aws / amazon-eks-pod-identity-webhook

Amazon EKS Pod Identity Webhook
Apache License 2.0

SELF_HOSTED_SETUP: What if service-account-* options already set? #197

Closed mimmus closed 11 months ago

mimmus commented 1 year ago

Hi, I'm trying to understand if I can install IRSA on a self-hosted Kubernetes cluster. Looking at my kube-apiserver pods, I see that the following flags:

        - '--service-account-issuer=https://kubernetes.default.svc.cluster.local'
        - '--service-account-key-file=/etc/kubernetes/pki/sa.pub'
        - '--service-account-signing-key-file=/etc/kubernetes/pki/sa.key'

are already set. What are the possibilities of installing IRSA?

prateekgogia commented 11 months ago

Please follow this guide and let us know if this doesn't help - https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md

mimmus commented 11 months ago

The guide suggests setting:

        --service-account-key-file
        --service-account-signing-key-file
        --service-account-issuer

but these are already set in my cluster.

prateekgogia commented 10 months ago

Have you followed the other steps like S3 bucket creation, Create the OIDC discovery and keys documents, Provider creation and Deploying the webhook? What's the error you are seeing?

mimmus commented 10 months ago

No, I’m still evaluating all steps. In particular, I’m wondering how I can safely add these options to an existing cluster having these already set, for another OIDC provider (Dex).

Thanks again