Support for EKS Pod Identity #784
Comments
To build on @askulkarni2's comment above: Both EKS pod identity and IAM role for Service Account (IRSA) are not currently working with AWS for FluentBit. I tested an OpenSearch Ingestion Pipeline with AWS for FluentBit following the instructions at https://docs.aws.amazon.com/opensearch-service/latest/developerguide/configure-client-fluentbit.html. For http output, FluentBit seems to build the SIGv4 request from scratch. IRSA and Pod Identity are ignored and the code relies on
A temporary workaround was to set up the A change in upstream
I created the AWS credential providers for the Fluent Bit C plugins and docs: https://github.com/aws/aws-for-fluent-bit/blob/mainline/troubleshooting/debugging.md#credential-chain-resolution-issues

These are our different plugins: https://github.com/aws/aws-for-fluent-bit/blob/mainline/troubleshooting/debugging.md#aws-go-plugins-vs-aws-core-c-plugins

I'm new to EKS Pod Identities. It looks like the credentials are vended via a local agent that has an HTTP cred endpoint on a link-local IP: https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html

This is exactly the same as how ECS cred vending works AFAICT: https://aws.amazon.com/blogs/compute/under-the-hood-task-networking-for-amazon-ecs/

So it should be pretty simple to modify the HTTP credentials provider to support it: https://github.com/fluent/fluent-bit/blob/master/src/aws/flb_aws_credentials_http.c

I can't promise I'll work on this right now, but I agree that Fluent Bit should support all new EKS features.
Possibly related: aws/amazon-eks-pod-identity-webhook#216 (comment)
Took a look at the AWS SDK Go implementation and it's similar to the ECS credential provider with a few differences. It is in front of the ECS credential provider in the chain and selected based on the presence of
Any update? Seems like IRSAv2 is not working right now.
I am working on implementing support for EKS Pod Identity actively. I cannot promise a release date for it.
Thank you @PettitWesley for working on it.
@PettitWesley -- any update on this work? Thanks!
@PettitWesley Any update on this yet?
I'm also interested in this in order to get the Container Insights addon off of needing CloudWatch permissions on the instance profile and being able to use Pod Identity instead. This may require an update to fluent-bit upstream, see these linked issues
Thanks for that! Do you think it's worth putting a giant label on the README, so newbies like me don't spend hours on it :)
Describe the question/issue
Amazon EKS launched Pod Identity to simplify IAM configuration for pods. In order for AWS for Fluent Bit to support this, it will need to use an AWS SDK version that provides the new credential provider logic, available in >= v1.47.11.