qvest-digital / terraform-kubernetes-alb-ingress-controller

Terraform module to ease deployment of the AWS ALB Ingress Controller
https://registry.terraform.io/modules/iplabs/alb-ingress-controller/kubernetes/
Mozilla Public License 2.0

Dependency on KIAM #3

Closed bensussman closed 4 years ago

bensussman commented 4 years ago

My understanding of this system is that it depends on KIAM being set up correctly, such that the alb-ingress-controller deployment can give the following annotation:

        annotations = {
          # Annotation to be used by KIAM
          "iam.amazonaws.com/role" = aws_iam_role.this.arn
        }

(seen here https://github.com/iplabs/terraform-kubernetes-alb-ingress-controller/blob/master/main.tf#L286).

However, this project does not declare a dependency on KIAM. Is that a bug, or would you expect this to work out of the box for a Terraform-created EKS cluster?

In addition, it seems like EKS has a new mechanism for allowing pods to take on IAM roles: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html. However, my Terraform-created EKS cluster does not have it enabled. Perhaps this project could be updated to use the new EKS OIDC mechanism for role assumption instead of KIAM, ideally with some instructions about how to create an EKS cluster with OIDC enabled such that it works with this package?

headcr4sh commented 4 years ago

You are right. Neither "kiam" nor "kube2iam" is needed anymore if using IAM roles for service accounts in an AWS-managed Kubernetes/EKS environment.

We are already using the new mechanism internally for our ALB Ingress Controller instances, but -- unfortunately -- without the help of this terraform module. I'll see if I can backport the configuration...

headcr4sh commented 4 years ago

I am about to push a new release of this module (v3.0.0). Integration into EKS/IAM should now work out of the box if the variable k8s_cluster_type is set to eks.

bensussman commented 4 years ago

@headcr4sh can you include some documentation on how to set up an EKS cluster with OIDC enabled such that this module works? I am currently attempting to get this working via our own main.tf + explicit kube yaml in our kustomizations. However OIDC is not enabled. We can verify this by running

aws eks describe-cluster --name <cluster_name> --query "cluster.identity.oidc.issuer" --output text

and seeing that it returns None. There is a new input in the Terraform EKS module, enable_irsa (see here https://github.com/terraform-aws-modules/terraform-aws-eks#inputs ); however, enabling it and running a terraform apply on an already existing EKS cluster does not seem to update the cluster as desired. I am currently doing a terraform destroy to start from scratch and see if a brand new EKS cluster from Terraform with enable_irsa = true correctly enables OIDC.

If you have a way to get this working, some documentation would be much appreciated!

dannyrandall commented 4 years ago

@bensussman I created the same resources found here and it seemed to work for me. I did have to use a script to get the thumbprint_list - there is an open issue on the terraform AWS provider for that.

bensussman commented 4 years ago

I tried for a week to get this to work, and ultimately went with an IAM User instead of a Role and passed the User Key/Secret into ALB Ingress Controller via env variables, and it worked. I am hoping to write up a full issue / Stack Overflow post with my minimal Terraform code showing how it doesn't work, and if I can get it working, write a blog post / documentation explaining it. I am specifically using the Terraform AWS EKS module https://github.com/terraform-aws-modules/terraform-aws-eks and the enable_irsa argument. Perhaps you are not using this same module @dannyrandall ?

dannyrandall commented 4 years ago

I'm not using an EKS module, just the official AWS provider and the Kubernetes provider. I wonder if the issue is with the EKS module that you are using?
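As an added example that is not part of the issue or of this module: the IRSA wiring dannyrandall describes, using only the AWS, TLS and Kubernetes providers, with the `tls_certificate` data source standing in for the thumbprint script. It assumes an existing EKS cluster named `example` (placeholder) and that the controller runs as service account `alb-ingress-controller` in `kube-system`; the role name is also a placeholder.

```hcl
data "aws_eks_cluster" "this" {
  name = "example" # placeholder cluster name
}

# Read the issuer's certificate chain so the root CA thumbprint need not be scripted.
data "tls_certificate" "oidc" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Registers the cluster's OIDC issuer with IAM (what enable_irsa does in the EKS module).
resource "aws_iam_openid_connect_provider" "eks" {
  url             = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}

locals { oidc_host = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "") }

# Trust policy scoped to one service account: without the "sub" condition,
# any pod in the cluster holding a projected token could assume the role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:kube-system:alb-ingress-controller"]
    }
  }
}

resource "aws_iam_role" "alb_ingress" {
  name               = "alb-ingress-controller-irsa" # placeholder role name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# IRSA annotation; replaces the KIAM "iam.amazonaws.com/role" annotation quoted in the issue.
resource "kubernetes_service_account" "alb_ingress" {
  metadata {
    name      = "alb-ingress-controller"
    namespace = "kube-system"
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.alb_ingress.arn
    }
  }
}
```

The controller's Deployment must reference this service account; the `aws eks describe-cluster` query from the thread only confirms the issuer exists, not that an OIDC provider has been registered in IAM, which is what `aws_iam_openid_connect_provider` adds.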