-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow projected volumes / Allow certain volumes - Support Azure Workload Identity #1078
Comments
@brokenpip3 I would like to contribute here. I think I could implement the "hotfix" approach analog to the kube-api-access hotfix. |
Hi Ben, thanks for offering your help. The best way that I have in my mind to do it is to add for envs, volumes, annotations, and labels a list of "ignored" resources that will be ignored during the reconciliation. To do so we need:
Another options is to decide the most used one (aks, eks, isto, etc) and put them there hardcoded and each time create a PR to add a new one, but this is way more ugly than the user lists I mention before. Make sense to you? |
I wonder, if it might be sufficient to ignore projected volumes with "serviceAccountToken" in sources in general? But if we have to touch it anyhow, maybe it's time to change the hardcoding to something configurable like you describe. Another idea I had was to use whitelisting for the things we need to ensure and ignore the rest. |
we can start with this, but for sure we also need to give to the users an optional list of annotations that needs to be ignored like other operators flow like the zalando pg operator |
I first thought about putting it as a configuration on the operator, but if #706 comes to the conclusion that it's one operator and multiple Jenkins controllers (instances), this would be too limiting. I'd see Added here would be something like:
I'd prefer this solution to the hardcoding after having thought about it. |
yup like I said initially this is will be the most clean and easy to maintain solution for this issue, thanks for speeding time trying to understand the best approach here :) |
any update on this? we are also blocked https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html |
I won't find time to do this in the coming few months. If you want to take a shot at it, feel free to do so. |
anybody can work on this or other issues (maybe you can pair 🙂 ). |
Describe the solution you'd like
I would like to be able to use the operator in AKS with workload identity enabled. This requires that additional volumes can be added on the fly to the pod definition.
I think this is a special case of #586.
Background
I am running an AKS cluster with workload identity enabled. This allows pods to use an annotated service account that can be used to access protected Azure resources.
The pod get s this label:
azure.workload.identity/use: "true"
The service-account get's this annotation:
azure.workload.identity/client-id: "<USER_ASSIGNED_CLIENT_ID
This requires that the pod gets a new volume, which looks like this:
Due to some checks, the pod is being restarted as the operator determines that the volumes are different.
This hinders me to use Azure Workload Identity as authentication method e.g. in the
azure-vm-agents
plugin.Describe alternatives you've considered
I would like to either
kube-api-access-<random-suffix>
as volume name, orAdditional context
The text was updated successfully, but these errors were encountered: