Fix AWS IAM Roles for Service Accounts permission

serialx · serialx · commit c97781a49dd3 · 2019-09-16T17:01:07.000+09:00
Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`. Unfortunately, external-dns runs as 'nobody' so it cannot access this file. External DNS is then unable to make any AWS API calls to work: ``` time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied" ``` See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html Below are the file permissions mounted on External DNS pod: ``` ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/ total 0 drwxrwxrwt 3 root root 100 Sep 11 06:40 . drwxr-xr-x 3 root root 28 Sep 11 06:40 .. drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token -rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token ``` This commit fixes this problem by specifying securityContext to make mounted volumes with 65534 (nobody) group ownership.
diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
@@ -159,6 +159,8 @@ spec:
         - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
         - --registry=txt
         - --txt-owner-id=my-hostedzone-identifier
+      securityContext:
+        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
 ```
 
 
