Outdated pod-identity-webhook version includes a bug that disallows injection of AWS_STS_REGIONAL_ENDPOINTS=regional #1686
matveidner
started this conversation in
General
Replies: 1 comment 2 replies
-
Is it part of OKD payload or installed as additional operator from community OperatorHub? |
Beta Was this translation helpful? Give feedback.
2 replies
-
|
It is default, as part of the cloud-credential ClusterOperator |
Beta Was this translation helpful? Give feedback.
-
|
OKD uses the same cloud-credential operator as OCP. So this issue should be reported as OCP bug, fixed there, backported to 4.13 - and it would land in OKD 4.13 stable |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Describe the bug
VPCE requires SetRegion and SetEndpoint parameters explicitly defined to be automatically used over the global (default) STS endpoint. The AWS-Pod-Identity-Webhook operator on OKD is still the initial version (v0.1.0) which currently cannot set these parameters, because of a bug. Regionality should be either set true by default or the operator should be updated to a version that allows env injection w/ sa annotation.
Our requirement is to be able to restrict cross-account IRSA conditionally and utilize an interface endpoint for regional sts.
Version
4.13.0-0.okd-2023-05-22-052007
How reproducible
Annotation
eks.amazonaws.com/sts-regional-endpoints: "true"injects envAWS_STS_REGIONAL_ENDPOINTS=regionalinto the IRSA pod.Log bundle
N/A
Beta Was this translation helpful? Give feedback.
All reactions