Using EKS Pod Identity
To use EKS Pod Identity in your cluster, the EKS Pod Identity Agent addon must be installed on your EKS cluster. Let's install it using below command.
{ "addon": {"addonName": "eks-pod-identity-agent",
"clusterName": "eks-workshop",
"status": "CREATING",
"addonVersion": "v1.1.0-eksbuild.1",
"health": {"issues": []
},
"addonArn": "arn:aws:eks:us-west-2:1234567890:addon/eks-workshop/eks-pod-identity-agent/9ec6cfbd-8c9f-7ff4-fd26-640dda75bcea",
"createdAt": "2024-01-12T22:41:01.414000+00:00",
"modifiedAt": "2024-01-12T22:41:01.434000+00:00",
"tags": {}}
}
Now, take a look at what has been created in your EKS cluster by the new addon. You can see a DaemonSet deployed on the kube-system Namespace, which will run a Pod on each Node in our Cluster.
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
eks-pod-identity-agent 3 3 3 3 3 <none> 3d21h
NAME READY STATUS RESTARTS AGE
eks-pod-identity-agent-4tn28 1/1 Running 0 3d21h
eks-pod-identity-agent-hslc5 1/1 Running 0 3d21h
eks-pod-identity-agent-thvf5 1/1 Running 0 3d21h
An IAM role, which provides the required permissions for the carts service to read and write to DynamoDB table has been created when you ran the prepare-environment script in the first step of this module. You can view the policy as shown below.
{"Statement": [
{"Action": "dynamodb:*",
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:us-west-2:1234567890:table/eks-workshop-carts",
"arn:aws:dynamodb:us-west-2:1234567890:table/eks-workshop-carts/index/*"
],
"Sid": "AllAPIActionsOnCart"
}
],
"Version": "2012-10-17"
}
The role has also been configured with the appropriate trust relationship, which allows the EKS Service Principal to assume this role for Pod Identity. You can view it with the command below.
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Principal": {"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
Next, we will use Amazon EKS Pod Identity feature to associate an AWS IAM role to the Kubernetes service account that will be used by our deployment. To create the association, run the following command.
{ "association": {"clusterName": "eks-workshop",
"namespace": "carts",
"serviceAccount": "carts",
"roleArn": "arn:aws:iam::1234567890:role/eks-workshop-carts-dynamo",
"associationArn": "arn:aws::1234567890:podidentityassociation/eks-workshop/a-abcdefghijklmnop1",
"associationId": "a-abcdefghijklmnop1",
"tags": {},"createdAt": "2024-01-09T16:16:38.163000+00:00",
"modifiedAt": "2024-01-09T16:16:38.163000+00:00"
}
}
All that's left is to verify that the carts Deployment is using the carts Service Account.
Service Account: carts
With the Service Account verified, let's recycle the carts Pods.
deployment.apps/carts restarted
Waiting for deployment "carts" rollout to finish: 1 old replicas are pending termination...
deployment "carts" successfully rolled out
Now, let's verify if the DynamoDB permission issue that we had encountered has been resolved for carts application in the next section.