaker pods (CloudDriver and Front50)
There is a note in the RBAC section that CloudDriver does not allow personal ServiceAccounts, but this was written 2 years ago
(more context below)
Describe the solution you'd like
defaultdefaultaccount)I am happy to do a PR for this myself - creating the issue for visibility.
I am really just not sure if the RBAC note I mentioned above is still true - I was hoping someone from Spinnaker maintainers might have some insight
Describe alternatives you've considered
We currently use kube2IAM, but we would like to migrate away from this
Additional context
AWS have released IAM Roles for ServiceAccounts (IRSA) as a replacement / alternative for solutions like kube2IAM and others (in Sept 2019)
This allows IAM roles to be attached to specific ServiceAccounts, rather than as pod annotations - as the authentication is now on the pod itself, rather than the worker node having the permissions of all the pods in the cluster, this ties in with the principle of least privilege
There is also no race conditions etc as it is a webhook triggered on pod-creation.
Many Helm charts allow the passing of custom ServiceAccount names for the pods, or extra annotations to the created ServiceAccounts, allowing the rollout of IRSA: externalDNS; ALBIngressController
In our clusters we have updated all our Helm services to use IRSA - apart from Spinnaker.
(EDIT 1 & 2: Formatting)
The text was updated successfully, but these errors were encountered: