Closed Trozz closed 3 years ago
Can you describe what should be changed in the yaml templates?
At the moment I'm not sure, I am still trying to debug why Jenkins is attempting to use the instance profile instead of the service account
@Trozz Have you figured this out? I think it is related to fsGroup, reference:
But whenever I set fsGroup to anything but 1000 the container crashes because it runs with USER 1000.
Any idea?
That sounds like a possibility, could you try using this fsGroup: 65534
I'll try this evening when I am able to get online properly
~No, using fsGroup only isn't working, the pod still uses the node's instance profile~
I was using curl http://169.254.169.254/latest/meta-data/iam/info to check the Pod's effective profile which was wrong.
@Trozz Using the correct fsGroup the access token was mounted and accessible successfully, and AWS CLI v2 and plugins using the recent AWS SDK have successfully used the IRSA role. 👍🏻
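An added example, not part of the thread or the chart: a check to run inside the pod that looks at what the SDK's web identity provider needs (the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables set for IRSA, plus a token file the container user can read) instead of querying the instance metadata endpoint. It assumes plain Unix permission bits (no ACLs, parent directories traversable); the function names are hypothetical.

```python
import os
import stat

# Environment variables set in the pod for IRSA (web identity) credentials.
ROLE_ENV = "AWS_ROLE_ARN"
TOKEN_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE"


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix owner/group/other read check; uid 0 is assumed to bypass it."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:  # this is where a matching fsGroup makes the difference
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(env, token_stat, uid, gids):
    """List reasons the IRSA credentials may not be used; token_stat is (mode, uid, gid) or None."""
    problems = []
    if not env.get(ROLE_ENV):
        problems.append(f"{ROLE_ENV} is not set")
    if not env.get(TOKEN_ENV):
        problems.append(f"{TOKEN_ENV} is not set")
    elif token_stat is None:
        problems.append("token file is missing")
    elif not can_read(*token_stat, uid, gids):
        problems.append(f"token file not readable by uid {uid}, groups {sorted(gids)}")
    return problems


def diagnose_current_process():
    """Run the check against the live process environment (follows the token symlink)."""
    path = os.environ.get(TOKEN_ENV, "")
    try:
        st = os.stat(path)
        token_stat = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    except OSError:
        token_stat = None
    gids = set(os.getgroups()) | {os.getgid()}
    return diagnose(os.environ, token_stat, os.getuid(), gids)


if __name__ == "__main__":
    for line in diagnose_current_process() or ["IRSA token is present and readable"]:
        print(line)
```

An empty result only means the prerequisites are in place; `aws sts get-caller-identity` run in the same container shows which identity is actually in effect.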
@sherifabdlnaby Which fsGroup did you use at the end?
Describe the bug: After upgrading from chart version 2.13.1 to 3.1.9 Jenkins no longer utilises IRSA
User: arn:aws:sts::XXXX:assumed-role/cluster-XXXX/i-XXXX is being used instead of the role defined via the Service Account annotation.
Helm Version:
Kubernetes Version:
Which version of the chart: 3.1.9
What happened: Jenkins is not using the Service Account Role for interacting with AWS
What you expected to happen: Jenkins to use the Service Account Role for interacting with AWS
How to reproduce it (as minimally and precisely as possible): Deploy Helm chart to EKS
values.yaml
Anything else we need to know: