[RFC-0010] Remove EKS Pod Identity from the proposal #5309

Merged
merged 1 commit into from
Apr 29, 2025

matheuscscp
Member

@matheuscscp matheuscscp commented Apr 17, 2025

While testing the RFC implementation I got blocked by the fact that we try to create the ServiceAccount token bound to a pod in order to support EKS Pod Identity, which has this requirement. The only pod we can be sure exists is the controller pod itself, so we use the os.Getenv("HOSTNAME") environment variable. However, the Kubernetes API does not accept issuing a ServiceAccount token bound to a pod that does not use that ServiceAccount.

Conclusion: It's impossible to support EKS Pod Identity for multi-tenant workload identity; it works only for the single-tenant version. We can only support IRSA for multi-tenant workload identity.
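
A local Go model of the binding rule described in the comment above, added here as an illustration; it is not code from this PR, from Flux, or from Kubernetes. The struct fields mirror the TokenRequest spec, while `checkPodBinding`, the pod and ServiceAccount names, and the audience value are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Fields mirror the authentication.k8s.io/v1 TokenRequest spec;
// only the parts relevant to pod binding are modelled.
type BoundObjectRef struct{ Kind, APIVersion, Name, UID string }

type TokenRequestSpec struct {
	Audiences      []string
	BoundObjectRef *BoundObjectRef
}

// Pod holds the pod fields the binding check looks at.
type Pod struct{ Name, UID, ServiceAccountName string }

var (
	ErrPodNotFound         = errors.New("bound pod not found")
	ErrWrongServiceAccount = errors.New("pod does not use the requested ServiceAccount")
)

// checkPodBinding is a hypothetical local model (not apiserver code) of the
// rule from the comment: a token for serviceAccount may be bound only to an
// existing pod that runs as that same ServiceAccount.
func checkPodBinding(serviceAccount string, spec TokenRequestSpec, pods map[string]Pod) error {
	ref := spec.BoundObjectRef
	if ref == nil || ref.Kind != "Pod" {
		return nil // not pod-bound: nothing to check in this model
	}
	pod, ok := pods[ref.Name]
	if !ok || (ref.UID != "" && ref.UID != pod.UID) {
		return ErrPodNotFound
	}
	if pod.ServiceAccountName != serviceAccount {
		return fmt.Errorf("%w: pod %q runs as %q, token requested for %q",
			ErrWrongServiceAccount, pod.Name, pod.ServiceAccountName, serviceAccount)
	}
	return nil
}

func main() {
	// Constructed sample: the controller pod name stands in for os.Getenv("HOSTNAME").
	pods := map[string]Pod{"controller-0": {Name: "controller-0", UID: "uid-1", ServiceAccountName: "controller-sa"}}
	req := TokenRequestSpec{Audiences: []string{"example-audience"}, BoundObjectRef: &BoundObjectRef{Kind: "Pod", APIVersion: "v1", Name: "controller-0"}}
	fmt.Println("single-tenant:", checkPodBinding("controller-sa", req, pods))
	fmt.Println("multi-tenant: ", checkPodBinding("tenant-a-sa", req, pods))
}
```

The single-tenant call passes because the controller pod runs as the ServiceAccount the token is issued for; the multi-tenant call fails because the tenant ServiceAccount has no pod of its own to bind to.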

@matheuscscp matheuscscp merged commit a6b5013 into main Apr 29, 2025
5 checks passed
@matheuscscp matheuscscp deleted the update-rfc-0010 branch April 29, 2025 16:29
@matheuscscp matheuscscp mentioned this pull request May 15, 2025
53 tasks