IRSA Support for Bare Metal #4361
Comments
We definitely have plans to build, support and probably use this, not sure what that is going to look like though
I also don't know what bare metal changes might be needed if any to support this.
currently using this workaround:
See IRSA docs here for a description of the kube-api server flags required. So far it seems to work, as long as the rest of the IRSA setup is correct. (you have a service role that's properly annotated and you've got correct keys in your OIDC provider bucket, etc)
@evdevr
I tried to update the
The only way I can start
FYI: I'm running eksctl anywhere cluster in an EC2 instance
One thing that seems to partially work is to update the
@balusarakesh

    --service-account-issuer=<your $ISSUER_HOSTPATH value>
    --service-account-issuer=<original cluster.local value>

The important part is to make sure the new one you add is first in the list. The
After updating the file, it looked like

    systemctl daemon-reload
    systemctl restart kubelet
    systemctl restart containerd
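
The ordering point in the comment above, as an added example that is not part of the original thread or the project's code: a shell check that the expected IRSA issuer is the first `--service-account-issuer` entry in a file of kube-apiserver flags. It assumes one unquoted `- --flag=value` list item per line; the function names and the sample URLs are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check --service-account-issuer ordering.
# Assumption: flags appear as unquoted "- --flag=value" list items, one per line.

# Constructed sample input; both URLs are placeholders.
sample_manifest() {
cat <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=https://oidc.example.invalid/cluster
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
EOF
}

# Print every configured issuer, in file order, with trailing blanks removed.
list_issuers() {
    sed -n 's/^[[:space:]]*-[[:space:]]*--service-account-issuer=//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# check_issuer_order FILE EXPECTED
# 0: EXPECTED is first (the issuer written into newly generated tokens)
# 1: EXPECTED is listed but not first   2: EXPECTED missing   3: no issuer flags
check_issuer_order() {
    issuers=$(list_issuers "$1")
    if [ -z "$issuers" ]; then
        echo "no --service-account-issuer flags found in $1" >&2
        return 3
    fi
    first=$(printf '%s\n' "$issuers" | head -n 1)
    if [ "$first" = "$2" ]; then
        # A single entry means tokens minted under the previous issuer stop validating.
        [ "$(printf '%s\n' "$issuers" | grep -c .)" -ge 2 ] ||
            echo "warning: $2 is the only issuer configured" >&2
        return 0
    fi
    if printf '%s\n' "$issuers" | grep -Fxq -- "$2"; then
        echo "issuer listed but not first; new tokens use: $first" >&2
        return 1
    fi
    echo "expected issuer not configured: $2" >&2
    return 2
}
```

Source the file on a control plane node and call `check_issuer_order` with the file that holds the kube-apiserver flags and the issuer URL you expect; a non-zero status tells you which of the three misconfigurations was found.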
@evdevr FYI: I can start
Let me know if there is a way I can debug why it did not start
Resolved in #5249. Closing this.
What would you like to be added: IRSA Support for Bare Metal clusters
Why is this needed: Users with Bare Metal clusters want to send metrics back to AWS using ADOT w/IRSA.
Today, if a user tries to add a serviceAccountIssuer in their cluster spec, it's not passed through to the kube-api config so the pod-identity-webhook does not work.