Fix AWS IAM Roles for Service Accounts permission problem.

serialx · serialx · commit 729557ace98d · 2019-09-11T16:22:02.000+09:00
Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`. Unfortunately, external-dns runs as 'nobody' so it cannot access this file. External DNS is then unable to make any AWS API calls to work. See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html Below are the file permissions mounted on External DNS pod: ``` ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/ total 0 drwxrwxrwt 3 root root 100 Sep 11 06:40 . drwxr-xr-x 3 root root 28 Sep 11 06:40 .. drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token -rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token ```
diff --git a/Dockerfile b/Dockerfile
@@ -31,8 +31,4 @@ RUN apk add --no-cache ca-certificates && \
 
 COPY --from=builder /github.com/kubernetes-incubator/external-dns/build/external-dns /bin/external-dns
 
-# Run as UID for nobody since k8s pod securityContext runAsNonRoot can't resolve the user ID:
-# https://github.com/kubernetes/kubernetes/issues/40958
-USER 65534
-
 ENTRYPOINT ["/bin/external-dns"]
diff --git a/Dockerfile.mini b/Dockerfile.mini
@@ -29,8 +29,4 @@ FROM gcr.io/distroless/static
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /github.com/kubernetes-incubator/external-dns/build/external-dns /bin/external-dns
 
-# Run as UID for nobody since k8s pod securityContext runAsNonRoot can't resolve the user ID:
-# https://github.com/kubernetes/kubernetes/issues/40958
-USER 65534
-
 ENTRYPOINT ["/bin/external-dns"]
