Feature: Natively Support IRSA on EKS Properly #200
Comments
|
@callum-tait-pbx Thank you so much for writing this up 🙏 I wasn't really sure what's happening on the mentioned issues until now. But after reading this, I got to think that this might be due to that how we mark a runner pod to be restarted: Perhaps we'd need to use some other criteria to mark runner pods to be restarted, so that it won't interfere with mutating webhooks - perhaps inject a pod spec hash into the runner pod annotations and compare that against the desired pod spec hash instead? |
|
Apologies for the late response, busy times at the moment! That would make a lot of sense to me.
I quite like idea |
|
Thanks for confirming! I'm going to work on this in the next few days |
One of the pod recreation conditions has been modified to use hash of runner spec, so that the controller does not keep restarting pods mutated by admission webhooks. This naturally allows us, for example, to use IRSA for EKS that requires its admission webhook to mutate the runner pod to have additional, IRSA-related volumes, volume mounts and env. Resolves #200
|
@callum-tait-pbx I'm working on this at #226 |
One of the pod recreation conditions has been modified to use hash of runner spec, so that the controller does not keep restarting pods mutated by admission webhooks. This naturally allows us, for example, to use IRSA for EKS that requires its admission webhook to mutate the runner pod to have additional, IRSA-related volumes, volume mounts and env. Resolves #200
One of the pod recreation conditions has been modified to use hash of runner spec, so that the controller does not keep restarting pods mutated by admission webhooks. This naturally allows us, for example, to use IRSA for EKS that requires its admission webhook to mutate the runner pod to have additional, IRSA-related volumes, volume mounts and env. Resolves #200
|
@callum-tait-pbx Could you try v0.15.0? There's also a small documentation about this feature at https://github.com/summerwind/actions-runner-controller#using-eks-iam-role-for-service-accounts for your reference. |
This has come up in a few issues so I thought it would be good to create a issue specifically tackling implementing support. Additionally, having this explicitly called out will help people who want to implement the project on EKS in the meantime.
Classing it as a feature as there is a workaround and the project doesn't say it was created specifically for EKS.
Problem
EKS IAM Roles for Service Accounts (IRSA) is how AWS have implemented support role based authentication for their managed K8s service, EKS. The implementation does some manipulation of pods automatically injecting a volume and some environment variables. This automagic results in the controller spinning up a pod that is not as it expects resulting in a terminate-create loop.
Workaround
The workaround is to explicitly set the yaml that normally gets injected so the controller expects it preventing it fromt freaking out and getting stuck in a terminate-create loop.
Expected Behaviour
Only IRSA needs to be configured https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html, the values should get automatically injected into the runner definitions and the controller should not freak out as a result.
Normally injected YAML once IRSA is configured on your cluster:
Existing Issues That Reference this Bug/Feature
#16
#37
The text was updated successfully, but these errors were encountered: