The token-injector-webhook is a Kubernetes mutating admission webhook that mutates any k8s Pod that runs under a specially annotated Kubernetes Service Account (see below) and is labeled with `admission.token-injector/enabled: "true"`.

To allow the Pod mutation process, the Pod needs to run under a k8s Service Account annotated as shown below:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_ROLE_NAME}
    iam.gke.io/gcp-service-account: ${IAM_SA_NAME}@${IAM_SA_PROJECT_ID}.iam.gserviceaccount.com
  name: ${KSA_NAME}
  namespace: application-namespace
```
This can also be done manually by invoking the following commands:

```sh
kubectl annotate serviceaccount ${KSA_NAME} \
  --namespace ${NAMESPACE} \
  iam.gke.io/gcp-service-account=${IAM_SA_NAME}@${IAM_SA_PROJECT_ID}.iam.gserviceaccount.com
```

and

```sh
kubectl annotate serviceaccount ${KSA_NAME} \
  --namespace ${NAMESPACE} \
  amazonaws.com/role-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_ROLE_NAME}
```
Read more.
An example k8s Pod definition that can be used to test the Kubernetes mutating admission webhook flow is shown below:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: application-namespace
  labels:
    admission.token-injector/enabled: "true" # required
spec:
  serviceAccountName: ${KSA_NAME} # required
  containers:
  - name: test-pod
    image: mikesir87/aws-cli
    command: ["tail", "-f", "/dev/null"]
```
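The two conditions above are worth keeping apart when reasoning about the webhook: the enable label is under the control of whoever creates the Pod, while the Service Account annotations are set by whoever administers the namespace, so the webhook has to look the Service Account up on the API server rather than trust anything in the Pod. The following Go snippet is an added example of that admission decision, not code from the token-injector-webhook project; the `ShouldMutate` function, the minimal object types and the requirement that both annotations be present are assumptions of this example.

```go
package main
import "encoding/json"
const (
	enabledLabel = "admission.token-injector/enabled" // Pod label, set by the Pod author
	awsRoleAnno  = "amazonaws.com/role-arn"           // SA annotation, set by a cluster admin
	gcpSAAnno    = "iam.gke.io/gcp-service-account"   // SA annotation, set by a cluster admin
)
type objectMeta struct { // only the fields the decision needs
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Labels      map[string]string `json:"labels"`
	Annotations map[string]string `json:"annotations"`
}
type pod struct {
	Metadata objectMeta `json:"metadata"`
	Spec     struct {
		ServiceAccountName string `json:"serviceAccountName"`
	} `json:"spec"`
}
type Decision struct { // whether the Pod qualifies, and which cloud identities its SA maps to
	Mutate                 bool
	AWSRole, GCPSA, Reason string
}
// ShouldMutate applies both README conditions: the enable label is "true" on the Pod, and the Service
// Account it runs under (saJSON, fetched by the webhook from the API server, never taken from the Pod)
// carries both identity annotations. Assumption: both annotations are required for a mutation.
func ShouldMutate(podJSON, saJSON []byte) (Decision, error) {
	var p pod
	var sa struct{ Metadata objectMeta `json:"metadata"` }
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return Decision{}, err
	}
	if err := json.Unmarshal(saJSON, &sa); err != nil {
		return Decision{}, err
	}
	if p.Metadata.Labels[enabledLabel] != "true" {
		return Decision{Reason: "enable label missing or not \"true\""}, nil
	}
	saName := p.Spec.ServiceAccountName
	if saName == "" {
		saName = "default" // Kubernetes default when the Pod names no Service Account
	}
	if sa.Metadata.Name != saName || sa.Metadata.Namespace != p.Metadata.Namespace {
		return Decision{Reason: "service account does not match the Pod's serviceAccountName"}, nil
	}
	aws, gcp := sa.Metadata.Annotations[awsRoleAnno], sa.Metadata.Annotations[gcpSAAnno]
	if aws == "" || gcp == "" {
		return Decision{Reason: "service account lacks the identity annotations"}, nil
	}
	return Decision{Mutate: true, AWSRole: aws, GCPSA: gcp}, nil
}
```

A real webhook would take `podJSON` from the AdmissionReview request object and fetch the Service Account with a client-go `Get`, then build a JSON patch only when `Mutate` is true.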