Containers-roadmap: [EKS] [request]: Support TokenRequestProjection

Created on 4 Apr 2019 · 5 Comments · Source: aws/containers-roadmap

Tell us about your request
Kubernetes 1.12 moved TokenRequestProjection into beta, but this feature does not appear to be enabled in EKS 1.12. Can you please enable it?

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I would like to use TokenRequestProjection to get a token bound to the specific pod. I can then use this token with other external services to prove pod identity.

Are you currently working around this issue?
It is very hard to prove pod identity without this feature.

Additional context
It looks like #23 mentions building off of TokenRequestProjection to provide IAM roles per pod. So it would make sense to enable this feature so that #23 can use it as well.

I attempted to test this feature with EKS 1.12 by running the example pod described here: https://kubernetes.io/docs/concepts/storage/volumes/#projected

apiVersion: v1
kind: Pod
metadata:
  name: sa-token-test
spec:
  containers:
  - name: container-test
    image: busybox
    volumeMounts:
    - name: token-vol
      mountPath: "/service-account"
      readOnly: true
  volumes:
  - name: token-vol
    projected:
      sources:
      - serviceAccountToken:
          audience: api
          expirationSeconds: 3600
          path: token

It gave me the following error:

MountVolume.SetUp failed for volume "token-vol" : failed to fetch token: the server could not find the requested resource

Attachments

EKS Proposed
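
One way an external service could check the pod identity described in the request above, as an added example that is not part of the original issue or of any AWS or Kubernetes code: it submits the projected token to the cluster's TokenReview API with its own audience and reads the pod binding from the response. The function names and the sample responses are constructed for illustration.

```python
AUDIENCE = "api"  # same value as `audience: api` in the pod spec above


def build_token_review(token, audience=AUDIENCE):
    """Body to POST to /apis/authentication.k8s.io/v1/tokenreviews."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token, "audiences": [audience]},
    }


def pod_identity(review, audience=AUDIENCE):
    """Return (identity, None) when the reviewed token is valid for our
    audience and bound to a pod, otherwise (None, reason)."""
    status = review.get("status", {})
    # The API server has already checked signature, expiry and bound object.
    if not status.get("authenticated"):
        return None, status.get("error", "not authenticated")
    # Reject tokens minted for a different service.
    if audience not in status.get("audiences", []):
        return None, "token not valid for audience %r" % audience
    user = status.get("user", {})
    extra = user.get("extra", {})
    pod = extra.get("authentication.kubernetes.io/pod-name", [])
    uid = extra.get("authentication.kubernetes.io/pod-uid", [])
    if not pod or not uid:
        return None, "token is not bound to a pod"
    return {"serviceaccount": user.get("username"),
            "pod": pod[0], "pod_uid": uid[0]}, None


# Constructed sample responses, not captured from a real cluster.
SA = "system:serviceaccount:default:default"
BOUND = {"status": {"authenticated": True, "audiences": ["api"], "user": {
    "username": SA, "extra": {
        "authentication.kubernetes.io/pod-name": ["sa-token-test"],
        "authentication.kubernetes.io/pod-uid": ["00000000-0000-0000-0000-000000000001"]}}}}
UNBOUND = {"status": {"authenticated": True, "audiences": ["api"],
                      "user": {"username": SA}}}
REJECTED = {"status": {"authenticated": False, "error": "constructed: token rejected"}}

if __name__ == "__main__":
    print(build_token_review("<projected token>"))
    for name, review in [("bound", BOUND), ("unbound", UNBOUND), ("rejected", REJECTED)]:
        print(name, pod_identity(review))
```

The unbound case is the one to watch: a token that authenticates but carries no pod binding identifies only the service account, not a specific pod.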

All 5 comments

Hi @wadey, do you know if EKS has supported TokenRequestProjection?

How do we enable TokenRequestProjection in EKS? AWS has k8s 1.13 on EKS, but I am not clear how to get this enabled.

@pssayi The apiserver is managed by AWS, so they should be the ones who enable this feature.

Hello all,

TokenRequestProjection was enabled in EKS along with the release of IAM Roles For Service Accounts (it was a big part of making that feature work), for any new cluster with k8s version 1.13 and above.

https://github.com/aws/containers-roadmap/issues/23

Closing this request.

I just tried to deploy istio-1.3 to an EKS cluster v1.14, and I got this error:
MountVolume.SetUp failed for volume "istio-token" : pod request ServiceAccountToken projection but the TokenRequestProjection feature was not enabled
Are you sure that TokenRequestProjection is enabled in EKS?!
