Add eks pod identities

Author: stefanmcshane

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2949,6 +2949,35 @@ spec:
                 description: Partition is the AWS security partition being used. Defaults
                   to "aws"
                 type: string
+              podIdentityAssociations:
+                description: |-
+                  PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+                  This requires using the AWS EKS Addon for Pod Identity.
+                items:
+                  description: PodIdentityAssociation represents an association between
+                    a Kubernetes Service Account in a namespace, and an AWS IAM role
+                    which allows the service principal `pods.eks.amazonaws.com` in
+                    its trust policy.
+                  properties:
+                    serviceAccountName:
+                      description: ServiceAccountName is the name of the kubernetes
+                        Service Account within the namespace
+                      type: string
+                    serviceAccountNamespace:
+                      default: default
+                      description: ServiceAccountNamespace is the kubernetes namespace,
+                        which the kubernetes Service Account resides in. Defaults
+                        to "default" namespace.
+                      type: string
+                    serviceAccountRoleARN:
+                      description: RoleARN is the ARN of an IAM role which the Service
+                        Account can assume.
+                      type: string
+                  required:
+                  - serviceAccountName
+                  - serviceAccountNamespace
+                  type: object
+                type: array
               region:
                 description: The AWS Region the cluster lives in.
                 type: string

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml

@@ -882,6 +882,35 @@ spec:
                         description: Partition is the AWS security partition being
                           used. Defaults to "aws"
                         type: string
+                      podIdentityAssociations:
+                        description: |-
+                          PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+                          This requires using the AWS EKS Addon for Pod Identity.
+                        items:
+                          description: PodIdentityAssociation represents an association
+                            between a Kubernetes Service Account in a namespace, and
+                            an AWS IAM role which allows the service principal `pods.eks.amazonaws.com`
+                            in its trust policy.
+                          properties:
+                            serviceAccountName:
+                              description: ServiceAccountName is the name of the kubernetes
+                                Service Account within the namespace
+                              type: string
+                            serviceAccountNamespace:
+                              default: default
+                              description: ServiceAccountNamespace is the kubernetes
+                                namespace, which the kubernetes Service Account resides
+                                in. Defaults to "default" namespace.
+                              type: string
+                            serviceAccountRoleARN:
+                              description: RoleARN is the ARN of an IAM role which
+                                the Service Account can assume.
+                              type: string
+                          required:
+                          - serviceAccountName
+                          - serviceAccountNamespace
+                          type: object
+                        type: array
                       region:
                         description: The AWS Region the cluster lives in.
                         type: string

controlplane/eks/api/v1beta1/conversion.go

@@ -41,6 +41,7 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.VpcCni.Disable = r.Spec.DisableVPCCNI
 	dst.Spec.Partition = restored.Spec.Partition
 	dst.Spec.RestrictPrivateSubnets = restored.Spec.RestrictPrivateSubnets
+	dst.Spec.PodIdentityAssociations = restored.Spec.PodIdentityAssociations
 
 	return nil
 }

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -164,6 +164,11 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Addons *[]Addon `json:"addons,omitempty"`
 
+	// PodIdentityAssociations represent Kubernetes Service Accounts mapping to AWS IAM Roles without IRSA, using EKS Pod Identity.
+	// This requires using the AWS EKS Addon for Pod Identity.
+	// +optional
+	PodIdentityAssociations []PodIdentityAssociation `json:"podIdentityAssociations,omitempty"`
+
 	// OIDCIdentityProviderConfig is used to specify the oidc provider config
 	// to be attached with this eks cluster
 	// +optional

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -24,6 +24,7 @@ import (
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog/v2"
@@ -63,8 +64,10 @@ func (r *AWSManagedControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error
 // +kubebuilder:webhook:verbs=create;update,path=/validate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplane,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes,versions=v1beta2,name=validation.awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 // +kubebuilder:webhook:verbs=create;update,path=/mutate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplane,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes,versions=v1beta2,name=default.awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.Defaulter = &AWSManagedControlPlane{}
-var _ webhook.Validator = &AWSManagedControlPlane{}
+var (
+	_ webhook.Defaulter = &AWSManagedControlPlane{}
+	_ webhook.Validator = &AWSManagedControlPlane{}
+)
 
 func parseEKSVersion(raw string) (*version.Version, error) {
 	v, err := version.ParseGeneric(raw)
@@ -96,6 +99,7 @@ func (r *AWSManagedControlPlane) ValidateCreate() (admission.Warnings, error) {
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, validateNetwork(r.Spec)...)
 	allErrs = append(allErrs, validatePrivateDNSHostnameTypeOnLaunch(r.Spec)...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -132,6 +136,7 @@ func (r *AWSManagedControlPlane) ValidateUpdate(old runtime.Object) (admission.W
 	allErrs = append(allErrs, validateKubeProxy(r.Spec)...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, validatePrivateDNSHostnameTypeOnLaunch(r.Spec)...)
+	allErrs = append(allErrs, r.validServiceAccountName()...)
 
 	if r.Spec.Region != oldAWSManagedControlplane.Spec.Region {
 		allErrs = append(allErrs,
@@ -444,6 +449,28 @@ func validatePrivateDNSHostnameTypeOnLaunch(r AWSManagedControlPlaneSpec) field.
 	return allErrs
 }
 
+func (r *AWSManagedControlPlane) validServiceAccountName() field.ErrorList {
+	var allErrs field.ErrorList
+
+	if r.Spec.PodIdentityAssociations != nil {
+		for i, association := range r.Spec.PodIdentityAssociations {
+			associationPath := field.NewPath("spec", "podIdentityAssociations").Index(i)
+			if association.ServiceAccountName == "" {
+				allErrs = append(allErrs, field.Required(associationPath.Child("serviceAccountName"), "serviceAccountName is required"))
+			}
+
+			// kubernetes uses ValidateServiceAccountName internally, which maps to IsDNS1123Subdomain
+			// https://github.com/kubernetes/apimachinery/blob/d794766488ac2892197a7cc8d0b4b46b0edbda80/pkg/api/validation/generic.go#L68
+
+			if validationErrs := validation.IsDNS1123Subdomain(association.ServiceAccountName); len(validationErrs) > 0 {
+				allErrs = append(allErrs, field.Invalid(associationPath.Child("serviceAccountName"), association.ServiceAccountName, fmt.Sprintf("serviceAccountName is invalid: %v", validationErrs)))
+			}
+		}
+	}
+
+	return allErrs
+}
+
 func validateNetwork(r AWSManagedControlPlaneSpec) field.ErrorList {
 	var allErrs field.ErrorList
 

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go

@@ -52,6 +52,13 @@ const (
 	EKSAddonsConfiguredFailedReason = "EKSAddonsConfiguredFailed"
 )
 
+const (
+	// EKSPodIdentityAssociationConfiguredCondition condition reports on the successful reconciliation of EKS pod identity associations.
+	EKSPodIdentityAssociationConfiguredCondition clusterv1.ConditionType = "EKSPodIdentityAssociationConfigured"
+	// EKSPodIdentityAssociationFailedReason is used to report failures while reconciling the EKS pod identity associations.
+	EKSPodIdentityAssociationFailedReason = "EKSPodIdentityAssociationConfigurationFailed"
+)
+
 const (
 	// EKSIdentityProviderConfiguredCondition condition reports on the successful association of identity provider config.
 	EKSIdentityProviderConfiguredCondition clusterv1.ConditionType = "EKSIdentityProviderConfigured"

controlplane/eks/api/v1beta2/conditions_consts.go

@@ -294,3 +294,17 @@ type OIDCIdentityProviderConfig struct {
 	// +optional
 	Tags infrav1.Tags `json:"tags,omitempty"`
 }
+
+// PodIdentityAssociation represents an association between a Kubernetes Service Account in a namespace, and an AWS IAM role which allows the service principal `pods.eks.amazonaws.com` in its trust policy.
+type PodIdentityAssociation struct {
+	// ServiceAccountName is the name of the kubernetes Service Account within the namespace
+	// +kubebuilder:validation:Required
+	ServiceAccountName string `json:"serviceAccountName"`
+	// ServiceAccountNamespace is the kubernetes namespace, which the kubernetes Service Account resides in. Defaults to "default" namespace.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=default
+	ServiceAccountNamespace string `json:"serviceAccountNamespace"`
+	// RoleARN is the ARN of an IAM role which the Service Account can assume.
+	// +kubebuilder:validation:Required
+	RoleARN string `json:"serviceAccountRoleARN,omitempty"`
+}

controlplane/eks/api/v1beta2/types.go

@@ -432,7 +432,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("tag-key"),
 				Values: aws.StringSlice([]string{"sigs.k8s.io/cluster-api-provider-aws/cluster/test-cluster"}),
 			},
-		}})).Return(&ec2.DescribeRouteTablesOutput{
+		},
+	})).Return(&ec2.DescribeRouteTablesOutput{
 		RouteTables: []*ec2.RouteTable{
 			{
 				Routes: []*ec2.Route{
@@ -492,7 +493,8 @@ func mockedCallsForMissingEverything(ec2Rec *mocks.MockEC2APIMockRecorder, subne
 				Name:   aws.String("state"),
 				Values: aws.StringSlice([]string{ec2.VpcStatePending, ec2.VpcStateAvailable}),
 			},
-		}}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
+		},
+	}), gomock.Any()).Return(nil).MinTimes(1).MaxTimes(2)
 
 	ec2Rec.DescribeAddressesWithContext(context.TODO(), gomock.Eq(&ec2.DescribeAddressesInput{
 		Filters: []*ec2.Filter{
@@ -924,6 +926,12 @@ func mockedEKSCluster(g *WithT, eksRec *mock_eksiface.MockEKSAPIMockRecorder, ia
 		ClusterName: aws.String("test-cluster"),
 	}).Return(&eks.ListAddonsOutput{}, nil)
 
+	eksRec.ListPodIdentityAssociationsWithContext(context.TODO(), gomock.Eq(&eks.ListPodIdentityAssociationsInput{
+		ClusterName: aws.String("test-cluster"),
+	})).Return(&eks.ListPodIdentityAssociationsOutput{
+		Associations: []*eks.PodIdentityAssociationSummary{},
+	}, nil)
+
 	awsNodeRec.ReconcileCNI(gomock.Any()).Return(nil)
 	kubeProxyRec.ReconcileKubeProxy(gomock.Any()).Return(nil)
 	iamAuthenticatorRec.ReconcileIAMAuthenticator(gomock.Any()).Return(nil)