Adding Jitter and updating tests cases for token expiration jitter

aws · Mar 1, 2025 · 162e46e · 162e46e
1 parent 04fae22
commit 162e46e
Show file tree

Hide file tree

Showing 22 changed files with 55 additions and 61 deletions.
diff --git a/main.go b/main.go
@@ -21,6 +21,7 @@ import (
 	"crypto/x509/pkix"
 	goflag "flag"
 	"fmt"
+	"math/rand"
 	"net/http"
 	"os"
 	"strings"
@@ -46,6 +47,7 @@ import (
 )
 
 var webhookVersion = "v0.1.0"
+var random = rand.New(rand.NewSource(time.Now().UnixNano()))
 
 func main() {
 	port := flag.Int("port", 443, "Port to listen on")
@@ -208,6 +210,7 @@ func main() {
 	}
 
 	mod := handler.NewModifier(
+		random,
 		handler.WithAnnotationDomain(*annotationPrefix),
 		handler.WithMountPath(*mountPath),
 		handler.WithServiceAccountCache(saCache),

diff --git a/pkg/constants.go b/pkg/constants.go
@@ -18,7 +18,9 @@ const (
 	// 24hrs as that is max for EKS
 	MaxTokenExpiration = int64(86400)
 	// Default token expiration in seconds if none is defined, 22hrs
-	DefaultTokenExpiration = int64(79200)
+	DefaultTokenExpiration = int64(86400)
+	// Used for the minimum jitter value when using the default token expiration
+	DefaultMinTokenExpiration = int64(79200)
 	// 10mins is min for kube-apiserver
 	MinTokenExpiration = int64(600)
 

diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
@@ -86,12 +86,17 @@ func WithSALookupGraceTime(saLookupGraceTime time.Duration) ModifierOpt {
 }
 
 // NewModifier returns a Modifier with default values
-func NewModifier(opts ...ModifierOpt) *Modifier {
+func NewModifier(random *rand.Rand, opts ...ModifierOpt) *Modifier {
+	//if random == nil {
+	//	random = rand.New(rand.NewSource(time.Now().UnixNano()))
+	//}
+
 	mod := &Modifier{
 		AnnotationDomain: "eks.amazonaws.com",
 		MountPath:        "/var/run/secrets/eks.amazonaws.com/serviceaccount",
 		volName:          "aws-iam-token",
 		tokenName:        "token",
+		rand:             *random,
 	}
 	for _, opt := range opts {
 		opt(mod)
@@ -110,6 +115,7 @@ type Modifier struct {
 	volName                    string
 	tokenName                  string
 	saLookupGraceTime          time.Duration
+	rand                       rand.Rand
 }
 
 type patchOperation struct {
@@ -418,14 +424,7 @@ func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
 		regionalSTS, tokenExpiration := m.Cache.GetCommonConfigurations(pod.Spec.ServiceAccountName, pod.Namespace)
 		tokenExpiration, containersToSkip := m.parsePodAnnotations(pod, tokenExpiration)
 
-		if tokenExpiration == pkg.DefaultTokenExpiration {
-			klog.V(4).Infof("Adding jitter to default token expiration")
-			var err error
-			tokenExpiration, err = addJitter(tokenExpiration, 5, pkg.MinTokenExpiration, pkg.MaxTokenExpiration)
-			if err != nil {
-				klog.Errorf("Error adding jitter to default token expiration: %v", err)
-			}
-		}
+		tokenExpiration = m.addJitterToDefaultToken(tokenExpiration)
 		webhookPodCount.WithLabelValues("container_credentials").Inc()
 
 		return &podPatchConfig{
@@ -468,6 +467,7 @@ func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
 	klog.V(5).Infof("Value of roleArn after after cache retrieval for service account %s: %s", request.CacheKey(), response.RoleARN)
 	if response.RoleARN != "" {
 		tokenExpiration, containersToSkip := m.parsePodAnnotations(pod, response.TokenExpiration)
+		tokenExpiration = m.addJitterToDefaultToken(tokenExpiration)
 
 		webhookPodCount.WithLabelValues("sts_web_identity").Inc()
 
@@ -488,24 +488,13 @@ func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
 	return nil
 }
 
-func addJitter(val int64, jitterPercent int64, min int64, max int64) (int64, error) {
-	if max < min {
-		return val, error(fmt.Errorf("max value %d is less than min value %d, cannot add jitter", max, min))
+func (m *Modifier) addJitterToDefaultToken(tokenExpiration int64) int64 {
+	if tokenExpiration == pkg.DefaultTokenExpiration {
+		klog.V(0).Infof("Adding jitter to default token expiration")
+		tokenExpiration = m.rand.Int63n(pkg.DefaultTokenExpiration-pkg.DefaultMinTokenExpiration+int64(1)) + pkg.DefaultMinTokenExpiration
 	}
 
-	jitterFactor := float64(jitterPercent) / 100.0
-	jitterMin := int64(float64(val) - (float64(val) * jitterFactor))
-	if jitterMin < min {
-		jitterMin = min
-	}
-	jitterMax := int64(float64(val) + (float64(val) * jitterFactor))
-	if jitterMax > max {
-		jitterMax = max
-	}
-
-	valWithJitter := rand.Int63n(jitterMax - jitterMin + 1) + jitterMin
-
-	return valWithJitter, nil
+	return tokenExpiration
 }
 
 // MutatePod takes a AdmissionReview, mutates the pod, and returns an AdmissionResponse

diff --git a/pkg/handler/handler_pod_test.go b/pkg/handler/handler_pod_test.go
@@ -62,7 +62,7 @@ const (
 // buildModifierFromPod gets values to set up test case environments with as if
 // the values were set by service account annotation/flag before the test case.
 // Test cases are defined entirely by pod yamls.
-func buildModifierFromPod(pod *corev1.Pod) *Modifier {
+func buildModifierFromPod(pod *corev1.Pod, t *testing.T) *Modifier {
 	var modifierOpts []ModifierOpt
 
 	if path, ok := pod.Annotations[handlerMountPathAnnotation]; ok {
@@ -76,7 +76,7 @@ func buildModifierFromPod(pod *corev1.Pod) *Modifier {
 	modifierOpts = append(modifierOpts, WithServiceAccountCache(buildFakeCacheFromPod(pod)))
 	modifierOpts = append(modifierOpts, WithContainerCredentialsConfig(buildFakeConfigFromPod(pod)))
 
-	return NewModifier(modifierOpts...)
+	return NewModifier(getAlwaysZeroRand(t), modifierOpts...)
 }
 
 func buildFakeCacheFromPod(pod *corev1.Pod) *cache.FakeServiceAccountCache {
@@ -157,7 +157,7 @@ func TestUpdatePodSpec(t *testing.T) {
 			pod.Spec.ServiceAccountName = "default"
 
 			t.Run(fmt.Sprintf("Pod %s in file %s", pod.Name, path), func(t *testing.T) {
-				modifier := buildModifierFromPod(pod)
+				modifier := buildModifierFromPod(pod, t)
 				patchConfig := modifier.buildPodPatchConfig(pod)
 				patch, _ := modifier.getPodSpecPatch(pod, patchConfig)
 				patchBytes, err := json.Marshal(patch)

diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
@@ -19,10 +19,13 @@ import (
 	"bytes"
 	"encoding/json"
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/containercredentials"
+	mocks "github.com/aws/amazon-eks-pod-identity-webhook/pkg/mocks/math/rand"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 	"io"
 	"io/ioutil"
 	"k8s.io/apimachinery/pkg/types"
+	"math/rand"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -49,9 +52,11 @@ func TestMutatePod(t *testing.T) {
 	}
 
 	modifier := NewModifier(
+		getAlwaysZeroRand(t),
 		WithServiceAccountCache(cache.NewFakeServiceAccountCache(testServiceAccount)),
 		WithContainerCredentialsConfig(&containercredentials.FakeConfig{}),
 	)
+
 	cases := []struct {
 		caseName string
 		input    *v1beta1.AdmissionReview
@@ -105,6 +110,7 @@ func TestMutatePod(t *testing.T) {
 
 func TestMutatePod_MutationNotNeeded(t *testing.T) {
 	modifier := NewModifier(
+		getAlwaysZeroRand(t),
 		WithServiceAccountCache(cache.NewFakeServiceAccountCache()),
 		WithContainerCredentialsConfig(&containercredentials.FakeConfig{}),
 	)
@@ -180,22 +186,15 @@ func serializeAdmissionReview(t *testing.T, want *v1beta1.AdmissionReview) []byt
 	return wantedBytes
 }
 
-func TestAddJitterMinMax(t *testing.T) {
-	var (
-		min int64
-		max int64
-	)
-	min, max = 8, 11
-	for i := 0; i < 10; i++ {
-		jitter, err := addJitter(10, 1000, min, max)
-		assert.True(t, jitter >= min && jitter <= max)
-		assert.True(t, err == nil)
-	}
-}
+func getAlwaysZeroRand(t *testing.T) *rand.Rand {
+	// Mock random and always return 0
+	mockRandomSource := mocks.NewSource64(t)
+	mockRandomSource.On("Int63", mock.Anything).Return(int64(0))
+
+	mockRand := rand.New(mockRandomSource)
+	mockRand.Int63()
 
-func TestAddJitterMinGTMax(t *testing.T) {
-	_, err := addJitter(10, 1000, 11, 8)
-	assert.True(t, err != nil)
+	return mockRand
 }
 
 func TestModifierHandler(t *testing.T) {
@@ -208,6 +207,7 @@ func TestModifierHandler(t *testing.T) {
 	}
 
 	modifier := NewModifier(
+		getAlwaysZeroRand(t),
 		WithServiceAccountCache(cache.NewFakeServiceAccountCache(testServiceAccount)),
 		WithContainerCredentialsConfig(&containercredentials.FakeConfig{}),
 	)

diff --git a/pkg/handler/testdata/betaWindowsPodWithoutVolumes.pod.yaml b/pkg/handler/testdata/betaWindowsPodWithoutVolumes.pod.yaml
@@ -7,7 +7,7 @@ metadata:
     testing.eks.amazonaws.com/skip: "false"
     testing.eks.amazonaws.com/serviceAccount/roleArn: "arn:aws:iam::111122223333:role/s3-reader"
     testing.eks.amazonaws.com/serviceAccount/audience: "sts.amazonaws.com"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":86400,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"C:\\var\\run\\secrets\\eks.amazonaws.com\\serviceaccount\\token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":79200,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"C:\\var\\run\\secrets\\eks.amazonaws.com\\serviceaccount\\token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
 spec:
   containers:
   - image: amazonlinux

diff --git a/pkg/handler/testdata/containercredentials/rawPodSkip.pod.yaml b/pkg/handler/testdata/containercredentials/rawPodSkip.pod.yaml
@@ -9,7 +9,7 @@ metadata:
     testing.eks.amazonaws.com/containercredentials/mountPath: "/con-creds-mount-path"
     testing.eks.amazonaws.com/containercredentials/volumeName: "con-creds-volume-name"
     testing.eks.amazonaws.com/containercredentials/tokenPath: "con-creds-token-path"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":86400,"path":"con-creds-token-path"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"sidecar","image":"amazonlinux","resources":{}},{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":79200,"path":"con-creds-token-path"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"sidecar","image":"amazonlinux","resources":{}},{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
     # Pod Annotation
     eks.amazonaws.com/skip-containers: "sidecar"
 spec:

diff --git a/pkg/handler/testdata/containercredentials/rawPodWithVolume.pod.yaml b/pkg/handler/testdata/containercredentials/rawPodWithVolume.pod.yaml
@@ -10,7 +10,7 @@ metadata:
     testing.eks.amazonaws.com/containercredentials/mountPath: "/con-creds-mount-path"
     testing.eks.amazonaws.com/containercredentials/volumeName: "con-creds-volume-name"
     testing.eks.amazonaws.com/containercredentials/tokenPath: "con-creds-token-path"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes/0","value":{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":86400,"path":"con-creds-token-path"}}]}}},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes/0","value":{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":79200,"path":"con-creds-token-path"}}]}}},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
 spec:
   containers:
   - image: amazonlinux

diff --git a/pkg/handler/testdata/containercredentials/rawPodWithoutVolumes.pod.yaml b/pkg/handler/testdata/containercredentials/rawPodWithoutVolumes.pod.yaml
@@ -9,7 +9,7 @@ metadata:
     testing.eks.amazonaws.com/containercredentials/mountPath: "/con-creds-mount-path"
     testing.eks.amazonaws.com/containercredentials/volumeName: "con-creds-volume-name"
     testing.eks.amazonaws.com/containercredentials/tokenPath: "con-creds-token-path"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":86400,"path":"con-creds-token-path"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"con-creds-volume-name","projected":{"sources":[{"serviceAccountToken":{"audience":"con-creds-aud","expirationSeconds":79200,"path":"con-creds-token-path"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_CONTAINER_CREDENTIALS_FULL_URI","value":"con-creds-uri"},{"name":"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE","value":"/con-creds-mount-path/con-creds-token-path"}],"resources":{},"volumeMounts":[{"name":"con-creds-volume-name","readOnly":true,"mountPath":"/con-creds-mount-path"}]}]}]'
 spec:
   containers:
   - image: amazonlinux

diff --git a/pkg/handler/testdata/initPodNeedsRegion.pod.yaml b/pkg/handler/testdata/initPodNeedsRegion.pod.yaml
@@ -7,7 +7,7 @@ metadata:
     testing.eks.amazonaws.com/serviceAccount/roleArn: "arn:aws:iam::111122223333:role/s3-reader"
     testing.eks.amazonaws.com/serviceAccount/audience: "sts.amazonaws.com"
     testing.eks.amazonaws.com/handler/region: "seattle"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":86400,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_DEFAULT_REGION","value":"seattle"},{"name":"AWS_REGION","value":"seattle"},{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]},{"op":"add","path":"/spec/initContainers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_DEFAULT_REGION","value":"seattle"},{"name":"AWS_REGION","value":"seattle"},{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":79200,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_DEFAULT_REGION","value":"seattle"},{"name":"AWS_REGION","value":"seattle"},{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]},{"op":"add","path":"/spec/initContainers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_DEFAULT_REGION","value":"seattle"},{"name":"AWS_REGION","value":"seattle"},{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
 spec:
   initContainers:
   - image: amazonlinux

diff --git a/pkg/handler/testdata/rawPodHasSTS.pod.yaml b/pkg/handler/testdata/rawPodHasSTS.pod.yaml
@@ -8,7 +8,7 @@ metadata:
     testing.eks.amazonaws.com/serviceAccount/audience: "sts.amazonaws.com"
     testing.eks.amazonaws.com/handler/injectSTS: "true"
     testing.eks.amazonaws.com/handler/region: "cn-north-1"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":86400,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_REGION","value":"cn-northwest-1"},{"name":"AWS_STS_REGIONAL_ENDPOINTS","value":"regional"},{"name":"AWS_ROLE_ARN","value":"arn:aws-cn:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":79200,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_REGION","value":"cn-northwest-1"},{"name":"AWS_STS_REGIONAL_ENDPOINTS","value":"regional"},{"name":"AWS_ROLE_ARN","value":"arn:aws-cn:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
 spec:
   containers:
   - env: