gravitational/eks-pod-identity-agent
An agent required by the EKS Pod Identity feature.

Amazon EKS Pod Identity agent

EKS Pod Identity is a feature of Amazon EKS that simplifies how cluster administrators grant Kubernetes applications AWS IAM permissions. A prerequisite for using the Pod Identity feature is running the Pod Identity agent on the worker nodes. AWS recommends installing the Pod Identity Agent as an EKS Add-on. Alternatively, you can self-manage the add-on using the open source code in this repo, bake the agent into the worker node AMI, or use Helm to install the agent.

You can use AWS SDKs to receive temporary IAM permissions required to access various AWS services from your applications running on the EKS cluster. All AWS SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the default credential provider chain. For more information about the Credential provider chain, refer to the AWS SDKs and Tools Reference Guide.

EKS Pod Identity has been added to the Container credential provider, which is searched as a step in the default credential provider chain. If your workloads currently use credentials that are earlier in the chain, then those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way, you can safely migrate from other types of credentials by creating the association first, before removing the old credentials.

The container credentials provider obtains temporary credentials from an agent that runs on each worker node. In Amazon EKS, the agent is the EKS Pod Identity Agent; on Amazon Elastic Container Service (ECS), the agent is the amazon-ecs-agent. AWS SDKs use environment variables to locate the agent they connect to.
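The following Go program is an added illustration of the two behaviours described above and is not code from this repository: a simplified model of the default credential provider chain (the first source with usable configuration wins, so static keys earlier in the chain shadow a Pod Identity association), and the way the container credential provider locates the node-local agent through environment variables and authenticates to it. The environment variable names (AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are the standard SDK variables and are not taken from this README; the chain ordering is a simplification of what a real SDK does, the JSON response shape is assumed to match the ECS container credential format, and the agent is replaced by a mock HTTP server handing out constructed placeholder values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// Env is a snapshot of a process environment, keyed by variable name.
type Env map[string]string

// Credentials mirrors the JSON document the container credential endpoint
// returns (assumed to follow the ECS container credential format).
type Credentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// SelectSource is a simplified model of the default credential provider chain.
// Earlier sources win: static keys or a web identity token shadow a Pod
// Identity association until they are removed from the pod's environment.
func SelectSource(env Env) string {
	switch {
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		return "environment"
	case env["AWS_WEB_IDENTITY_TOKEN_FILE"] != "" && env["AWS_ROLE_ARN"] != "":
		return "web-identity"
	case env["AWS_CONTAINER_CREDENTIALS_FULL_URI"] != "" ||
		env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] != "":
		return "container"
	default:
		return "imds"
	}
}

// FetchContainerCredentials mimics the container credential provider: it locates
// the agent via AWS_CONTAINER_CREDENTIALS_FULL_URI, reads the bearer token named by
// AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and presents it in the Authorization header.
func FetchContainerCredentials(client *http.Client, env Env) (Credentials, error) {
	uri := env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
	if uri == "" {
		return Credentials{}, errors.New("AWS_CONTAINER_CREDENTIALS_FULL_URI is not set")
	}
	req, err := http.NewRequest(http.MethodGet, uri, nil)
	if err != nil {
		return Credentials{}, err
	}
	if tokenFile := env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]; tokenFile != "" {
		token, err := os.ReadFile(tokenFile)
		if err != nil {
			return Credentials{}, fmt.Errorf("read token file: %w", err)
		}
		req.Header.Set("Authorization", strings.TrimSpace(string(token)))
	}
	resp, err := client.Do(req)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("agent returned HTTP %d", resp.StatusCode)
	}
	var creds Credentials
	if err := json.NewDecoder(resp.Body).Decode(&creds); err != nil {
		return Credentials{}, fmt.Errorf("decode credentials: %w", err)
	}
	return creds, nil
}

// NewMockAgent stands in for the node-local agent: it only answers callers that
// present the expected token, and the credentials it returns are constructed placeholders.
func NewMockAgent(expectedToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != expectedToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Credentials{
			AccessKeyID:     "ASIAEXAMPLEPLACEHOLDER", // constructed, not a real key
			SecretAccessKey: "example-secret-placeholder",
			Token:           "example-session-token-placeholder",
			Expiration:      time.Now().Add(time.Hour).UTC(),
		})
	}))
}

func main() {
	agent := NewMockAgent("constructed-token")
	defer agent.Close()
	tokenFile, _ := os.CreateTemp("", "eks-pod-identity-token")
	defer os.Remove(tokenFile.Name())
	_, _ = tokenFile.WriteString("constructed-token\n")
	tokenFile.Close()

	env := Env{
		"AWS_CONTAINER_CREDENTIALS_FULL_URI":     agent.URL,
		"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": tokenFile.Name(),
	}
	fmt.Println("selected source:", SelectSource(env)) // container
	creds, err := FetchContainerCredentials(agent.Client(), env)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("access key:", creds.AccessKeyID)

	// Static keys sit earlier in the chain, so the association is bypassed until they go.
	env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"] = "AKIAEXAMPLEPLACEHOLDER", "x"
	fmt.Println("selected source:", SelectSource(env)) // environment
}
```

The second call to SelectSource is the migration case from the paragraph above: once AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are present, the container source is no longer chosen even though the agent is reachable, which is why an association can be created before the old credentials are withdrawn. The mock agent also shows why the token file matters: a request without the expected Authorization header is refused.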

Visit the EKS user guide to learn more about the Pod Identity feature.

Note

This fork adds the capability to chain an AssumeRole call before the credentials are passed to the requester. See pkg/extensions/chainrole for details.

Building

  • make build builds the Linux binaries.
  • make dev runs the pod identity agent locally.
  • The test, test-verbose, format, lint and vet targets run the respective tests and tools and should be run before submitting a PR.
  • make docker builds an image using docker buildx.
  • make push gives an example of pushing the image to an AWS ECR repository.

Installation

Helm Install

Refer to the README.md in charts for Helm installation.

Kubectl Install

Update the environment variables below in hack/dev/ds.yaml:

  • EKS_CLUSTER_NAME
  • AWS_REGION_NAME

Then run kubectl apply -f hack/dev/ds.yaml

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.
