
EKS Pod Identity support for driver level credentials #451

Merged: unexge merged 14 commits into main from eks-pod-identity-support-driver-level on May 6, 2025

@renanmagagnin (Contributor) commented May 2, 2025

This PR is a follow-up to #449 because we need the E2E tests to run with the newly added cluster-name parameter. This is not possible in a PR created from a fork.

Description of changes: With this change, we will support the configuration of driver level credentials with EKS Pod Identity. In EKS clusters, this is an alternative to IRSA with an easier configuration process.

Key Changes:

  • Credential Provider

    • In provider_driver.go the container credentials used for EKS Pod Identity are fetched from the driver pod and forwarded to the Mountpoint process. This is done similarly to STS Web Identity credentials used for IRSA.
    • Added unit tests covering different credential setup scenarios (including combinations)
  • Testing

    • Added cluster name as parameter for E2E tests
    • Added E2E tests covering EKS Pod Identity setup scenarios with IAM roles of varying levels of S3 access
    • Manual testing performed on personal EKS cluster

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
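
The forwarding step named in the Credential Provider bullet above, as an added Go example that is not code from this PR or from the driver. The function name, the `destDir` directory, the token file name and the endpoint allow-list are assumptions made for illustration; the two environment variable names and the Pod Identity Agent addresses are the ones AWS documents for container credentials.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
)

// Environment variables the AWS SDKs read for container credentials.
const (
	envFullURI   = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
	envTokenFile = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
)

// Link-local addresses of the EKS Pod Identity Agent (IPv4 and IPv6).
var agentHosts = map[string]bool{"169.254.170.23": true, "fd00:ec2::23": true}

// forwardContainerCredentials copies the Pod Identity token into destDir (a
// hypothetical directory shared with Mountpoint) and returns the env entries to
// pass on. It returns nil, nil when Pod Identity is not configured.
func forwardContainerCredentials(getenv func(string) string, destDir string) ([]string, error) {
	uri, tokenPath := getenv(envFullURI), getenv(envTokenFile)
	if uri == "" || tokenPath == "" {
		return nil, nil // not configured; other providers (e.g. IRSA) may apply
	}
	u, err := url.Parse(uri)
	if err != nil || !agentHosts[u.Hostname()] {
		return nil, fmt.Errorf("refusing credentials endpoint %q: not the Pod Identity Agent", uri)
	}
	token, err := os.ReadFile(tokenPath)
	if err != nil {
		return nil, fmt.Errorf("read token: %w", err)
	}
	dest := filepath.Join(destDir, "eks-pod-identity-token") // hypothetical name
	// The token is a bearer secret: owner-only permissions on the copy.
	if err := os.WriteFile(dest, token, 0o600); err != nil {
		return nil, fmt.Errorf("write token: %w", err)
	}
	return []string{envFullURI + "=" + uri, envTokenFile + "=" + dest}, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "src-token")
	os.WriteFile(src, []byte("constructed-token"), 0o600) // constructed sample
	env := map[string]string{envFullURI: "http://169.254.170.23/v1/credentials", envTokenFile: src}
	fmt.Println(forwardContainerCredentials(func(k string) string { return env[k] }, dir))
}
```
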

@renanmagagnin renanmagagnin self-assigned this May 2, 2025
@renanmagagnin renanmagagnin requested a review from a team as a code owner May 2, 2025 14:35
@renanmagagnin renanmagagnin changed the title Eks pod identity support driver level EKS Pod Identity support for driver level credentials May 2, 2025
Signed-off-by: Renan Magagnin <renanmag@amazon.co.uk>
@renanmagagnin renanmagagnin force-pushed the eks-pod-identity-support-driver-level branch from 9c9535f to 7da2c1f Compare May 6, 2025 09:53
unexge previously approved these changes May 6, 2025
Comment thread tests/e2e-kubernetes/testsuites/credentials.go Outdated
Comment thread tests/e2e-kubernetes/testsuites/credentials.go Outdated
Signed-off-by: Renan Magagnin <renanmag@amazon.co.uk>