
Pod identity support for the node component in EKS managed addon #1759

@yann-soubeyrand

Description


Is your feature request related to a problem?/Why is this needed

In the documentation (https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/parameters.md) it is indicated that one can use the iam mount option to

Use the CSI Node Pod's IAM identity to authenticate with Amazon EFS.

However, the EKS EFS CSI driver managed addon does not seem to support configuring a pod identity for the node component, only for the controller component.

/feature

Describe the solution you'd like in detail

In addition to being able to configure a pod identity for the controller component when deploying the EKS EFS CSI driver managed addon, I’d like to be able to configure a pod identity for the node component as well.

Describe alternatives you've considered

Until this feature is available, one can manually add a pod identity association for the node component service account.

Additional context

We try to secure the access to our EFS filesystems as much as possible and so we mandate the use of IAM to mount a filesystem. We do so by using the following filesystem policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "arn:aws:elasticfilesystem:eu-west-1:<redacted>:file-system/fs-<redacted>",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "arn:aws:elasticfilesystem:eu-west-1:<redacted>:file-system/fs-<redacted>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "false"
                }
            }
        }
    ]
}

We then assign a policy to IAM roles to give access to the filesystem. In the case of the EFS CSI driver, we assign this policy to the node pod identity

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:eu-west-1:<redacted>:file-system/fs-<redacted>",
            "Effect": "Allow"
        }
    ]
}
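The two policies above only enforce IAM-based mounting if they are shaped exactly right: both Deny statements must apply to every principal and action, and the role policy must grant nothing beyond the two client actions on the single filesystem. The following checker is an added example (not from the issue or the aws-efs-csi-driver project) that reads policy documents as Python dicts and verifies both properties; the account and filesystem ids in the sample ARN are constructed placeholders, and all helper names are this example's own.

```python
# Constructed sample identifiers; the issue redacts its account and filesystem ids.
FS_ARN = "arn:aws:elasticfilesystem:eu-west-1:123456789012:file-system/fs-0123456789abcdef0"

def _deny_unless(cond_key):
    """Build a Deny-everything statement gated on a Bool condition key."""
    return {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
            "Resource": FS_ARN, "Condition": {"Bool": {cond_key: "false"}}}

# Constructed copies of the two policies shown in the issue.
FS_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny_unless("aws:SecureTransport"),
    _deny_unless("elasticfilesystem:AccessedViaMountTarget")]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
    "Resource": FS_ARN, "Effect": "Allow"}]}

def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def _denies_all_when(stmt, cond_key):
    # Deny for every principal and action, conditioned on cond_key being false.
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if "*" not in _as_list(stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get(cond_key, "")).lower() == "false"

def fs_policy_enforces_iam(policy):
    """True if non-TLS mounts and access outside a mount target are both denied."""
    stmts = _as_list(policy.get("Statement", []))
    tls_only = any(_denies_all_when(s, "aws:SecureTransport") for s in stmts)
    via_mt = any(_denies_all_when(s, "elasticfilesystem:AccessedViaMountTarget") for s in stmts)
    return tls_only and via_mt

def role_policy_is_least_privilege(policy, fs_arn):
    """True if every Allow grants only ClientMount/ClientWrite on exactly fs_arn
    (ClientRootAccess is intentionally not in the allowed set)."""
    allowed = {"elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"}
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        if not set(_as_list(s.get("Action", []))) <= allowed:
            return False
        if set(_as_list(s.get("Resource", []))) != {fs_arn}:
            return False
    return True
```

Run it against the output of `aws efs describe-file-system-policy` and the role policy attached to the node pod identity to catch a policy that drifted from this shape.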
