Connect ServiceAccounts and AWS IAM roles

[mikkeloscar]

Currently the controller expects the AWS IAM roles to be created separately and available when pods are created. It would be nice to connect the AWS IAM role with a Kubernetes serviceAccounts and use the native service accounts as the only identity needed to be specified by a pod.

The way it would work is that users would specify a serviceAccount like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-application
  annotations:
    iam.amazonaws.com/role-policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "route53:*",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

The iam.amazonaws.com/role-policy would include an AWS IAM role policy for which the controller would automatically provision a AWS IAM role and provide it to the pod who specified the given serviceAccount in the pod spec.

This would not only keep the AWS identity and the Kubernetes identity connected it would also make things simpler for the user, e.g. they would not need to specify a trust relationship on the AWS IAM roles they are creating, as it would be done transparently.

In cases where an AWS IAM role already exists, it could just connect it to a serviceAccount like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-application
  annotations:
    iam.amazonaws.com/role: my-role-name

[mikkeloscar]

This idea is superseded by #13 because it's difficult to implement the serviceAccount solution in a non-racy.

#13 also adds other benefits over a serviceAccount approach, like better status reporting for users.

[mikkeloscar]

Closing this in favor of #13