Introduction
EKS Pod Identity is now GA. It is a simpler method than IAM roles for service accounts (IRSA) because it does not use an OIDC identity provider: the Pod Identity Agent running on each node hands credentials to a pod based on an association between the pod's service account and an IAM role. As a result, IAM roles no longer need to reference the cluster's OIDC provider in their trust policy; they trust the `pods.eks.amazonaws.com` service principal instead, so the same role can be reused across clusters without editing its trust policy.
The aim of this solution is to allow:
- Least privilege - IAM permissions are scoped to a service account, and only pods that use that service account receive them. This removes the need for third-party node-level credential proxies such as kiam or kube2iam.
- Credential isolation - A pod's containers can only retrieve credentials for the IAM role associated with the service account used by the container; they cannot obtain another service account's role.
- Auditability - Access and event logging is available through AWS CloudTrail.
Idea
The AWS EKS reference architecture should adopt EKS Pod Identity as the default way to grant pods IAM permissions, since it is simpler to provision and audit than alternatives such as IAM roles for service accounts.
Implementation
Remove OIDC from cluster provisioning. The eksctl ClusterConfig currently enables the OIDC provider for IRSA:

```yaml
iam:
  withOIDC: true
```

With EKS Pod Identity this setting is no longer required for pod credentials, because the Pod Identity Agent replaces the OIDC token exchange. Keep it only until every workload and add-on that still assumes a role through IRSA has been migrated to a pod identity association.

Install the Pod Identity Agent as an EKS add-on. The add-on can be created with eksctl, the AWS CLI or Terraform; with eksctl:

```shell
eksctl create addon --cluster my-cluster --name eks-pod-identity-agent
```
Bind service accounts to IAM roles with pod identity associations. Note that the `eks.amazonaws.com/role-arn` annotation is the IRSA mechanism, not Pod Identity: under Pod Identity the ServiceAccount carries no role annotation. The binding is a pod identity association held in the EKS control plane (created with `eksctl create podidentityassociation` or `aws eks create-pod-identity-association`), scoped to a cluster, namespace and service account name, so the manifest stays plain:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  namespace: default
```
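The end-to-end procedure above (install the agent, create a role that trusts the Pod Identity service principal, bind a plain service account to it, and verify from inside a pod) as an added example. This script is not part of the issue or of any AWS project; the cluster, namespace, service account and role names and the policy ARN are placeholder assumptions, and the `apply` function needs `eksctl`, `aws` and `kubectl` with permissions on a real cluster. The two helper functions are pure and can be used on their own, for example to scan manifests for leftover IRSA annotations during migration.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): EKS Pod Identity setup with checks.
# Placeholders below are assumptions; override them via environment variables.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
NAMESPACE="${NAMESPACE:-default}"
SA_NAME="${SA_NAME:-my-serviceaccount}"
ROLE_NAME="${ROLE_NAME:-my-serviceaccount-pod-identity}"
# Hypothetical least-privilege policy for the workload; attach your own ARN.
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::123456789012:policy/my-app-read-only}"

# Pod Identity trust policy: the principal is the EKS Pod Identity service,
# not an OIDC provider, so there is no cluster-specific "Federated" ARN and no
# "sub" condition to maintain. sts:TagSession must be allowed because the
# agent tags the session with the cluster, namespace and service account.
pod_identity_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ]
    }
  ]
}
EOF
}

# Migration check: returns 0 if a ServiceAccount manifest read from stdin
# still carries the IRSA annotation, which Pod Identity does not use.
irsa_annotation_present() {
  case "$(cat)" in
    *eks.amazonaws.com/role-arn*) return 0 ;;
    *) return 1 ;;
  esac
}

apply() {
  # 1. Install the agent as an EKS add-on (the command from the issue).
  eksctl create addon --cluster "$CLUSTER" --name eks-pod-identity-agent

  # 2. Create the role with the Pod Identity trust policy and attach the
  #    workload's least-privilege policy.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(pod_identity_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  ROLE_ARN="$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)"

  # 3. Plain ServiceAccount: no eks.amazonaws.com/role-arn annotation needed.
  kubectl -n "$NAMESPACE" create serviceaccount "$SA_NAME"

  # 4. Bind the service account to the role in the EKS control plane.
  aws eks create-pod-identity-association --cluster-name "$CLUSTER" \
    --namespace "$NAMESPACE" --service-account "$SA_NAME" --role-arn "$ROLE_ARN"

  # 5. Verify from inside a pod that uses the service account: the caller
  #    identity must be an assumed-role session of ROLE_NAME.
  ident="$(kubectl -n "$NAMESPACE" run pod-identity-check --rm -i --restart=Never \
    --image=public.ecr.aws/aws-cli/aws-cli \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$SA_NAME\"}}" \
    -- sts get-caller-identity --query Arn --output text)"
  case "$ident" in
    *"assumed-role/$ROLE_NAME/"*) echo "pod identity OK: $ident" ;;
    *) echo "unexpected identity: $ident" >&2; return 1 ;;
  esac

  # 6. Audit: list every association for the cluster. Creation and use also
  #    appear in CloudTrail as CreatePodIdentityAssociation and
  #    AssumeRoleForPodIdentity events.
  aws eks list-pod-identity-associations --cluster-name "$CLUSTER" --output table
}

# Only touch AWS when invoked with --apply; the helpers above are pure.
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `./pod-identity.sh --apply` after exporting the placeholders for your environment. The verification step in `apply` is the check a practitioner wants before removing `withOIDC`: if the pod's caller identity is not a session of the expected role, the association or the trust policy is wrong, and the workload is still relying on whatever credentials the node or IRSA provide.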