-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AWS pod identity support #499
Add AWS pod identity support #499
Conversation
docs are here kedacore/keda-docs#56 |
'kiam' -> 'aws-kiam' 'eks' -> 'aws-eks'
I'm a bit puzzled by the proposed implementation. In an EKS-managed cluster, if the KEDA operator Pod is properly associated with a ServiceAccount, and the ServiceAccount has the proper In other words, there are usually no code changes needed if the manifest is correctly set up and you haven't messed with the default credential chain. (Unfortunately, it looks like in the existing code, the credential chain is being overridden for reasons that aren't clear to me yet; we probably need to think about that.) If I understand the proposal correctly (and I might not be!), this change would cause the KEDA operator to look at the annotations applied to the pod template of the target deployment and use that as a role name to assume. But I do not think this will work as designed. The IAM role is bound to the pod making the API calls -- only that pod can assume the IAM role. The annotation needs to be applied to the operator, not the target. Let me know if you think I'm confused. Also, out of curiosity, how did you test this change? |
You can run a single role and attach it to the operator that allows it to read the stats for all SQS queues. A more granular approach would be to craft a role for your application that only allows "roleAppA" to read SQS queue information for only the SQS queues of "AppA". The IAM role "roleAppA" would have to have a trust policy that allows the service account of KEDA to assume it.
I will investigate further into the eks implementation. I have not tested it fully. |
@zach-dunton-sf would it be possible to merge with master please? I presume you are still waiting on a review? Care to pick this up @ahmelsayed ? |
Sorry for the delay @zach-dunton-sf, I'm not too familiar with how pod identity works on AWS so was just keeping an eye on the conversation here. The change looks fine from my prospective. I will merge it once the build passes |
Is this solution expected to also work for kube2iam which uses similar techniques to kiam? |
Yes. kube2iam should work also.
…On Tue, Mar 10, 2020 at 5:11 PM Christian Rothe ***@***.***> wrote:
Is this solution expected to also work for kube2iam which uses similar
techniques to kiam?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#499?email_source=notifications&email_token=AEH7ZDOC4JAYOK7DIMMCBDDRGZRDDA5CNFSM4JV6P5O2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOMCFEQ#issuecomment-597172882>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEH7ZDLF2JEGPJ6S3E4UJ3LRGZRDDANCNFSM4JV6P5OQ>
.
|
Tried it out and it does not seem to work for kube2iam (or I don't understand what I am supposed to do).
I do not understand that. Why would it try to assume the role of the thing it is supposed to be scaling? That thing might not even have access to the metrics. What is the right way to use aws-kiam? The docs are, unfortunately, rather sparse on this. |
You need to modify the role <ROLE_OF_THE_POD_TO_BE_SCALED> so it can be
assumed by <MY_KUBE2IAM_PROVIDED_READER_ROLE>. You can do that in the IAM
console, if you select the <ROLE_OF_THE_POD_TO_BE_SCALED> role, then click
on "Trust Relationships" then add the ARN for
<MY_KUBE2IAM_PROVIDED_READER_ROLE>
…On Mon, Mar 16, 2020 at 2:49 PM Christian Rothe ***@***.***> wrote:
Tried it out and it does not seem to work for kube2iam (or I don't
understand what I am supposed to do).
I have added a kube2iam role to the metrics-apiserver pod thus allowing
the metrics server to get the correct credentials to fetch metrics from
Cloudwatch. However, I am getting 403s. The following can be found in the
logs of the apiserver:
AccessDenied: User: <MY_KUBE2IAM_PROVIDED_READER_ROLE> is not authorized
to perform: sts:AssumeRole on resource: <ROLE_OF_THE_POD_TO_BE_SCALED>
I do not understand that. Why would it try to assume the role of the thing
it is supposed to be scaling? What is the right way to use aws-kiam? The
docs are, unfortunately, rather sparse on this.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#499 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEH7ZDNDW6SBVECC4JHSAO3RHYU5NANCNFSM4JV6P5OQ>
.
|
I understand how to do the mechanical AWS parts, but I don't understand why I would want to set it up that way? ROLE_OF_THE_POD_TO_BE_SCALED is the role that pod needs to do it's work and that work has nothing to do with metrics. At most it might typically have some PutMetrics permissions, but I don't think it should, as a general rule, have GetMetrics permissions - that is not the task of the scaled pod and thus IMO it should not have the permission. |
(but thank you for clarifying your intention with the different roles) |
Briefly thinking out loud: What would the alternative be, though? I came in expecting to add the permissions to the apiserver, which I'm starting to realise would mean I need to add all relevant permissions for all possibly AWS-scaled things to that pod/role. Which I guess could be seen as excessive. OTOH, I really dislike having to assume the role of the pod-to-be-scaled. Can we maybe add an annotation to the ScaledObject or the TriggerAuthentication object instead and then make sure the role the apiserver runs with can assume that one? From a separation of concerns perspective that would be much cleaner IMO. |
It is possible to assign a separate more limited role using the
TriggerAuthentication, don't use podIdentity. You can specify a Role ARN in
the TriggerAuthentication.
…On Mon, Mar 16, 2020 at 3:18 PM Christian Rothe ***@***.***> wrote:
Briefly thinking out loud: What would the alternative be, though? I came
in expecting to add the permissions to the apiserver, which I'm starting to
realise would mean I need to add all relevant permissions for all possibly
AWS-scaled things to that pod/role. Which I guess could be seen as
excessive. OTOH, I really dislike having to assume the role of the
pod-to-be-scaled. Can we maybe add an annotation to the ScaledObject or the
TriggerAuthentication object instead and then make sure the role the
apiserver runs with can assume that one? From a separation of concerns
perspective that would be much cleaner IMO.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#499 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEH7ZDOLFSTFBXLOGI3BM3DRHYYMXANCNFSM4JV6P5OQ>
.
|
Hmm, ok. But if I understand correctly: If I want to use TriggerAuthentication (with or without roleARN), I will then need to hard-code AWS_ACCESS_KEY_ID etc. (which is a big no-no in our organization) or jump through some hoops to make dynamic secrets work with this possibly (which is what kube2iam and kiam were designed to avoid). |
No, you just need the role arn.
Christian Rothe <notifications@github.com> schrieb am Mo. 16. März 2020 um
15:36:
… Hmm, ok. But if I understand correctly: If I want to use
TriggerAuthentication (with or without roleARN), I will then need to
hard-code AWS_ACCESS_KEY_ID etc. (which is a big no-no in our organization)
or jump through some hoops to make dynamic secrets work with this possibly
(which is what kube2iam and kiam were designed to avoid).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#499 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEH7ZDI4C2AUIR3SBQVOGP3RHY2OJANCNFSM4JV6P5OQ>
.
|
Could you please point in the direction of a working example then?
Does result in errors like |
It's a bit weird because you have to go through a Secret. I do not think it is possible to set it directly on the TriggerAuthentication. https://github.com/kedacore/keda-docs/blob/master/content/scalers/aws-sqs.md
|
That did it! Thanks for the help, I got it running now. Looks like I completely misunderstood what podIdentity is about and plain kube2iam would've worked before. To recap in case someone runs into this ticket again:
|
TriggerAuthentication doesn't support hardcoded values indeed, for now. Was everything clear or do we need to update the docs? |
I think a full example with the awsRoleArn could be useful. It is not obvious that that can e.g. pull default AWS authenticators and that it needs to go into the secret. |
Tracking this in kedacore/samples#10 but happy to link to a sample if you have one |
Having problems setting the SQS scaler up on a kubernetes cluster using kube2iam. We are using v 1.3.0. Followed @ncrothe approach above...
Get the following error in the keda-operator... kube2iam provides the role for the pod(uses the annotation)...so session should be available inside pod? Any thoughts? Looking at the code...it seems to use a different technique to consume the kiam/kube2iam role compared to other tools eg externaldns externaldns. ...uses session.NewSessionWithOptions |
I think: To make the current version of this work, you need one more indirection. As the error implies, your pod is assuming the intended role via kube2iam, but then keda tries to assume the same role as that role. So either:
|
@ncrothe |
Would you be open to create a new issue for this to see what we need to fix and/or improve the docs? |
@tomkerkhove |
…dacore#499) Signed-off-by: Ratnadeep Debnath <rtnpro@gmail.com>
No description provided.