An agent required by the EKS Pod Identity feature.
EKS Pod Identity is a feature of Amazon EKS that simplifies the process for cluster administrators to configure Kubernetes applications with AWS IAM permissions. A prerequisite for using the Pod Identity feature is running the Pod Identity Agent on the worker nodes. AWS recommends you install the Pod Identity Agent as an EKS Add-on. Alternatively, you can self-manage the add-on using the open source code in this repo, bake the agent into the worker node AMI, or use Helm to install the agent.
You can use AWS SDKs to receive temporary IAM permissions required to access various AWS services from your applications running on the EKS cluster. All AWS SDKs have a series of places (or sources) that they check, in order, to find valid credentials to use for a request to an AWS service. Once valid credentials are found, the search stops. This systematic search is called the default credential provider chain. For more information about the credential provider chain, refer to the AWS SDKs and Tools Reference Guide.
EKS Pod Identity has been added to the Container credential provider, which is searched as a step in the default credential provider chain. If your workloads currently use credentials that are earlier in the chain, then those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way, you can safely migrate from other types of credentials by creating the association first, before removing the old credentials.
The container credentials provider provides temporary credentials from an agent that runs on each worker node. In Amazon EKS, the agent is the EKS Pod Identity Agent and on Amazon Elastic Container Service (ECS) the agent is the amazon-ecs-agent. AWS SDKs use environment variables to locate the agent to connect to.
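The chain ordering described above, as an added example that is not part of this repo or of any AWS SDK: a small Go model of the two chain steps that matter for a Pod Identity migration. It assumes the standard SDK variable names (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY for the environment step, AWS_CONTAINER_CREDENTIALS_FULL_URI / AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE for the container step); Fetch stands in for the HTTP call the SDK makes to the agent, so the logic runs without a node.

```go
package main

import (
	"errors"
	"strings"
)

// Credentials carries the returned keys plus Source, the chain step that produced them.
type Credentials struct{ AccessKeyID, SecretAccessKey, Source string }

// Runtime abstracts what the SDK sees on the node so the chain runs anywhere (assumed
// shape, not an SDK type): ReadFile reads the per-pod token file and Fetch stands in for
// the GET to the agent that carries the token in the Authorization header.
type Runtime struct {
	Getenv   func(string) string
	ReadFile func(string) ([]byte, error)
	Fetch    func(uri, token string) (*Credentials, error)
}

// Resolve walks the relevant part of the SDK default credential provider chain in order:
// static keys in the environment are checked first and win, which is why a Pod Identity
// association can be created before the old keys are removed. Only when they are absent
// does the container provider (the step Pod Identity plugs into) contact the agent found
// via AWS_CONTAINER_CREDENTIALS_FULL_URI, authenticating with the token in the file
// named by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.
func Resolve(r Runtime) (*Credentials, error) {
	if id, secret := r.Getenv("AWS_ACCESS_KEY_ID"), r.Getenv("AWS_SECRET_ACCESS_KEY"); id != "" && secret != "" {
		return &Credentials{AccessKeyID: id, SecretAccessKey: secret, Source: "env"}, nil
	}
	uri := r.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
	if uri == "" {
		return nil, errors.New("no credential source configured")
	}
	raw, err := r.ReadFile(r.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"))
	if err != nil {
		return nil, err // agent advertised but token unreadable: fail, do not fall through
	}
	c, err := r.Fetch(uri, strings.TrimSpace(string(raw)))
	if err != nil {
		return nil, err
	}
	c.Source = "container"
	return c, nil
}
```

Checking Source after a deployment is a cheap way to confirm whether a workload has actually moved to Pod Identity or is still picking up older credentials earlier in the chain.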
Visit the EKS user guide to learn more about the Pod Identity feature.
Note
This fork adds the capability to chain an AssumeRole call before passing credentials to the requester. See pkg/extensions/chainrole for details.
`make build` builds the Linux binaries.
`make dev` runs the Pod Identity Agent locally.
`test`, `test-verbose`, `format`, `lint` and `vet` run the respective tests/tools and should be run before submitting a PR.
`make docker` builds an image using `docker buildx`.
`make push` gives an example of pushing the image to an AWS ECR repository.
Refer to the README.md in charts for Helm installation.
Update the following environment values in hack/dev/ds.yaml:
EKS_CLUSTER_NAME
AWS_REGION_NAME
Then run `kubectl apply -f hack/dev/ds.yaml`.
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.