by sleepybrett
2817 days ago
We've been using kube2iam for this for a couple of years. You just create a role and give it an assume role policy that allows the node to assume it. Then annotate your pod w/ the role ARN. When they make a call to get their instance profile you get the role instead. It's a little annoying in that your pod code thinks it's making a metadata call (which is super super fast), but what is actually happening is kube2iam intercepted that and will make a sts:assumerole call... which takes forever. So people just need to set their timeout a little higher than normal. https://github.com/jtblin/kube2iam
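
The setup described in the comment above, as an added configuration sketch that is not part of the original comment or the kube2iam project. The account ID, role names and image are placeholders, and the timeout variables are the ones read by the AWS CLI and botocore-based SDKs (other SDKs use their own settings).

```yaml
# File 1 (CloudFormation fragment): the role the pod should receive.
# Its trust policy lets the node's instance role assume it, which is
# what kube2iam does on the pod's behalf.
Resources:
  PodAppRole:                        # hypothetical logical name
    Type: AWS::IAM::Role
    Properties:
      RoleName: pod-app-role         # hypothetical role name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Placeholder: ARN of the worker nodes' instance role.
              # Trust only that role, not the whole account.
              AWS: arn:aws:iam::111122223333:role/k8s-node-role
            Action: sts:AssumeRole
---
# File 2 (Kubernetes manifest): the pod, annotated with the role ARN.
apiVersion: v1
kind: Pod
metadata:
  name: app
  annotations:
    # Annotation key kube2iam looks for by default.
    iam.amazonaws.com/role: arn:aws:iam::111122223333:role/pod-app-role
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      env:
        # The intercepted metadata call is backed by an STS call, so give
        # the SDK more than its default one-second, single-attempt budget.
        - name: AWS_METADATA_SERVICE_TIMEOUT
          value: "5"
        - name: AWS_METADATA_SERVICE_NUM_ATTEMPTS
          value: "3"
```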