Open hobti01 opened 2 months ago
We will look into this. Can you elaborate on where Pod Identity is not meeting your needs currently?
We have cases where we want to use a wildcard for the service account, but wildcards are not permitted with the Pod Identity Association https://docs.aws.amazon.com/eks/latest/APIReference/API_CreatePodIdentityAssociation.html
Tell us about your request
We've been informed that OIDC tokens issued by the EKS IDP expire after 1 hour while the pod-identity-webhook is configuring an expiration of 24 hours. We see that AWS clients are then attempting to use expired tokens because the tokens are not correctly rotated, nor refreshed by the client (the client could not write a refreshed token to the readonly file in any case).
Instead of adding annotation
eks.amazonaws.com/token-expiration: "3600"
to all uses of IRSA, we kindly request that the default expiration of pod-identity-webhook is synchronized with the OIDC IDP setting of 1 hour by using the argument --token-expiration 3600
Which service(s) is this request for? EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Adjusting many (10s/100s?) of annotations is measurably harder than changing one default setting. The OIDC token expiration is managed by AWS, not users, and we feel that the pod-identity-webhook (also managed by AWS) that directly and only uses the AWS-managed OIDC IDP should have corresponding configuration to ensure that tokens are rotated on the required schedule.
Are you currently working around this issue? We will update all IRSA annotations to additionally set
eks.amazonaws.com/token-expiration: "3600"
because EKS Pod Identity does not meet our current use cases.
Additional context https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master
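An added check for the mismatch described in this issue (example code written here, not from the issue author or the pod-identity-webhook project): it decodes the claims of the projected service-account token without verifying the signature and reports whether the exp claim promises a longer lifetime than the 1-hour OIDC limit. The token path is the standard IRSA projection path; the sample token is constructed for offline use.

```python
import base64
import json
import time

# Standard path where the webhook projects the IRSA token into a pod (assumed here).
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

IDP_MAX_LIFETIME = 3600        # OIDC provider lifetime reported in the issue (1 hour)
WEBHOOK_DEFAULT_LIFETIME = 86400  # webhook default projection reported in the issue (24 hours)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Inspect claims only; the signature is deliberately not checked for this local audit.
    _header, payload, _sig = token.strip().split(".")
    return json.loads(_b64url_decode(payload))


def projected_lifetime(token: str) -> int:
    """Seconds between iat and exp as written into the projected token."""
    claims = jwt_claims(token)
    return int(claims["exp"]) - int(claims["iat"])


def lifetime_mismatch(token: str, idp_max: int = IDP_MAX_LIFETIME) -> bool:
    """True when the token claims a longer lifetime than the IDP actually honours."""
    return projected_lifetime(token) > idp_max


def seconds_until_stale(token: str, now=None, idp_max: int = IDP_MAX_LIFETIME) -> int:
    """Seconds until the IDP-side limit is reached, regardless of the exp claim."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["iat"]) + idp_max - int(now)


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample only: an unsigned (alg "none") token for offline testing.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample mimicking a 24-hour projection; issuer and timestamps are made up.
SAMPLE_TOKEN = make_unsigned_jwt({"iss": "https://oidc.eks.example/id/EXAMPLE",
                                  "sub": "system:serviceaccount:default:app",
                                  "iat": 1700000000, "exp": 1700000000 + WEBHOOK_DEFAULT_LIFETIME})

if __name__ == "__main__":
    try:
        with open(TOKEN_PATH) as f:   # real projected token when run inside a pod
            token = f.read()
    except OSError:
        token = SAMPLE_TOKEN          # fall back to the constructed sample elsewhere
    print("projected lifetime:", projected_lifetime(token), "s")
    print("exceeds IDP limit:", lifetime_mismatch(token))
    print("seconds until stale:", seconds_until_stale(token))
```

Run it inside an IRSA-enabled pod to see whether the projected token still carries a 24-hour exp; after the annotation or the --token-expiration 3600 flag takes effect, lifetime_mismatch should return False.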