Closed KrisF-Midnight closed 4 months ago
Hey, this should already work. IRSA is normally created for a given namespace in a given EKS cluster. This means that once you create your IRSA and you use the same namespace in a kestra task runner, it should work out of the box.
Please give it a try and LMK if you see any errors this way.
Hi @anna-geller , thanks for the quick feedback. I stand to be corrected but that would only work if we attached our IAM role to the default serviceaccount in whatever namespace we're in.
The general practice is to add an EKS annotation to the serviceaccount a pod intends to use, which then injects the necessary auth mechanisms directly into the pod. There's no way (that I'm aware of at least) to ensure any pod in a namespace inherits this service account, unless you use the default serviceaccount (as every pod receives that if not explicitly set).
This isn't ideal though, since we don't necessarily want every pod in a namespace to have an IAM role, so ideally we'd like the ability to set it directly via that pod spec attribute.
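The IRSA wiring described above, as an added example that is not part of the original issue and not Kestra's own code: a dedicated ServiceAccount carries the `eks.amazonaws.com/role-arn` annotation, and only pods that name that ServiceAccount get the web-identity token and role injected by the EKS pod identity webhook. The namespace `kestra`, the ServiceAccount name `kestra-runner`, the account id, role name and OIDC provider id are placeholders chosen for the example.

```yaml
# Added example (not from the issue): a dedicated ServiceAccount for IRSA.
# Only pods that set spec.serviceAccountName to this account get the role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kestra-runner            # placeholder name
  namespace: kestra              # placeholder namespace
  annotations:
    # The EKS annotation that binds this ServiceAccount to an IAM role.
    # Account id and role name below are placeholders.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/kestra-runner-role
    # Optional: restrict the STS session to the regional endpoint.
    eks.amazonaws.com/sts-regional-endpoints: "true"
---
# The pod must name the annotated ServiceAccount explicitly. A pod that
# omits serviceAccountName runs as the namespace's "default" ServiceAccount,
# which carries no role-arn annotation, so it receives no AWS credentials.
apiVersion: v1
kind: Pod
metadata:
  name: kestra-task              # placeholder name
  namespace: kestra              # same namespace as the ServiceAccount
spec:
  serviceAccountName: kestra-runner   # the attribute this issue asks the task runner to expose
  containers:
    - name: task
      image: amazon/aws-cli:latest     # placeholder image
      command: ["aws", "sts", "get-caller-identity"]
      # No static credentials are mounted. On admission the EKS webhook injects
      # AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE plus a projected token
      # volume; the AWS SDK/CLI exchange the token for role credentials via
      # sts:AssumeRoleWithWebIdentity.

# The IAM role's trust policy is what scopes the role to exactly this
# namespace and ServiceAccount. Its condition (placeholder OIDC provider id)
# must match "system:serviceaccount:<namespace>:<serviceaccount>":
#
#   "Condition": {
#     "StringEquals": {
#       "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub":
#         "system:serviceaccount:kestra:kestra-runner",
#       "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud":
#         "sts.amazonaws.com"
#     }
#   }
#
# Because the "sub" claim names the ServiceAccount, annotating "default"
# instead would hand the role to every pod in the namespace; a dedicated
# account plus an explicit serviceAccountName keeps the grant least-privilege.
```

Apply the manifests with `kubectl apply -f` and run the pod; `aws sts get-caller-identity` should report the assumed role. A pod in the same namespace that leaves `serviceAccountName` unset runs as `default` and the same command fails with a credentials error, which is exactly why the task runner needs the field rather than relying on the namespace's default account.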
@loicmathieu can we add serviceAccountName property to the K8s task runner's pod spec? This would allow us to attach IAM Roles for Service Accounts (IRSA) to a pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  namespace: <namespace>
spec:
  serviceAccountName: <service_account_name> # ❌ not possible atm
  containers:
    - name: <container_name>
      image: <image>
      # other container specs
```
Yes, I'll add it.
Feature description
We'd like to use IRSA, so what we're looking for is the ability to set the service account on the k8s task runner pod spec.