awslabs / mountpoint-s3-csi-driver

Built on Mountpoint for Amazon S3, the Mountpoint CSI driver presents an Amazon S3 bucket as a storage volume accessible by containers in your Kubernetes cluster.
Apache License 2.0
183 stars, 23 forks

Fine-grained access control using pod-level IAM permissions #111

Open iamahgoub opened 8 months ago

iamahgoub commented 8 months ago

/feature

Allow for accessing S3 using pod-level IAM permissions granted through IRSA or recently launched EKS pod identities. Right now, the interaction with S3 is happening through the controller, and the S3 permissions are granted to it rather than the application pod accessing data.

Is your feature request related to a problem? Please describe.

When using the Mountpoint for S3 CSI driver, the IAM permissions are granted to the IAM role associated with the driver rather than to the pod accessing S3; this means that we cannot do fine-grained access control where each pod is only allowed access to the buckets/objects it needs.

Describe the solution you'd like in detail

Allow for using the pod-level IAM permissions when accessing S3 through the Mountpoint S3 CSI driver.

Describe alternatives you've considered

  1. Using S3 API directly rather than the mountpoint for S3 CSI driver
  2. Using the mountpoint for S3 CSI driver within the pod rather than having it as a separate layer running as a daemon set

Related issues:
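To make the request concrete, here is an added example (not taken from the issue or from the project's own manifests) showing the two places an IRSA annotation can live with the current driver: on the driver's ServiceAccount in `kube-system`, which is the identity actually used for every mount, and on the application pod's ServiceAccount, which the issue asks the driver to honour. The account ID, role names, bucket name, region and namespace are assumptions; `s3.csi.aws.com`, `bucketName` and the `s3-csi-driver-sa` ServiceAccount name follow the driver's documented static-provisioning setup.

```yaml
# Added example, not part of the original issue or the project's manifests.
# Assumed values: account 111122223333, both role names, bucket team-a-reports,
# region us-east-1, namespace team-a.

# 1) Where S3 permissions land today: the driver's ServiceAccount carries the
#    IRSA annotation, so every volume the driver serves is accessed with this
#    single role, regardless of which pod mounts it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-csi-driver-sa            # ServiceAccount used by the driver's Helm chart
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/mountpoint-s3-csi-driver  # assumed role
---
# 2) A statically provisioned PV backed by one bucket.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: team-a-reports-pv
spec:
  capacity:
    storage: 1Gi                    # required by Kubernetes, not enforced by the driver
  accessModes:
    - ReadWriteMany
  mountOptions:
    - region us-east-1              # assumed region, passed through to Mountpoint
  csi:
    driver: s3.csi.aws.com
    volumeHandle: team-a-reports-pv
    volumeAttributes:
      bucketName: team-a-reports    # assumed bucket
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: team-a-reports-pvc
  namespace: team-a
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""              # static binding to the PV above
  volumeName: team-a-reports-pv
  resources:
    requests:
      storage: 1Gi
---
# 3) The application pod's own identity. With the current driver this
#    annotation is NOT used for the mount; it only affects SDK calls the
#    pod makes itself (alternative 1 in the issue). Pod-level identity
#    support would mean the mount is performed with this role instead.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a-app
  namespace: team-a
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/team-a-app  # assumed role
---
apiVersion: v1
kind: Pod
metadata:
  name: report-reader
  namespace: team-a
spec:
  serviceAccountName: team-a-app
  containers:
    - name: app
      image: public.ecr.aws/amazonlinux/amazonlinux:2023
      command: ["sh", "-c", "ls -l /data && sleep 3600"]
      volumeMounts:
        - name: reports
          mountPath: /data
  volumes:
    - name: reports
      persistentVolumeClaim:
        claimName: team-a-reports-pvc
```

Until pod-level identity lands, the only lever is the policy attached to the driver's role: it has to cover every bucket mounted anywhere in the cluster, so any pod that can get a PV bound to it (or can create PVs) reaches everything that role can. Scoping that policy to the exact bucket ARNs and prefixes in use, and restricting who can create PVs with `driver: s3.csi.aws.com`, limits the blast radius but does not give the per-pod separation the issue asks for.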

dlakhaws commented 8 months ago

Thank you for the feature request. Since we currently run the driver using systemd rather than as its own native container, the process for adding pod-level permissions isn't as straightforward. There is a plan to potentially move to native sidecars in the future (more details in this issue), but for now we will have to investigate how and if this is possible given the current design of the driver.

muddyfish commented 1 month ago

As compared to volume-level identity in https://github.com/awslabs/mountpoint-s3-csi-driver/issues/136, what are the use cases for pod level?

Is it accurate to say that a pod level solution is closer to what is normal for the k8s ecosystem, and that more control by pod operators is useful?

Are there any other things that are gained by this approach over https://github.com/awslabs/mountpoint-s3-csi-driver/issues/136?

phmcder commented 3 weeks ago

Is there any more update on this discussion? I'm interested in Pod Identity support

unexge commented 3 weeks ago

Hey @phmcder, we're working on pod-level identity support, but we don't have any timelines yet.