chore: Remove deprecated AAD-Pod-Identity and AWS-KIAM auths (kedacore#1388)

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: shubhusion <shubham27.sharma03@gmail.com>
JorTurFer authored and shubhusion committed Jun 28, 2024
1 parent 82f8ba5 commit 3a8a773
Showing 9 changed files with 17 additions and 161 deletions.
14 changes: 0 additions & 14 deletions content/docs/2.15/authentication-providers/aws-kiam.md

This file was deleted.

This file was deleted.

37 changes: 3 additions & 34 deletions content/docs/2.15/concepts/authentication.md
Expand Up @@ -92,7 +92,7 @@ metadata:
namespace: default # must be same namespace as the ScaledObject
spec:
podIdentity:
provider: none | azure | azure-workload | aws | aws-eks | aws-kiam | gcp # Optional. Default: none
provider: none | azure-workload | aws | aws-eks | gcp # Optional. Default: none
identityId: <identity-id> # Optional. Only used by azure & azure-workload providers.
roleArn: <role-arn> # Optional. Only used by aws provider.
identityOwner: keda|workload # Optional. Only used by aws provider.
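Review bot: the unchanged `identityId` line in this block still reads `# Optional. Only used by azure & azure-workload providers.`, but this hunk removes `azure` from the accepted `provider` values. Suggest changing that comment to name only `azure-workload` in the same commit, so the block does not advertise a provider that can no longer be selected.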
Expand Down Expand Up @@ -332,30 +332,12 @@ Currently we support the following:

```yaml
podIdentity:
provider: none | azure | azure-workload | aws | aws-eks | aws-kiam # Optional. Default: none
provider: none | azure-workload | aws | aws-eks | gcp # Optional. Default: none
identityId: <identity-id> # Optional. Only used by azure & azure-workload providers.
roleArn: <role-arn> # Optional. Only used by aws provider.
identityOwner: keda|workload # Optional. Only used by aws provider.
```

#### Azure Pod Identity

> [DEPRECATED: This will be removed in KEDA v2.15](https://github.com/kedacore/keda/discussions/5362)

Azure Pod Identity is an implementation of [**Azure AD Pod Identity**](https://github.com/Azure/aad-pod-identity) which lets you bind an [**Azure Managed Identity**](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/) to a Pod in a Kubernetes cluster as delegated access - *Don't manage secrets, let Azure AD do the hard work*.

You can tell KEDA to use Azure AD Pod Identity via `podIdentity.provider`.

```yaml
podIdentity:
provider: azure # Optional. Default: none
identityId: <identity-id> # Optional. Default: Identity linked with the label set when installing KEDA.
```

Azure AD Pod Identity will give access to containers with a defined label for `aadpodidbinding`. You can set this label on the KEDA operator deployment. This can be done for you during deployment with Helm with `--set podIdentity.activeDirectory.identity={your-label-name}`.

You can override the identity that was assigned to KEDA during installation, by specifying an `identityId` parameter under the `podIdentity` field. This allows end-users to use different identities to access various resources which is more secure than using a single identity that has access to multiple resources.

#### Azure Workload Identity

[**Azure AD Workload Identity**](https://github.com/Azure/azure-workload-identity) is the newer version of [**Azure AD Pod Identity**](https://github.com/Azure/aad-pod-identity). It lets your Kubernetes workloads access Azure resources using an
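Review bot: the new `provider:` line in this second YAML block gains `gcp`, which the line it replaces did not list, so the hunk is not purely a removal. That matches the block changed at line 92, but it deserves a mention in the commit message. The `identityId` comment under it also still refers to `azure`, which is no longer an accepted value.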
Expand Down Expand Up @@ -443,17 +425,4 @@ You can tell KEDA to use EKS Pod Identity Webhook via `podIdentity.provider`.
```yaml
podIdentity:
provider: aws-eks # Optional. Default: none
```

#### AWS Kiam Pod Identity

> [DEPRECATED: This will be removed in KEDA v2.15](https://github.com/kedacore/keda/discussions/5342)

[**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.

You can tell KEDA to use Kiam via `podIdentity.provider`.

```yaml
podIdentity:
provider: aws-kiam # Optional. Default: none
```
```
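Review bot: at the end of this hunk the closing fence of the `aws-eks` example appears to be removed together with the Kiam section, and an identical fence is added back as the last line (17 lines on the old side, 4 on the new). Identical text on both sides usually points to a trailing-whitespace or end-of-file newline difference; please check that `authentication.md` still ends with a newline and that the fence closes the `aws-eks` block cleanly.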
4 changes: 2 additions & 2 deletions content/docs/2.15/scalers/aws-cloudwatch.md
Expand Up @@ -58,7 +58,7 @@ triggers:
- `dimensionValue` - Supports specifying multiple dimension values by using ";" as a separator i.e. dimensionValue: queue1;queue2 (Optional, Required when `expression` is not specified)
- `expression` - Supports query with [expression](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-querylanguage.html) (Optional, Required when `dimensionName` & `dimensionValue` are not specified)

- `identityOwner` - Receive permissions for CloudWatch via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications)
- `identityOwner` - Receive permissions for CloudWatch via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` authentication)

> When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the CloudWatch. Additional Authentication Parameters are not required.

Expand All @@ -81,7 +81,7 @@ You can use `TriggerAuthentication` CRD to configure authentication by providing

**Role based authentication:**

- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth)
- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated and only applies for `aws-eks` authentication, for `aws` is set in the auth)

**Credential based authentication:**
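
Review bot: on the `awsRoleArn` bullet the new text fixes "deprecated only applies" but keeps the clause "for `aws` is set in the auth", which does not say what is set or where. Suggest spelling it out, for example that with the `aws` provider the role is given as `roleArn` under `podIdentity` in the `TriggerAuthentication`. The same sentence recurs in the other AWS scaler pages touched by this commit.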

6 changes: 3 additions & 3 deletions content/docs/2.15/scalers/aws-dynamodb-streams.md
Expand Up @@ -33,7 +33,7 @@ triggers:
- `tableName` - The target DynamoDB table to which the stream belongs.
- `shardCount` - The target value that a DynamoDB streams consumer can handle. (Default: `2`, Optional)
- `activationShardCount` - Target value for activating the scaler. Learn more about activation [here](./../concepts/scaling-deployments.md#activating-and-scaling-thresholds). (Default: `0`, Optional)
- `identityOwner` - Receive permissions on the DynamoDB and DynamoDB Streams via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications)
- `identityOwner` - Receive permissions on the DynamoDB and DynamoDB Streams via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` authentication)

> When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the DynamoDB and Dynamodb Streams. Additional Authentication Parameters are not required.

Expand All @@ -43,11 +43,11 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi

**Pod identity based authentication:**

- `podIdentity.provider` - Needs to be set to either `aws-kiam` or `aws-eks` on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.
- `podIdentity.provider` - Needs to be set on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.

**Role based authentication:**

- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth)
- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated and only applies for `aws-eks` authentication, for `aws` is set in the auth)

**Credential based authentication:**
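
Review bot: the rewritten `podIdentity.provider` bullet no longer says which values are valid; the old text named two, the new one only says it "Needs to be set". Suggest naming the remaining AWS providers (`aws` or `aws-eks`, per the provider list in `authentication.md`), otherwise a reader cannot tell from this page what to put there. The same bullet is changed the same way in `aws-dynamodb.md` and `aws-sqs.md`.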

6 changes: 3 additions & 3 deletions content/docs/2.15/scalers/aws-dynamodb.md
Expand Up @@ -45,7 +45,7 @@ triggers:
- `expressionAttributeNames` - one or more substitution tokens for attribute names in an expression. Defined as JSON.
- `keyConditionExpression` - the condition that specifies the key values for items to be retrieved by the Query action.
- `expressionAttributeValues` - one or more values that can be substituted in an expression. Defined as JSON.
- `identityOwner` - Receive permissions on the DynamoDB Table via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications)
- `identityOwner` - Receive permissions on the DynamoDB Table via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` authentication)

> When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the DynamoDB Table. Additional Authentication Parameters are not required.

Expand All @@ -55,11 +55,11 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi

**Pod identity based authentication:**

- `podIdentity.provider` - Needs to be set to either `aws-kiam` or `aws-eks` on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.
- `podIdentity.provider` - Needs to be set on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.

**Role based authentication:**

- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth)
- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated and only applies for `aws-eks` authentication, for `aws` is set in the auth)

**Credential based authentication:**

4 changes: 2 additions & 2 deletions content/docs/2.15/scalers/aws-kinesis.md
Expand Up @@ -33,7 +33,7 @@ triggers:
- `activationShardCount` - Target value for activating the scaler. Learn more about activation [here](./../concepts/scaling-deployments.md#activating-and-scaling-thresholds). (Default: `0`, Optional)
- `awsRegion` - AWS Region for the Kinesis Stream.
- `awsEndpoint` - Endpoint URL to override the default AWS endpoint. (Default: `""`, Optional)
- `identityOwner` - Receive permissions on the Kinesis Stream via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications)
- `identityOwner` - Receive permissions on the Kinesis Stream via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` authentication)

> When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the Kinesis Stream. Additional Authentication Parameters are not required.

Expand All @@ -45,7 +45,7 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi

**Role based authentication:**

- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth)
- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated and only applies for `aws-eks` authentication, for `aws` is set in the auth)

**Credential based authentication:**

8 changes: 4 additions & 4 deletions content/docs/2.15/scalers/aws-sqs.md
Expand Up @@ -40,7 +40,7 @@ triggers:
- `scaleOfDelayed` - Indication of whether or not to include delayed messages when calculating the number of SQS messages. (default: false, Optional)
- `awsRegion` - AWS Region for the SQS Queue.
- `awsEndpoint` - Endpoint URL to override the default AWS endpoint. (Default: `""`, Optional)
- `identityOwner` - Receive permissions on the SQS Queue via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications)
- `identityOwner` - Receive permissions on the SQS Queue via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` authentication)

> When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the SQS queue. Additional Authentication Parameters are not required.

Expand All @@ -50,11 +50,11 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi

**Pod identity based authentication:**

- `podIdentity.provider` - Needs to be set to either `aws-kiam` or `aws-eks` on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.
- `podIdentity.provider` - Needs to be set on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider.

**Role based authentication:**

- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth)
- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated and only applies for `aws-eks` authentication, for `aws` is set in the auth)

**Credential based authentication:**

Expand All @@ -76,7 +76,7 @@ metadata:
namespace: keda-test
spec:
podIdentity:
provider: aws-kiam # or aws-eks when using IRSA
provider: aws
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
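
Review bot: the example `TriggerAuthentication` changes from `provider: aws-kiam # or aws-eks when using IRSA` to a bare `provider: aws`, which drops the hint about `aws-eks` and switches the example to a different provider without comment. If `aws` is now the recommended choice, a short trailing comment saying so, and whether `roleArn` should be set alongside it, would keep the example self-explanatory.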