Open vikaskoppineedi opened 3 years ago
It seems there are no easy and elegant solutions. You will probably need to create a separate statement in the trust policy for each cluster:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1:sub": "system:serviceaccount:*:*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2:sub": "system:serviceaccount:*:*"
        }
      }
    }
  ]
}
```
Or use multiple providers in `Federated` but without a `Condition` block (conditions do not allow a wildcard in the condition key):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1",
          "arn:aws:iam::111122223333:oidc-provider/oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2"
        ]
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```
@vikaskoppineedi, I would also rename this issue to something like "1 role for multiple namespaces and multiple clusters" so the context is easier to understand.
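The two trust-policy shapes in the comment above, worked through as an added example that is not part of the thread: a Python script that generates the one-statement-per-cluster form from an inventory of clusters and namespaces, adds the `:aud` pin the posted policies leave out, measures the document against the trust-policy length quota the issue author runs into, and simulates the trust check STS performs so you can see which tokens each shape admits. The account id and issuer strings are the thread's placeholders (real EKS issuers look like `oidc.eks.<region>.amazonaws.com/id/<CLUSTER_ID>`); the cluster inventory, namespace names and sample `sub` values are constructed for the example.

```python
"""Generate and sanity-check an IRSA trust policy spanning several EKS clusters.

Added example, not code from the issue thread. The account id and the
issuer strings are placeholders copied from the thread; a real EKS issuer
looks like oidc.eks.<region>.amazonaws.com/id/<CLUSTER_ID>.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"          # placeholder account id from the thread
STS_AUDIENCE = "sts.amazonaws.com"   # audience EKS puts in projected IRSA tokens

# IAM quota for a role trust policy: 2048 characters by default, raisable
# to 4096 through Service Quotas. IAM does not count whitespace, so the
# compact serialisation below is the number that matters.
TRUST_POLICY_DEFAULT_LIMIT = 2048
TRUST_POLICY_MAX_LIMIT = 4096


def trust_statement(issuer, namespaces, account_id=ACCOUNT_ID):
    """One Allow statement for one cluster's OIDC provider.

    Each namespace gets its own sub pattern, so a namespace must be listed
    explicitly; passing "*" reproduces the thread's system:serviceaccount:*:*
    wildcard, which also admits kube-system and every other namespace.
    """
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            # Pin the audience so a token minted for another consumer
            # cannot be replayed against this role.
            "StringEquals": {f"{issuer}:aud": STS_AUDIENCE},
            "StringLike": {f"{issuer}:sub": [f"system:serviceaccount:{ns}:*" for ns in namespaces]},
        },
    }


def build_trust_policy(clusters, account_id=ACCOUNT_ID):
    """clusters: {issuer: [namespace, ...]} -> complete trust policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [trust_statement(iss, nss, account_id) for iss, nss in clusters.items()],
    }


def policy_length(policy):
    """Character count of the policy without whitespace, as IAM measures it."""
    return len(json.dumps(policy, separators=(",", ":")))


def token_allowed(policy, issuer, sub, aud=STS_AUDIENCE, account_id=ACCOUNT_ID):
    """Simulate the trust-policy decision STS makes for one IRSA token.

    Implements only what the statements in this thread use: a Federated
    principal match (string or list), StringEquals and StringLike with the
    IAM '*' / '?' wildcards. A missing claim fails its condition, as in IAM.
    """
    principal = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    claims = {f"{issuer}:aud": aud, f"{issuer}:sub": sub}

    def as_list(v):
        return v if isinstance(v, list) else [v]

    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in as_list(st["Action"]):
            continue
        if principal not in as_list(st["Principal"]["Federated"]):
            continue
        cond = st.get("Condition", {})
        if not all(claims.get(k) in as_list(v) for k, v in cond.get("StringEquals", {}).items()):
            continue
        if not all(any(fnmatch.fnmatchcase(claims.get(k, ""), p) for p in as_list(v))
                   for k, v in cond.get("StringLike", {}).items()):
            continue
        return True  # statement matched; this policy shape has no Deny statements
    return False


# Constructed inventory: two clusters, the "orders" namespace only on the first.
CLUSTERS = {
    "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_1": ["payments", "orders"],
    "oidc.us-west-2.eks.amazonaws.com/CLUSTER_ID_2": ["payments"],
}

if __name__ == "__main__":
    policy = build_trust_policy(CLUSTERS)
    print(json.dumps(policy, indent=2))
    print(f"compact length {policy_length(policy)} / {TRUST_POLICY_DEFAULT_LIMIT} default quota")
```

Two things the simulation makes visible: the `system:serviceaccount:*:*` pattern from the comment (reproduced by passing `"*"` as a namespace) admits every service account in that cluster, kube-system included, and the `Federated`-list form without a `Condition` goes further and accepts any token from either issuer regardless of `sub` or `aud`. If the per-namespace form grows past the default 2048-character quota, the first step is a quota increase to 4096; beyond that you are back to one role per cluster group, which is the limit the issue describes.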
What would you like to be added:
I would like to see whether a single IAM role can be mapped across multiple clusters.
Why is this needed: Today we have multiple clusters logically grouped into a single environment. In each cluster, we have multiple applications running across namespaces. Technically, we want all these pods to share the same IAM role. But today IAM Roles for Service Accounts requires us to specify the service account name and the namespace name beforehand, and in our DevOps flow namespaces are created and maintained by developers, under strict RBAC. So whenever a new namespace and a new service account shows up, we need to add it to the IAM role trust relationship, which runs us into the policy document size limits.
So I am not sure if anyone else has faced this issue, but with so many applications you don't want to have to maintain multiple IAM roles per cluster per namespace, and having to track and map these changes to the specific application repos is very hard.