Switch to IRSAv2/pod identity

[bryantbiggs]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

• Switch permissions access from IRSA to pod identity (IRSAv2)

Describe the solution you would like

• Switch permissions access from IRSA to pod identity (IRSAv2)

Describe alternatives you have considered

Additional context

• The addons that use pod identity will need to use an AWS SDK version that support pod identity. Therefore, the scope of changes required for this request are:
  1. Change role assumption in addon module to trust pod identity service endpoint
  2. Remove IRSA annotation in the addon module
  3. Update addon module version used in this project to reflect version that captures changes from 1 and 2
  4. Update addon versions for those using pod identity to use a version that supports the MSV of the AWS SDK for pod identity
  5. Remove the annotation references for IRSA in the respective addons (reference)

The last step will be the association which will happen at the cluster level (associate the pod identity with the cluster)

[FernandoMiguel]

where can I read more on v2 changes?

[bryantbiggs]

those are captured in the v2 milestone https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/milestone/1

[cdenneen]

@bryantbiggs I think @FernandoMiguel was asking for v2 changes meaning "IRSAv2/pod identity" I haven't seen any blog post or announcement from AWS on this change and what it entails as replacement for current IRSA.

[bryantbiggs]

That's because it's not released yet

[bryantbiggs]

here is something along the lines of what it will look like - https://github.com/clowdhaus/terraform-aws-irsa-v2

[cdenneen]

Any thoughts on the resource "aws_eks_cluster_role_association" having the namespace/service_account be hash? This way you can assign multiple namespace/service_account to same role?

[LeoSpyke]

Any news on this?