Add support to install EKS Pod Identity Webhook

2022-02-20 18:12:52 +09:00 · 2022-02-20 18:12:52 +09:00 · c8710203ba
parent a8ceb305de
commit c8710203ba
15 changed files with 440 additions and 4 deletions
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@ -5268,6 +5268,13 @@ spec:
              podCIDR:
                description: PodCIDR is the CIDR from which we allocate IPs for pods
                type: string
+              podIdentityWebhook:
+                description: PodIdentityWebhook determines the EKS Pod Identity Webhook
+                  configuration.
+                properties:
+                  enabled:
+                    type: boolean
+                type: object
              project:
                description: Project is the cloud project we should use, required
                  on GCE
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@ -216,6 +216,13 @@ type ClusterSpec struct {
 	SnapshotController *SnapshotControllerConfig `json:"snapshotController,omitempty"`
 	// Karpenter defines the Karpenter configuration.
 	Karpenter *KarpenterConfig `json:"karpenter,omitempty"`
+	// PodIdentityWebhook determines the EKS Pod Identity Webhook configuration.
+	PodIdentityWebhook *PodIdentityWebhookConfig `json:"podIdentityWebhook,omitempty"`
+}
+
+// PodIdentityWebhookConfig configures an EKS Pod Identity Webhook.
+type PodIdentityWebhookConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
 }

 type KarpenterConfig struct {
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@ -213,6 +213,13 @@ type ClusterSpec struct {
 	SnapshotController *SnapshotControllerConfig `json:"snapshotController,omitempty"`
 	// Karpenter defines the Karpenter configuration.
 	Karpenter *KarpenterConfig `json:"karpenter,omitempty"`
+	// PodIdentityWebhook determines the EKS Pod Identity Webhook configuration.
+	PodIdentityWebhook *PodIdentityWebhookConfig `json:"podIdentityWebhook,omitempty"`
+}
+
+// PodIdentityWebhookConfig configures an EKS Pod Identity Webhook.
+type PodIdentityWebhookConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
 }

 type KarpenterConfig struct {
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -984,6 +984,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*PodIdentityWebhookConfig)(nil), (*kops.PodIdentityWebhookConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(a.(*PodIdentityWebhookConfig), b.(*kops.PodIdentityWebhookConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.PodIdentityWebhookConfig)(nil), (*PodIdentityWebhookConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig(a.(*kops.PodIdentityWebhookConfig), b.(*PodIdentityWebhookConfig), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*RBACAuthorizationSpec)(nil), (*kops.RBACAuthorizationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(a.(*RBACAuthorizationSpec), b.(*kops.RBACAuthorizationSpec), scope)
 	}); err != nil {
@ -2765,6 +2775,15 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.Karpenter = nil
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(kops.PodIdentityWebhookConfig)
+		if err := Convert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.PodIdentityWebhook = nil
+	}
 	return nil
 }

@ -3181,6 +3200,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.Karpenter = nil
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(PodIdentityWebhookConfig)
+		if err := Convert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.PodIdentityWebhook = nil
+	}
 	return nil
 }

@ -6689,6 +6717,26 @@ func Convert_kops_PackagesConfig_To_v1alpha2_PackagesConfig(in *kops.PackagesCon
 	return autoConvert_kops_PackagesConfig_To_v1alpha2_PackagesConfig(in, out, s)
 }

+func autoConvert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in *PodIdentityWebhookConfig, out *kops.PodIdentityWebhookConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig is an autogenerated conversion function.
+func Convert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in *PodIdentityWebhookConfig, out *kops.PodIdentityWebhookConfig, s conversion.Scope) error {
+	return autoConvert_v1alpha2_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in, out, s)
+}
+
+func autoConvert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig(in *kops.PodIdentityWebhookConfig, out *PodIdentityWebhookConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig is an autogenerated conversion function.
+func Convert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig(in *kops.PodIdentityWebhookConfig, out *PodIdentityWebhookConfig, s conversion.Scope) error {
+	return autoConvert_kops_PodIdentityWebhookConfig_To_v1alpha2_PodIdentityWebhookConfig(in, out, s)
+}
+
 func autoConvert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
 	return nil
 }
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@ -1267,6 +1267,11 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 		*out = new(KarpenterConfig)
 		**out = **in
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(PodIdentityWebhookConfig)
+		**out = **in
+	}
 	return
 }

@ -4765,6 +4770,22 @@ func (in *PackagesConfig) DeepCopy() *PackagesConfig {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodIdentityWebhookConfig) DeepCopyInto(out *PodIdentityWebhookConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodIdentityWebhookConfig.
+func (in *PodIdentityWebhookConfig) DeepCopy() *PodIdentityWebhookConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(PodIdentityWebhookConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RBACAuthorizationSpec) DeepCopyInto(out *RBACAuthorizationSpec) {
 	*out = *in
--- a/pkg/apis/kops/v1alpha3/cluster.go
+++ b/pkg/apis/kops/v1alpha3/cluster.go
@ -214,6 +214,13 @@ type ClusterSpec struct {
 	SnapshotController *SnapshotControllerConfig `json:"snapshotController,omitempty"`
 	// Karpenter defines the Karpenter configuration.
 	Karpenter *KarpenterConfig `json:"karpenter,omitempty"`
+	// PodIdentityWebhook determines the EKS Pod Identity Webhook configuration.
+	PodIdentityWebhook *PodIdentityWebhookConfig `json:"podIdentityWebhook,omitempty"`
+}
+
+// PodIdentityWebhookConfig configures an EKS Pod Identity Webhook.
+type PodIdentityWebhookConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
 }

 type KarpenterConfig struct {
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@ -984,6 +984,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*PodIdentityWebhookConfig)(nil), (*kops.PodIdentityWebhookConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(a.(*PodIdentityWebhookConfig), b.(*kops.PodIdentityWebhookConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.PodIdentityWebhookConfig)(nil), (*PodIdentityWebhookConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig(a.(*kops.PodIdentityWebhookConfig), b.(*PodIdentityWebhookConfig), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*RBACAuthorizationSpec)(nil), (*kops.RBACAuthorizationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(a.(*RBACAuthorizationSpec), b.(*kops.RBACAuthorizationSpec), scope)
 	}); err != nil {
@ -2648,6 +2658,15 @@ func autoConvert_v1alpha3_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.Karpenter = nil
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(kops.PodIdentityWebhookConfig)
+		if err := Convert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.PodIdentityWebhook = nil
+	}
 	return nil
 }

@ -3061,6 +3080,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha3_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.Karpenter = nil
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(PodIdentityWebhookConfig)
+		if err := Convert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.PodIdentityWebhook = nil
+	}
 	return nil
 }

@ -6439,6 +6467,26 @@ func Convert_kops_PackagesConfig_To_v1alpha3_PackagesConfig(in *kops.PackagesCon
 	return autoConvert_kops_PackagesConfig_To_v1alpha3_PackagesConfig(in, out, s)
 }

+func autoConvert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in *PodIdentityWebhookConfig, out *kops.PodIdentityWebhookConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig is an autogenerated conversion function.
+func Convert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in *PodIdentityWebhookConfig, out *kops.PodIdentityWebhookConfig, s conversion.Scope) error {
+	return autoConvert_v1alpha3_PodIdentityWebhookConfig_To_kops_PodIdentityWebhookConfig(in, out, s)
+}
+
+func autoConvert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig(in *kops.PodIdentityWebhookConfig, out *PodIdentityWebhookConfig, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	return nil
+}
+
+// Convert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig is an autogenerated conversion function.
+func Convert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig(in *kops.PodIdentityWebhookConfig, out *PodIdentityWebhookConfig, s conversion.Scope) error {
+	return autoConvert_kops_PodIdentityWebhookConfig_To_v1alpha3_PodIdentityWebhookConfig(in, out, s)
+}
+
 func autoConvert_v1alpha3_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
 	return nil
 }
--- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go
@ -1178,6 +1178,11 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 		*out = new(KarpenterConfig)
 		**out = **in
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(PodIdentityWebhookConfig)
+		**out = **in
+	}
 	return
 }

@ -4591,6 +4596,22 @@ func (in *PackagesConfig) DeepCopy() *PackagesConfig {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodIdentityWebhookConfig) DeepCopyInto(out *PodIdentityWebhookConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodIdentityWebhookConfig.
+func (in *PodIdentityWebhookConfig) DeepCopy() *PodIdentityWebhookConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(PodIdentityWebhookConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RBACAuthorizationSpec) DeepCopyInto(out *RBACAuthorizationSpec) {
 	*out = *in
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -286,6 +286,10 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 		}
 	}

+	if spec.PodIdentityWebhook != nil && spec.PodIdentityWebhook.Enabled {
+		allErrs = append(allErrs, validatePodIdentityWebhook(c, spec.PodIdentityWebhook, fieldPath.Child("podIdentityWebhook"))...)
+	}
+
 	return allErrs
 }

@ -1665,3 +1669,13 @@ func validateSnapshotController(cluster *kops.Cluster, spec *kops.SnapshotContro
 	}
 	return allErrs
 }
+
+func validatePodIdentityWebhook(cluster *kops.Cluster, spec *kops.PodIdentityWebhookConfig, fldPath *field.Path) (allErrs field.ErrorList) {
+	if spec != nil && spec.Enabled {
+		if !components.IsCertManagerEnabled(cluster) {
+			allErrs = append(allErrs, field.Forbidden(fldPath, "EKS Pod Identity Webhook requires that cert manager is enabled"))
+		}
+	}
+
+	return allErrs
+}
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@ -1275,6 +1275,11 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 		*out = new(KarpenterConfig)
 		**out = **in
 	}
+	if in.PodIdentityWebhook != nil {
+		in, out := &in.PodIdentityWebhook, &out.PodIdentityWebhook
+		*out = new(PodIdentityWebhookConfig)
+		**out = **in
+	}
 	return
 }

@ -4882,6 +4887,22 @@ func (in *PackagesConfig) DeepCopy() *PackagesConfig {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodIdentityWebhookConfig) DeepCopyInto(out *PodIdentityWebhookConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodIdentityWebhookConfig.
+func (in *PodIdentityWebhookConfig) DeepCopy() *PodIdentityWebhookConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(PodIdentityWebhookConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RBACAuthorizationSpec) DeepCopyInto(out *RBACAuthorizationSpec) {
 	*out = *in
--- a/pkg/model/iam/types.go
+++ b/pkg/model/iam/types.go
@ -52,10 +52,7 @@ func (b *IAMModelContext) IAMNameForServiceAccountRole(role Subject) (string, er
 	if !ok {
 		return "", fmt.Errorf("role %v does not have ServiceAccount", role)
 	}
-
-	name := serviceAccount.Name + "." + strings.ReplaceAll(serviceAccount.Namespace, "*", "wildcard") + ".sa." + b.ClusterName()
-	name = truncate.TruncateString(name, truncate.TruncateStringOptions{MaxLength: MaxLengthIAMRoleName, AlwaysAddHash: false})
-
+	name := IAMNameForServiceAccountRole(serviceAccount.Name, serviceAccount.Namespace, b.ClusterName())
 	return name, nil
 }

@ -63,3 +60,9 @@ func (b *IAMModelContext) IAMNameForServiceAccountRole(role Subject) (string, er
 func (b *IAMModelContext) ClusterName() string {
 	return b.Cluster.ObjectMeta.Name
 }
+
+func IAMNameForServiceAccountRole(name, namespace, clusterName string) string {
+	role := name + "." + strings.ReplaceAll(namespace, "*", "wildcard") + ".sa." + clusterName
+	role = truncate.TruncateString(role, truncate.TruncateStringOptions{MaxLength: MaxLengthIAMRoleName, AlwaysAddHash: false})
+	return role
+}
--- a/upup/models/BUILD.bazel
+++ b/upup/models/BUILD.bazel
@ -58,6 +58,7 @@ go_library(
        "cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template",
        "cloudup/resources/addons/gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml.template",
        "cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template",
+        "cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template",
    ],
    importpath = "k8s.io/kops/upup/models",
    visibility = ["//visibility:public"],
--- a/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
@ -0,0 +1,183 @@
+# sourced from https://github.com/aws/amazon-eks-pod-identity-webhook/tree/b19c295a269ad9de50b10e3a9cdc9ec1f7d48a19/deploy
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - list
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-identity-webhook
+subjects:
+- kind: ServiceAccount
+  name: pod-identity-webhook
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-identity-webhook
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - watch
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-identity-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-identity-webhook
+subjects:
+- kind: ServiceAccount
+  name: pod-identity-webhook
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: pod-identity-webhook
+  template:
+    metadata:
+      labels:
+        app: pod-identity-webhook
+    spec:
+      serviceAccountName: pod-identity-webhook
+      containers:
+      - name: pod-identity-webhook
+        image: olemarkus/amazon-eks-pod-identity-webhook:latest
+        imagePullPolicy: Always
+        command:
+        - /webhook
+        - --in-cluster=false
+        - --namespace=kube-system
+        - --service-name=pod-identity-webhook
+        - --annotation-prefix=eks.amazonaws.com
+        - --token-audience=amazonaws.com
+        - --logtostderr
+        - --watch-config-map
+        - --v=5
+        volumeMounts:
+        - name: cert
+          mountPath: "/etc/webhook/certs"
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          secretName: pod-identity-webhook-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  secretName: pod-identity-webhook-cert
+  commonName: "pod-identity-webhook.kube-system.svc"
+  dnsNames:
+  - "pod-identity-webhook"
+  - "pod-identity-webhook.kube-system"
+  - "pod-identity-webhook.kube-system.svc"
+  - "pod-identity-webhook.kube-system.svc.local"
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  issuerRef:
+    name: eks-pod-identity-webhook.addons.k8s.io
+    kind: Issuer
+---
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+  annotations:
+    cert-manager.io/inject-ca-from: kube-system/pod-identity-webhook
+webhooks:
+- name: pod-identity-webhook.amazonaws.com
+  failurePolicy: Fail
+  clientConfig:
+    service:
+      name: pod-identity-webhook
+      namespace: kube-system
+      path: "/mutate"
+  objectSelector:
+    matchExpressions:
+    - key: kops.k8s.io/managed-by
+      operator: NotIn
+      values:
+      - kops
+    - key: k8s-app
+      operator: NotIn
+      values:
+      - kube-apiserver
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  sideEffects: None
+  admissionReviewVersions: ["v1beta1"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: "https"
+    prometheus.io/scrape: "true"
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: pod-identity-webhook
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "443"
+    prometheus.io/scheme: "https"
+    prometheus.io/scrape: "true"
+data:
+  config: {{ PodIdentityWebhookConfigMapData }}
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
@ -710,6 +710,26 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*Addon
 		}
 	}

+	if b.Cluster.Spec.PodIdentityWebhook != nil && fi.BoolValue(&b.Cluster.Spec.PodIdentityWebhook.Enabled) {
+
+		key := "eks-pod-identity-webhook.addons.k8s.io"
+
+		{
+			id := "k8s-1.16"
+			location := key + "/" + id + ".yaml"
+
+			addons.Add(&channelsapi.AddonSpec{
+				Name: fi.String(key),
+				Selector: map[string]string{
+					"k8s-addon": key,
+				},
+				Manifest: fi.String(location),
+				Id:       id,
+				NeedsPKI: true,
+			})
+		}
+	}
+
 	if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS {
 		key := "storage-aws.addons.k8s.io"

--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@ -58,6 +58,7 @@ import (
 	"k8s.io/kops/pkg/kubemanifest"
 	"k8s.io/kops/pkg/model"
 	"k8s.io/kops/pkg/model/components/kopscontroller"
+	"k8s.io/kops/pkg/model/iam"
 	"k8s.io/kops/pkg/resources/spotinst"
 	"k8s.io/kops/pkg/wellknownports"
 	"k8s.io/kops/upup/pkg/fi"
@ -303,6 +304,8 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 		return karpenterInstanceTypes(tf.cloud.(awsup.AWSCloud), ig)
 	}

+	dest["PodIdentityWebhookConfigMapData"] = tf.podIdentityWebhookConfigMapData
+
 	return nil
 }

@ -763,6 +766,31 @@ func (tf *TemplateFunctions) architectureOfAMI(amiID string) string {
 	return "arm64"
 }

+type podIdentityWebhookMapping struct {
+	RoleARN         string
+	Audience        string
+	UseRegionalSTS  bool
+	TokenExpiration int64
+}
+
+func (tf *TemplateFunctions) podIdentityWebhookConfigMapData() (string, error) {
+	sas := tf.Cluster.Spec.IAM.ServiceAccountExternalPermissions
+	mappings := make(map[string]podIdentityWebhookMapping)
+	for _, sa := range sas {
+		if sa.AWS == nil {
+			continue
+		}
+		key := sa.Namespace + "/" + sa.Name
+		mappings[key] = podIdentityWebhookMapping{
+			RoleARN:        fmt.Sprintf("arn:%s:iam::%s:role/%s", tf.AWSPartition, tf.AWSAccountID, iam.IAMNameForServiceAccountRole(sa.Name, sa.Namespace, tf.ClusterName())),
+			Audience:       "amazonaws.com",
+			UseRegionalSTS: true,
+		}
+	}
+	jsonBytes, err := json.Marshal(mappings)
+	return fmt.Sprintf("%q", jsonBytes), err
+}
+
 func karpenterInstanceTypes(cloud awsup.AWSCloud, ig kops.InstanceGroupSpec) ([]string, error) {
 	var mixedInstancesPolicy *kops.MixedInstancesPolicySpec