-
Notifications
You must be signed in to change notification settings - Fork 175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot use wildcard (*) namespace in kops when using IRSA #237
Comments
Discussed this with @olemarkus in #kops-users slack channel and he feels that https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/pkg/cache/cache.go#L130 needs to check for both EDIT: I can provide the full cluster spec after redacting sensitive parts if needed. |
@kmala Do you know if there's anyone that could take a look at this? Thanks! |
the changes looks small as we want to support wild card for all namespaces and don't see any issue with supporting this. let me check if any one can work on it |
Awesome, thanks for checking! |
I can probably do the PR as well, but it will take a few days before I can find the time. |
Hi @kmala @olemarkus I was wondering if you might have some sort of update for this? We are actually waiting to adopt this feature, which is kinda blocked by this issue. |
🙏 @olemarkus. That would be greatly appreciated. Although, @kmala it looks like @olemarkus is no longer active - I don't see any commits since August in hit GH profile. Would you or anyone else be able to make this small fix? |
i am bit busy currently and hence can't commit to it but can help review the changes. Otherwise i will try to get this prioritized |
I am active, just working in other ways :) I have a few things with slightly higher priority, but I'll try to have something by tomorrow. |
Have a look at #251 |
What happened:
We are trying to use wildcard namespace feature in kops that came up with this PR kubernetes/kops#16113. Now using wildcard namespace in kops cluster manifest and then trying to create a pod that references the service account and IAM policy fails with this particular error in
pod-identity-webhook
logs:What you expected to happen: Pod to be mutated and contain the required policy/role.
How to reproduce it (as minimally and precisely as possible): in
kops
cluster manifest, we have this:Then we try to deploy an workload:
pod-identity-webhook complains with:
Anything else we need to know?:
When we change the "*" to any namespace (default) everything works just fine as expected.
Environment:
aws eks describe-cluster --name <name> --query cluster.version
): 1.24.16 (not EKS)v0.4.0
The text was updated successfully, but these errors were encountered: