Add note about enabling external permissions for kOps addons

Apply suggestions from code review

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
Ole Markus With 2022-11-13 12:10:25 +01:00
parent d41ccbe18d
commit 2680788043
1 changed files with 13 additions and 1 deletions

@ -1528,7 +1528,19 @@ The `enableAWSOIDCProvider` configures AWS to trust the service account issuer t
authenticate service accounts for IAM Roles for Service Accounts (IRSA). In order for this to work,
the service account issuer discovery URL must be publicly readable.
kOps can provision AWS permissions for use by service accounts:
### IAM roles for addons
Most kOps addons that interact with the AWS API can use dedicated IAM roles. To enable this, add the following:
```
spec:
iam:
useServiceAccountExternalPermissions: true
```
### IAM roles for user-managed ServiceAccounts
kOps can provision AWS permissions for use by arbitrary service accounts:
```yaml
spec:
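Review bot: The new "IAM roles for addons" section does not say whether `useServiceAccountExternalPermissions: true` depends on the setup described in the context lines just above it (`enableAWSOIDCProvider` and a publicly readable service account issuer discovery URL). A reader who lands on this heading directly cannot tell what else must be configured, so add one sentence that states the prerequisite, or states that there is none. "Most kOps addons" is also too vague for a permissions setting: name the addons that get dedicated IAM roles, or link to a list, so operators can tell which ones do not. Minor: the fence that opens the new snippet is bare while the following one is tagged `yaml`; tag both the same way.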