provectus / swiss-army-kube

Swiss Army Kube (SAK) is an open-source IaC (Infrastructure as Code) collection of services for quick, easy, and controllable deployment of EKS Kubernetes clusters on Amazon for your projects.
https://provectus.github.io/
Apache License 2.0

AWS Secret for Kubeflow #66

Open strawberrypie opened 4 years ago

strawberrypie commented 4 years ago

Kubeflow Pipelines allow certain components to be able to access AWS resources using a secret that is defined in K8s. We need to create this secret for Kubeflow deployments. Below is an example that we previously used.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    aws.arn: arn:aws:iam::<ACCOUNT_ID_HERE>:user/<USER_HERE>
  name: aws-secret
  namespace: kubeflow
type: Opaque
data:
  # values under `data:` must be base64-encoded
  AWS_ACCESS_KEY_ID: <KEY_HERE>
  AWS_SECRET_ACCESS_KEY: <ACCESS_KEY_HERE>
```

akastav commented 4 years ago

We use this method https://aws.amazon.com/ru/about-aws/whats-new/2019/09/amazon-eks-adds-support-to-assign-iam-permissions-to-kubernetes-service-accounts/ . Maybe do it like this? https://github.com/provectus/swiss-army-kube/blob/master/modules/system/main.tf#L204 because it is not safe to store such data in configs.

strawberrypie commented 4 years ago

Sure! It is possible to select a service account which would be used to run the pipeline (at least in the latest KFP, 1.0).

(Screenshot attached: 2020-07-24 at 11:04:52)

RustamGimadiev commented 3 years ago

Service Accounts are namespace-specific resources, so when you create your own Kubeflow namespace you create an additional service account, default, without any IRSA annotations, which is used by default for pipeline runs. One way to manage AWS access for those roles is modifying oidc_fully_qualified_subjects to match the newly created namespace. For example, you created a new Kubeflow namespace testing with the default service account and you have an IAM role for use in pipelines:

```hcl
module "iam_assumable_role_admin" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> v2.6.0"

  create_role = true
  role_name   = "${var.cluster_name}_pipeline_runner"

  # OIDC issuer of the EKS cluster, with the scheme stripped as the module expects
  provider_url     = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
  role_policy_arns = [aws_iam_policy.this.arn]

  # service accounts allowed to assume the role, one entry per namespace
  oidc_fully_qualified_subjects = [
    "system:serviceaccount:some-other-namespace:*",
    "system:serviceaccount:testing:*",
  ]
}
```
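The namespace scoping discussed above ends up as a condition on the `<issuer>:sub` claim in the role's trust policy, and that condition can be checked offline. The following Python script is an added example, not code from swiss-army-kube or the terraform-aws-modules module: it builds a trust policy in the assumed IRSA layout (exact subjects under StringEquals, patterns under StringLike, one statement each) and evaluates which Kubernetes service accounts it lets assume the role; the issuer host and account id are placeholders. It also exercises the IAM caveat that `*` is a wildcard only under StringLike, never under StringEquals.

```python
import re

ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"  # placeholder issuer host
ACCOUNT = "123456789012"                                      # placeholder account id


def k8s_subject(namespace, service_account):
    """The `sub` claim EKS places in a projected service-account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def build_trust_policy(account_id, issuer, exact_subjects=(), wildcard_subjects=()):
    """Assemble a trust policy in the assumed IRSA layout: exact subjects under
    StringEquals, patterns under StringLike, as separate Allow statements."""
    key = f"{issuer}:sub"
    statements = []
    for operator, subjects in (("StringEquals", exact_subjects), ("StringLike", wildcard_subjects)):
        if subjects:
            statements.append({
                "Effect": "Allow",
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
                "Condition": {operator: {key: list(subjects)}},
            })
    return {"Version": "2012-10-17", "Statement": statements}


def _like(pattern, value):
    """IAM StringLike semantics: `*` matches any run of characters, `?` exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def subject_allowed(policy, issuer, subject):
    """True if some Allow statement lets `subject` assume the role.
    Operators inside one Condition block are ANDed; values listed for a key are ORed."""
    key = f"{issuer}:sub"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        condition = stmt.get("Condition", {})
        results = []
        for operator, match in (("StringEquals", str.__eq__), ("StringLike", _like)):
            values = condition.get(operator, {}).get(key)
            if values is not None:
                values = [values] if isinstance(values, str) else values
                results.append(any(match(v, subject) for v in values))
        if not results:
            return True  # no `sub` restriction: any pod in the cluster could assume the role
        if all(results):
            return True
    return False
```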