Add webhook notes + some docs changes

This commit is contained in:
Ole Markus With 2022-03-04 20:07:49 +01:00
parent 52fdf77f6a
commit 9b934ea153
3 changed files with 26 additions and 19 deletions

@ -224,6 +224,28 @@ spec:
memoryRequest: 32Mi
cpuRequest: 10m
```
#### Pod Identity Webhook
{{ kops_feature_table(kops_added_default='1.23') }}
When using [IAM roles for Service Accounts](/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa) (IRSA), Pods require an additinal token to authenticate with the AWS API. In addition, the SDK requires specific environment variables set to make use of these tokens. This addon will mutate Pods configured to use IRSA so that users do not need to do this themselves.
All ServiceAccounts configured with AWS privileges in the Cluster spec will automatically be mutated to assume the configured role.
```yaml
spec:
certManager:
enabled: true
podIdentityWebhook:
enabled: true
```
The EKS annotations on ServiceAccounts are typically not necessary as kOps will configure the webhook with all ServiceAccount to role mapping configured in the Cluster spec. But if you need specific configuration, you may annotate the ServiceAccount, overriding the kOps configuration.
Read more about Pod Identity Webhook in the [official documentation](https://github.com/aws/amazon-eks-pod-identity-webhook).
#### Snapshot controller
{{ kops_feature_table(kops_added_default='1.21', k8s_min='1.20') }}
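Review bot: the paragraph that says annotating a ServiceAccount overrides the kOps configuration should state what the override does and does not grant: the annotation changes which role ARN the webhook injects into the Pod, it does not change which ServiceAccounts the IAM role trusts, so a reader should not take "overriding the kOps configuration" as a way to hand a Pod a role the Cluster spec never mapped. Two wording fixes in the same section: "an additinal token" should be "an additional token", and "all ServiceAccount to role mapping configured in the Cluster spec" reads better as "all ServiceAccount-to-role mappings configured in the Cluster spec".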
@ -247,23 +269,6 @@ spec:
enabled: true
```
#### EKS Pod Identity Webhook
{{ kops_feature_table(kops_added_default='1.24') }}
kOps can install EKS Pod Identity Webhook for IAM Role for Service Accounts.
You need to enable cert-manager to use this feature.
```yaml
spec:
certManager:
enabled: true
podIdentityWebhook:
enabled: true
```
Read more about EKS Pod Identity Webhook in the [official documentation](https://github.com/aws/amazon-eks-pod-identity-webhook).
## Custom addons
The command `kops create cluster` does not support specifying addons to be added to the cluster when it is created. Instead they can be added after cluster creation using kubectl. Alternatively when creating a cluster from a yaml manifest, addons can be specified using `spec.addons`.
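Review bot: the removed section carried an explicit requirement, "You need to enable cert-manager to use this feature.", which the replacement section earlier in the file only implies through the `certManager: enabled: true` lines in its YAML; carry that sentence over, or say what happens when `podIdentityWebhook` is enabled without `certManager`, so the dependency is not silently lost. The removed feature table also said kops_added_default='1.24' while the new section says '1.23'; confirm which kOps release the addon first shipped in so the docs do not contradict the previous text.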

@ -1458,3 +1458,5 @@ spec:
}
]
```
To configure Pods to assume the given IAM roles, enable the [Pod Identity Webhook](/addons/#pod-identity-webhook). Without this webhook, you need to modify your Pod specs yourself for your Pod to assume the defined roles.
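Review bot: "you need to modify your Pod specs yourself" leaves the opt-out path undefined; name what the webhook would otherwise inject, that is the projected ServiceAccount token volume and the environment variables the AWS SDK reads (`AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, documented in the upstream webhook README linked from the addons page), or link to that README, so a reader who cannot run cert-manager can still wire IRSA by hand. Also "the given IAM roles" should refer back to the spec example above, e.g. "the IAM roles defined in the Cluster spec".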

@ -6,14 +6,14 @@ This is a document to gather the release notes prior to the release.
# Significant changes
## Other significant changes
* If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is
being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name and
managed subnets will be configured to launch instances with Resource Based Names.
* Support for [ShutdownGracePeriod and ShutdownGracePeriodCriticalPods](https://kubernetes.io/blog/2021/04/21/graceful-node-shutdown-beta/). By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
* By enabling the [pod identity webhook](https://kops.sigs.k8s.io/addons/#pod-identity-webhook), you no longer need to modify your Pod specs to assume IAM roles.
# Breaking changes
* Support for Kubernetes version 1.17 has been removed.
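Review bot: the new pod identity webhook bullet reads as though the webhook is on by default; say that it is an opt-in addon (`spec.podIdentityWebhook.enabled: true`) and that it requires cert-manager to be enabled, matching the addons page this commit adds, otherwise users upgrading will expect their Pod specs to stop needing changes without doing anything. While here, "if the Kubernetes version is above 1.21" in the ShutdownGracePeriod bullet is ambiguous about whether 1.21 itself is included; "1.21 or later" or "later than 1.21" would settle it.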