aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

FieldExport #1928

Open FernandoMiguel opened 8 months ago

FernandoMiguel commented 8 months ago

Describe the bug

Trying to use FieldExport to output an IAM Role ARN into a ConfigMap shows no updates to the CM.

Steps to reproduce

---
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: role
spec:
  name: role
  # The wildcard "AWS": "*" principal in the first statement is constrained by the
  # aws:PrincipalArn condition to this role itself (explicit self-assumption);
  # the second statement trusts only the named service account via IRSA.
  assumeRolePolicyDocument: |
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ExplicitSelfRoleAssumption",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "ArnLike": {
                        "aws:PrincipalArn": "arn:aws:iam::123456789:role/role"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::123456789:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/1234567890"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.eks.us-east-1.amazonaws.com/id/123456789:sub": "system:serviceaccount:default:sa",
                        "oidc.eks.us-east-1.amazonaws.com/id/123456789:aud": "sts.amazonaws.com"
                    }
                }
            }
        ]
    }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ack-iam
data: {}
---
apiVersion: services.k8s.aws/v1alpha1
kind: FieldExport
metadata:
  name: export-role-arn
spec:
  to:
    name: ack-iam
    kind: configmap
  from:
    path: ".status.ackResourceMetadata.arn"
    resource:
      group: iam.services.k8s.aws
      kind: Role
      name: role

ACK IAM deployment:

Chart.yaml

apiVersion: v1
name: iam-chart
description: A Helm chart for the ACK service controller for AWS Identity & Access Management (IAM)
version: 1.2.6
appVersion: 1.2.6
home: https://github.com/aws-controllers-k8s/iam-controller
icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
sources:
  - https://github.com/aws-controllers-k8s/iam-controller
maintainers:
  - name: ACK Admins
    url: https://github.com/orgs/aws-controllers-k8s/teams/ack-admin
  - name: IAM Admins
    url: https://github.com/orgs/aws-controllers-k8s/teams/iam-maintainer
keywords:
  - aws
  - kubernetes
  - iam

values.yaml

x-anchors:
  clustername: &clustername beta-12
  awsRegion: &awsRegion us-east-1
  irsaSre: &irsaSre arn:aws:iam::123456789:role/ack-iam-controller-sts-2023100317470100990000000d

argo:
  clustername:
    - *clustername

sre-ack-iam-controller:
  aws:
    region: *awsRegion

  deployment:
    nodeSelector:
      kubernetes.io/arch: amd64
    tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
        effect: "NoSchedule"
    priorityClassName: system-cluster-critical
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "metricsport"
    ## disabled due to https://github.com/aws-controllers-k8s/community/issues/1926
    # labels:
    #   prometheus.io/scrape: "true"
    #   prometheus.io/port: "metricsport"

  metrics:
    service:
      # Set to true to automatically create a Kubernetes Service resource for the
      # Prometheus metrics server endpoint in controller
      create: true

  resources:
    requests:
      memory: "64Mi"
      cpu: "50m"
    limits:
      memory: "128Mi"
      cpu: "100m"

  # log level for the controller
  log:
    enable_development_logging: false
    level: info

  # # Set to "namespace" to install the controller in a namespaced scope, will only
  # # watch for object creation in the namespace. By default installScope is
  # # cluster wide.
  # installScope: cluster

  # # Set the value of the "namespace" to be watched by the controller
  # # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart.
  # watchNamespace: ""

  # controller reconciliation configurations
  reconcile:
    # The default duration, in seconds, to wait before resyncing desired state of custom resources.
    defaultResyncPeriod: 0
    # An object representing the reconcile resync configuration for each specific resource.
    resourceResyncPeriods: {}

  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # The name of the service account to use.
    name: ack-iam-controller
    annotations:
      eks.amazonaws.com/role-arn: *irsaSre

Expected outcome

The ConfigMap ack-iam should be updated by FieldExport with the data of ".status.ackResourceMetadata.arn". Instead, the ConfigMap never gets any updates.

Environment

docs:
https://github.com/aws-controllers-k8s/iam-controller/blob/main/helm/crds/services.k8s.aws_fieldexports.yaml
https://aws-controllers-k8s.github.io/community/docs/user-docs/field-export/
https://aws-controllers-k8s.github.io/community/reference/common/v1alpha1/fieldexport/
https://www.eksworkshop.com/docs/automation/controlplanes/ack/configure-application/
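The following script is an added example, not code from the ACK project or from the issue reporter. It runs, offline, the pre-flight checks a practitioner would otherwise do by hand with `kubectl get ... -o json` before concluding that FieldExport is broken, applying the prerequisites stated in the FieldExport docs linked above: the source resource must carry an `ACK.ResourceSynced=True` condition, the target ConfigMap/Secret must already exist in the FieldExport's namespace, and the value is written under the key `<fieldexport namespace>.<fieldexport name>` unless `spec.to.key` is set. The three objects in the script are constructed samples shaped like the manifests in this issue; the Role's `status` block is an assumption (what a synced Role reports, with the account ID redacted the same way the issue does), and `diagnose`, `resolve_path` and `expected_key` are names chosen here, not ACK APIs.

```python
"""Offline pre-flight check for an ACK FieldExport (added example; not ACK code)."""
from typing import Any, Optional


def expected_key(fieldexport: dict) -> str:
    """Key under which FieldExport writes the value into the target object."""
    to = fieldexport["spec"]["to"]
    if to.get("key"):
        return to["key"]
    meta = fieldexport["metadata"]
    return f"{meta.get('namespace', 'default')}.{meta['name']}"


def resolve_path(obj: Any, path: str) -> Any:
    """Walk a dotted path such as ".status.ackResourceMetadata.arn".

    Returns None instead of raising when a segment is missing, so the caller
    can report "path resolves to nothing" as a finding.
    """
    cur = obj
    for seg in path.strip(".").split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def is_synced(resource: dict) -> bool:
    """True only if the ACK.ResourceSynced condition is present and True."""
    for cond in resource.get("status", {}).get("conditions", []):
        if cond.get("type") == "ACK.ResourceSynced":
            return cond.get("status") == "True"
    return False


def diagnose(fieldexport: dict, source: dict, target: Optional[dict]) -> list:
    """Return human-readable findings; an empty list means the export should
    have happened and the exported value is present in the target."""
    findings = []
    frm = fieldexport["spec"]["from"]
    ref = frm["resource"]
    if (not source["apiVersion"].startswith(ref["group"] + "/")
            or source["kind"] != ref["kind"]
            or source["metadata"]["name"] != ref["name"]):
        findings.append("source object does not match spec.from.resource")
    if not is_synced(source):
        findings.append("source has no ACK.ResourceSynced=True condition; "
                        "nothing is exported until the resource is synced")
    value = resolve_path(source, frm["path"])
    if value in (None, ""):
        findings.append(f"{frm['path']} resolves to nothing on the source")

    to = fieldexport["spec"]["to"]
    fe_ns = fieldexport["metadata"].get("namespace", "default")
    to_ns = to.get("namespace", fe_ns)  # target defaults to the FieldExport's namespace
    if target is None:
        findings.append(f"target {to['kind']} {to_ns}/{to['name']} does not "
                        "exist; FieldExport writes into it but does not create it")
        return findings
    if (target["metadata"].get("namespace", "default") != to_ns
            or target["metadata"]["name"] != to["name"]):
        findings.append("target object is not the one spec.to names")
    key = expected_key(fieldexport)
    data = target.get("data") or {}
    if key not in data:
        findings.append(f"target has no key {key!r}; the value is written "
                        "under that derived key, not as a free-form entry")
    elif value is not None and data[key] != value:
        findings.append(f"target key {key!r} holds a stale value")
    return findings


# Constructed samples mirroring the issue's manifests (default namespace).
FIELD_EXPORT = {
    "apiVersion": "services.k8s.aws/v1alpha1", "kind": "FieldExport",
    "metadata": {"name": "export-role-arn", "namespace": "default"},
    "spec": {"to": {"name": "ack-iam", "kind": "configmap"},
             "from": {"path": ".status.ackResourceMetadata.arn",
                      "resource": {"group": "iam.services.k8s.aws",
                                   "kind": "Role", "name": "role"}}},
}
ROLE = {  # status block is an assumption: what a synced Role reports
    "apiVersion": "iam.services.k8s.aws/v1alpha1", "kind": "Role",
    "metadata": {"name": "role", "namespace": "default"},
    "status": {"ackResourceMetadata": {"arn": "arn:aws:iam::123456789:role/role"},
               "conditions": [{"type": "ACK.ResourceSynced", "status": "True"}]},
}
CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap",
             "metadata": {"name": "ack-iam", "namespace": "default"}, "data": {}}


def run_issue_scenario() -> list:
    """Findings for the exact objects posted in the issue."""
    return diagnose(FIELD_EXPORT, ROLE, CONFIGMAP)


if __name__ == "__main__":
    for finding in run_issue_scenario():
        print("-", finding)
```

To run it against a live cluster, replace the three constructed dicts with `json.load` of `kubectl get fieldexport export-role-arn -o json`, `kubectl get role.iam.services.k8s.aws role -o json` and `kubectl get configmap ack-iam -o json`. On the issue's own manifests the only finding is the missing `default.export-role-arn` key, which is the entry to look for in the ConfigMap rather than any update to the object as a whole.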

gecube commented 8 months ago

@FernandoMiguel Good day! Probably a stupid question, but did the Role get into the Ready condition? I have faced several times that Roles do not go Ready, so all refs to them and FieldExport were not working. So I was forced to leave it as is and paste the role ARN manually... omg.

FernandoMiguel commented 8 months ago

@gecube hi. Thanks for confirming. And yes, the status has all the data, the role is created, and the pod is able to assume it.

ack-bot commented 1 month ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

gecube commented 1 month ago

/remove-lifecycle stale