
[EKS] [eks-pod-identity]: How to confirm whether the pod identity associations are ready using the API #2507

Open
mounisan opened this issue Dec 24, 2024 · 1 comment
Labels
EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue

Comments

@mounisan

Tell us about your request.
EKS Pod Identity associations only apply to newly created pods and do not automatically update existing pods; to grant access to existing pods, you need to re-deploy them with the associated service account to leverage the new IAM role permissions provided by the Pod Identity association.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
When we add an association to our pods, the association shows that it is created, and the pod rolls to get the pod identity environment variables; however, they come up without the credentials and remain in CrashLoopBackOff, requiring us to roll them again to get the pod identity environment variables. We can't see a way to tell whether the pod identity associations are ready using the API and want to know if there is a way to confirm that they are ready through the API. We followed the exact steps mentioned in the documentation, https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html.

Are you currently working around this issue?

The pod identity association works once the pod is restarted. It will enter CrashLoopBackOff and not have the environment variables on first start. I would like to give the command the proper time to bring the association fully up before rolling the pods to get the new credentials from the agent. How can I assure this happens? Are there settings I can utilize with the agent to make sure the variables get there, or are there commands I can issue through the CLI? There aren't any useful attributes output. I can see that the CLI returns:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/describe-pod-identity-association.html#output

Let's say we create the pod association and then immediately roll the pods; the EKS pod identity association create command will return as successful, and the pods will start to be re-rolled. The issue is the command finishes, and it seems that the association isn't fully created, because when the pods roll, the environment variables aren't there. If I were to come back and roll the pods manually, the proper environment variables would be there, and it would work, but I need to know when the association is fully done creating.

Additional context
amazon-eks-pod-identity-webhook is installed.

@mounisan mounisan added the Proposed Community submitted issue label Dec 24, 2024
@mikestef9 mikestef9 added the EKS Amazon Elastic Kubernetes Service label Dec 24, 2024
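As an added example (not from the issue author, the EKS documentation, or the AWS tooling), the following script bounds the race described in the post: it polls `aws eks describe-pod-identity-association` until the association is visible with the expected namespace, service account and role, rolls the deployment, and then inspects the replacement pods for the two environment variables the Pod Identity webhook injects (`AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE`, names taken from the EKS Pod Identity documentation). Pods that were not mutated are rolled once more. It assumes the `aws` and `kubectl` CLIs are configured for the cluster and that the deployment's pods can be found with a label selector; the association id is the one returned by `create-pod-identity-association`.

```python
#!/usr/bin/env python3
"""Added example (not from the issue or from AWS): wait for a Pod Identity
association to be visible via the API, roll the deployment, then verify the
new pods actually carry the injected credential environment variables.
Assumes the aws and kubectl CLIs are configured for the target cluster.
"""
import json
import subprocess
import sys
import time

# Env vars the EKS Pod Identity webhook injects into pods that use an associated
# service account (names from the EKS Pod Identity docs; values are not checked).
POD_IDENTITY_ENV = (
    "AWS_CONTAINER_CREDENTIALS_FULL_URI",
    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
)


def run_json(cmd):
    """Run a CLI command and parse its JSON stdout."""
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def association_matches(describe_output, namespace, service_account, role_arn):
    """True if describe-pod-identity-association output shows the expected mapping.
    The API exposes no readiness/status field, so presence is the only signal."""
    assoc = describe_output.get("association") or {}
    return (
        assoc.get("namespace") == namespace
        and assoc.get("serviceAccount") == service_account
        and assoc.get("roleArn") == role_arn
    )


def pods_missing_identity_env(pod_list):
    """Given `kubectl get pods -o json` output, return the names of pods where any
    container lacks one of the injected env vars (the webhook did not mutate it)."""
    missing = []
    for pod in pod_list.get("items", []):
        for container in pod.get("spec", {}).get("containers", []):
            names = {e.get("name") for e in container.get("env", [])}
            if not set(POD_IDENTITY_ENV) <= names:
                missing.append(pod["metadata"]["name"])
                break
    return missing


def wait_for_association(cluster, assoc_id, namespace, sa, role_arn, timeout=120):
    """Poll describe until the association is visible with the expected fields."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            out = run_json(["aws", "eks", "describe-pod-identity-association",
                            "--cluster-name", cluster, "--association-id", assoc_id])
            if association_matches(out, namespace, sa, role_arn):
                return True
        except subprocess.CalledProcessError:
            pass  # not found yet or transient API error; keep polling
        time.sleep(5)
    return False


def roll_and_verify(namespace, deployment, selector, attempts=2):
    """Restart the deployment and confirm the replacement pods were mutated.
    Pods stuck in CrashLoopBackOff make `rollout status` fail, so that failure
    is tolerated and the env-var check still runs."""
    for attempt in range(1, attempts + 1):
        subprocess.run(["kubectl", "-n", namespace, "rollout", "restart",
                        f"deployment/{deployment}"], check=True)
        subprocess.run(["kubectl", "-n", namespace, "rollout", "status",
                        f"deployment/{deployment}", "--timeout=5m"], check=False)
        pods = run_json(["kubectl", "-n", namespace, "get", "pods",
                         "-l", selector, "-o", "json"])
        missing = pods_missing_identity_env(pods)
        if not missing:
            return True
        print(f"attempt {attempt}: pods without injected credentials: {missing}",
              file=sys.stderr)
    return False


if __name__ == "__main__":
    # Usage: script.py CLUSTER ASSOCIATION_ID NAMESPACE SERVICE_ACCOUNT ROLE_ARN DEPLOYMENT SELECTOR
    cluster, assoc_id, ns, sa, role, deploy, selector = sys.argv[1:8]
    if not wait_for_association(cluster, assoc_id, ns, sa, role):
        sys.exit("association never became visible via the API")
    sys.exit(0 if roll_and_verify(ns, deploy, selector) else 1)
```

The check on the pod spec is the only deterministic signal available from the cluster side: if the webhook mutated the pod, both variables are present in every container; if a pod was admitted before the association was usable, they are absent and the pod will not obtain credentials no matter how long it waits. Keep `attempts` small so a genuinely misconfigured association (wrong namespace or service account) fails fast instead of restarting indefinitely.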
@dims
Member

dims commented Dec 24, 2024

FYI we also have this repo - https://github.com/aws/eks-pod-identity-agent for issues.
