IAM Roles for Kaniko Service Accounts
The information below applies when Amazon ECR is used as the Docker container registry. Make sure that IRSA (IAM Roles for Service Accounts) is enabled and amazon-eks-pod-identity-webhook is deployed according to the Associate IAM Roles With Service Accounts documentation.
The "build-image-kaniko" stage manages ECR through IRSA, which must be available on the cluster. Follow the steps below to create the required role:
- Create the AWS IAM policy `AWSIRSA<CLUSTER_NAME><EDP_NAMESPACE>Kaniko_policy`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr:*",
          "cloudtrail:LookupEvents"
        ],
        "Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/<EDP_NAMESPACE>/*"
      },
      {
        "Effect": "Allow",
        "Action": "ecr:GetAuthorizationToken",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecr:DescribeRepositories",
          "ecr:CreateRepository"
        ],
        "Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/*"
      }
    ]
  }
  ```

  The first statement grants `ecr:*`, that is every ECR action including image and repository deletion, on the repositories under the `<EDP_NAMESPACE>/` prefix; if your policy review requires least privilege, narrow it to the push and pull actions the stage actually uses. `ecr:GetAuthorizationToken` must stay on `"Resource": "*"` because it has no resource-level permissions. The same holds for `cloudtrail:LookupEvents`: listed in a statement scoped to an ECR repository ARN it is not actually granted, so if the stage needs it, move it to a statement whose `Resource` is `"*"`.
- Create the AWS IAM role `AWSIRSA<CLUSTER_NAME><EDP_NAMESPACE>Kaniko` with the following trust relationship:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:edp:edp-kaniko"
          }
        }
      }
    ]
  }
  ```

  `<OIDC_PROVIDER>` is the cluster's OIDC issuer URL without the `https://` scheme. The `sub` condition is what limits the role to a single Kubernetes identity: it hardcodes the `edp` namespace and the `edp-kaniko` service account, so change it if KubeRocketCI is installed into a different namespace. AWS additionally recommends constraining the token audience with a second condition, `"<OIDC_PROVIDER>:aud": "sts.amazonaws.com"`, so that projected tokens minted for another audience cannot assume the role.
- Attach the `AWSIRSA<CLUSTER_NAME><EDP_NAMESPACE>Kaniko_policy` policy to the `AWSIRSA<CLUSTER_NAME><EDP_NAMESPACE>Kaniko` role.
- Set the resulting role ARN as the `kaniko.roleArn` parameter in `values.yaml` during the KubeRocketCI installation.
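The whole procedure as one shell script, added here as an example and not taken from the KubeRocketCI project: it renders both policy documents from the placeholders above, creates the policy and the role with the AWS CLI, attaches one to the other and prints the ARN to put into `kaniko.roleArn`. The account id, region, cluster name and OIDC provider id are assumed placeholder values, the service account defaults to `edp-kaniko` in namespace `edp` as in the documented trust policy, and the `aud` condition plus the `kubectl` annotation check are additions beyond what the page shows.

```shell
#!/bin/sh
# Added example, not part of the KubeRocketCI docs: create the Kaniko IRSA role
# with the AWS CLI. Account id, region, cluster name and OIDC provider id are
# placeholder assumptions; export real values and run with APPLY=1 to apply.
set -eu

AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"
AWS_REGION="${AWS_REGION:-eu-central-1}"
CLUSTER_NAME="${CLUSTER_NAME:-demo}"
EDP_NAMESPACE="${EDP_NAMESPACE:-edp}"
SA_NAME="${SA_NAME:-edp-kaniko}"

POLICY_NAME="AWSIRSA${CLUSTER_NAME}${EDP_NAMESPACE}Kaniko_policy"
ROLE_NAME="AWSIRSA${CLUSTER_NAME}${EDP_NAMESPACE}Kaniko"

# The OIDC provider is the cluster's issuer URL without the https:// scheme.
lookup_oidc_provider() {
  aws eks describe-cluster --name "$CLUSTER_NAME" --region "$AWS_REGION" \
    --query cluster.identity.oidc.issuer --output text | sed 's#^https://##'
}

if [ -z "${OIDC_PROVIDER:-}" ]; then
  if [ "${APPLY:-0}" = "1" ]; then
    OIDC_PROVIDER=$(lookup_oidc_provider)
  else
    # Assumed placeholder id so the documents can be rendered offline.
    OIDC_PROVIDER="oidc.eks.${AWS_REGION}.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
  fi
fi

# Permissions policy with the same statements as the documented one.
render_permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecr:*", "cloudtrail:LookupEvents"],
      "Resource": "arn:aws:ecr:${AWS_REGION}:${AWS_ACCOUNT_ID}:repository/${EDP_NAMESPACE}/*"
    },
    { "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": ["ecr:DescribeRepositories", "ecr:CreateRepository"],
      "Resource": "arn:aws:ecr:${AWS_REGION}:${AWS_ACCOUNT_ID}:repository/*"
    }
  ]
}
EOF
}

# Trust policy: only the Kaniko service account's projected token may assume
# the role. The aud condition is an addition to the documented policy (AWS
# recommends it) so tokens minted for another audience are rejected.
render_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${EDP_NAMESPACE}:${SA_NAME}",
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Creates the policy and the role, attaches them and prints the role ARN.
create_kaniko_role() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(render_permissions_policy)" \
    --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(render_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# After the KubeRocketCI install, confirm the chart annotated the service
# account: the pod identity webhook keys on this annotation.
verify_sa_annotation() {
  kubectl -n "$EDP_NAMESPACE" get sa "$SA_NAME" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'
}

if [ "${APPLY:-0}" = "1" ]; then
  role_arn=$(create_kaniko_role)
  # Put the printed value into values.yaml as:  kaniko: { roleArn: <arn> }
  echo "kaniko.roleArn: $role_arn"
else
  render_permissions_policy   # dry run: only show what would be created
  render_trust_policy
fi
```

Without `APPLY=1` the script only prints the two rendered documents, which is a convenient way to review the `sub`, `aud` and repository ARNs before anything is created; once the chart is installed, `verify_sa_annotation` should print the same ARN that was set in `kaniko.roleArn`.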