
@snarkychef (Member) commented Nov 26, 2025

Issue #, if available:
Fixes https://github.com/aws/eks-anywhere-internal/issues/3712
Fixes https://github.com/aws/eks-anywhere-internal/issues/3536

Description of changes:

- Replaces inappropriate `pod-identity-webhook` ServiceAccount reuse with dedicated ServiceAccount per package
- Eliminates manual ClusterRole/ClusterRoleBinding creation via automated helm chart features (presets or explicit rules)
- Adds both simplified (preset-based) and advanced (explicit rules) configuration examples
- Updates IRSA guidance to reference dedicated ServiceAccounts

Changes align with official AWS EKS ADOT addon best practices and match existing E2E test implementations. RBAC resources are now managed as part of the package lifecycle, eliminating orphaned resources and manual maintenance overhead.

Testing (if applicable):

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
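A defender-side check for the two problems this PR's docs change addresses (a workload borrowing the shared `pod-identity-webhook` ServiceAccount, and a dedicated ServiceAccount that is not wired to IRSA). This is an added example, not code from the PR or the eks-anywhere project; the manifests are constructed and passed as already-parsed dicts, and the role ARN is a placeholder.

```python
# Added example (not code from this PR or the eks-anywhere project): audit parsed
# workload manifests for a workload borrowing a shared ServiceAccount and for a
# dedicated ServiceAccount that carries no IRSA role annotation.
from dataclasses import dataclass

# Infrastructure or catch-all ServiceAccounts that a workload must never borrow.
SHARED_SERVICE_ACCOUNTS = {"pod-identity-webhook", "default"}
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation IRSA reads on the SA


@dataclass(frozen=True)
class Finding:
    workload: str
    service_account: str
    problem: str


def audit(manifests):
    """One Finding per workload that reuses a shared SA or whose SA lacks an IRSA role ARN."""
    sa_index = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"]): m
                for m in manifests if m["kind"] == "ServiceAccount"}
    findings = []
    for m in (m for m in manifests if m["kind"] in {"Deployment", "DaemonSet", "StatefulSet"}):
        ns = m["metadata"].get("namespace", "default")
        workload = f'{m["kind"]}/{ns}/{m["metadata"]["name"]}'
        # An omitted serviceAccountName silently means the namespace's "default" SA.
        sa = m["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if sa in SHARED_SERVICE_ACCOUNTS:
            findings.append(Finding(workload, sa, "reuses a shared ServiceAccount"))
        elif (ns, sa) not in sa_index:
            findings.append(Finding(workload, sa, "ServiceAccount not declared"))
        elif IRSA_ANNOTATION not in sa_index[(ns, sa)]["metadata"].get("annotations", {}):
            findings.append(Finding(workload, sa, "ServiceAccount has no IRSA role-arn"))
    return findings


def sample_manifests():
    """Constructed manifests: the old borrowed-SA pattern beside the dedicated-SA pattern."""
    ns = "observability"

    def deployment(name, sa):
        return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns},
                "spec": {"template": {"spec": {"serviceAccountName": sa}}}}

    return [
        deployment("adot-collector-legacy", "pod-identity-webhook"),  # the anti-pattern
        {"kind": "ServiceAccount", "metadata": {"name": "adot-collector", "namespace": ns,
         "annotations": {IRSA_ANNOTATION: "arn:aws:iam::<ACCOUNT_ID>:role/<ADOT_ROLE>"}}},  # placeholder
        deployment("adot-collector", "adot-collector"),  # dedicated SA, IRSA wired
    ]
```

Running `audit(sample_manifests())` flags only the legacy Deployment; the dedicated ServiceAccount with its role annotation passes.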

@eks-distro-bot (Collaborator) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from snarkychef. For more information see the Kubernetes Code Review Process.


@eks-distro-bot eks-distro-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 26, 2025
@codecov codecov bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.56%. Comparing base (7c47a0b) to head (54df845).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #10414   +/-   ##
=======================================
  Coverage   69.56%   69.56%           
=======================================
  Files         670      670           
  Lines       40676    40676           
=======================================
  Hits        28297    28297           
  Misses      10670    10670           
  Partials     1709     1709           


@snarkychef snarkychef force-pushed the adot-docs branch 2 times, most recently from 3914411 to 2cab8f9 Compare December 1, 2025 17:24
@eks-distro-bot eks-distro-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 1, 2025
@snarkychef snarkychef force-pushed the adot-docs branch 4 times, most recently from a1a8471 to 06c1399 Compare December 29, 2025 05:25
@snarkychef snarkychef changed the title from "Fix complicated and insecure adot installation docs" to "Improve ADOT and IRSA docs: automate RBAC, dedicated ServiceAccounts" Dec 29, 2025
- Automate RBAC lifecycle management via presets and clusterRole.create
- Use dedicated ServiceAccounts per workload (security improvement)
- Reorder IRSA sections for infrastructure-first flow
- Simplify configuration examples and remove manual kubectl steps

Labels: area/docs (Documentation), documentation, size/XL (Denotes a PR that changes 500-999 lines, ignoring generated files)
