
[Question/EKS] Pod Identity or IRSA instead of AssumeRole? #18

@gschaffer-cxn

Description

When deploying the plugin as a DaemonSet on EKS, you still need to configure the specific nodes with an IAM role. This is generally needed anyway for SSM management, EC2 security checks via GuardDuty, etc.

However, this means the following security risk:

  • The EC2 instance has an instance profile/IAM role named ManagedNode.
  • Likely due to the usage of VPC-CNI or the EKS Observability addon, the node will have extra policies attached that would not be necessary for the DaemonSet pod:
      • arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
      • arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

Would it be possible to allow the usage of either IRSA or Pod Identity (https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html)? They are both in the AWS SDK credential chain, and https://jfrog.com/help/r/jfrog-installation-setup-documentation/configure-the-eks-cluster-with-the-aws-policy-and-iam-role already supports it.
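The IRSA variant of what the issue asks for, as an added example that is not from the issue or from the plugin's repository: the DaemonSet runs under its own ServiceAccount annotated with a dedicated role, so the pod's SDK credential chain resolves that role through the projected token instead of falling through to the node's ManagedNode instance profile. The namespace, ServiceAccount name, image, account id and role name are placeholders assumed for the example.

```yaml
# Added example (not from the issue or the plugin): IRSA for a DaemonSet so the
# pod does not run with the node's ManagedNode instance profile.
# Names, account id and image below are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: plugin-agent                      # assumed name
  namespace: kube-system                  # assumed namespace
  annotations:
    # Dedicated role holding only the permissions the plugin itself needs,
    # not CloudWatchAgentServerPolicy or AmazonEKS_CNI_Policy.
    # Its trust policy must allow sts:AssumeRoleWithWebIdentity from the
    # cluster's OIDC provider, with the token "sub" pinned to
    # system:serviceaccount:kube-system:plugin-agent so no other pod can use it.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/PluginAgentRole  # placeholder
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: plugin-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: plugin-agent
  template:
    metadata:
      labels:
        app: plugin-agent
    spec:
      serviceAccountName: plugin-agent    # binds every pod of the DaemonSet to the role above
      containers:
        - name: agent
          image: example.invalid/plugin-agent:latest   # placeholder image
          # No static keys and no explicit AssumeRole from the node role: the EKS
          # pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
          # and mounts the projected token, which the default credential chain of
          # every AWS SDK tries before falling back to the instance profile on IMDS.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
```

IRSA only adds a higher-priority credential source; it does not by itself stop a pod from reaching IMDS for the node's credentials, so the instance metadata hop limit or a network policy is still what keeps the ManagedNode role out of the pod's reach.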
