Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens
files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`.
Unfortunately, external-dns runs as 'nobody' so it cannot access this
file. External DNS is then unable to make any AWS API calls to work:
```
time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied"
```
See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Below are the file permissions mounted on External DNS pod:
```
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/
total 0
drwxrwxrwt 3 root root 100 Sep 11 06:40 .
drwxr-xr-x 3 root root 28 Sep 11 06:40 ..
drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
-rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
```
This commit fixes this problem by specifying securityContext to make
mounted volumes with 65534 (nobody) group ownership.
Tutorial specifies version >0.4 which also removed the requirement for a trailing period. New users could misunderstand the trailing dot as a significant syntax. Removing the dot simplifies the configuration of the annotation.
Introducing support for NodePort services might break cluster which
using RBAC
* allow external-dns to list nodes
Signed-off-by: Nick Jüttner <nick@zalando.de>
* update RBAC rules in docs
* update docs with split between rbac and non
* make deployment use new sa
* docs: correctly reference service account in CRB
* docs: correctly reference service account in CRB in other docs
* [aws-doc-update] docker image version and new arg aws-zone-type
* changes after review
* remove annotation for ingress
* docs: modify docs according to suggestions
* Add RecordTTL
* Route53: test for custom TTL
* Fix tests
* Fix remaining tests
* Add ttl when endpoint is created from ingress
* Missed a word
* Fix bad refactoring
* Add ingress custom TTL test
* gofmt
* Satisfy go-lint
* Unshadow `endpoint` in azure provider
* Fix and add an output test
* Add TTL for endpoints generated from service templates
* Take TTL into account when generating update plan
* Tests for TTL change impact on the plan
* Refactor factory method name
* Refactoring
* Run gofmt
* Make endpoint string format look like BIND config
* Update plan and plan_test
* Replace NewEndpointWithTTLValue with NewEndpointWithTTL in aws
* Remove NewEndpointWithTTLValue func
* Update references to TTL
* Remove getTTLValue func
* Handle merge conflict
* Update tests
* Update README, CHANGELOG and documentation
* Run gofmt
* Move getTTLFromAnnotations to a common file
* Refactor getTTLFromAnnotations
* Gofmt
* Add tests for getTTLFromAnnotations
* Trigger build
* Add boilerplate header
* Update README/CHANGELOG according to code review
* Add ttl.md and link it from README
* change CNAME string to endpoint.RecordTypeCNAME
* fix test cases with AWS ALIAS records, these do not behave different in these tests
* Support for multiple domains within --domain-filter
The parameter accepts a comma separated list of domains with or without trailing dot. Example: --domain-filter="example.org, company.test.,staging.com". Closes#247 and #229
* Add boilerplate header
* Add documentation for methods and structs
* use StringsVar for the domain-filter flag
* go fmt
* Remove camel case from tests
* Revert changes in README.md
* Move DomainFilter to provider package
* Make a new slice and copy elements to it
* Update CHANGELOG.md
* docs: change minor spelling mistake
* adjust docs before the v0.3.0 release
* minor fixes
* docs: add missing dot
* docs: add missing dot
* docs: drop line
* docs: drop another line
* adjust documentation
* update main readme
* checkbox for releases, add --txt-owner-id flag in description
* docs: minor weird character fixes [ci skip]
* feat(aws): support hostnames as endpoint targets
* docs: describe how to run ExternalDNS on AWS
* docs: update changelog with CNAME feature
* docs: update changelog to include AWS documentation
* fix(aws): test that updating records removes the old value
* feat(google): add CNAME support to Google provider
* fix(source): sanitize source and target hostnames
* docs: update changelog to include latest changes
* docs(aws): mention that ExternalDNS takes full ownership of a hosted zone
* fix(aws): switch route53 tests to use endpoint pointers
* docs: add TODO to remove record filtering once ownership is in place
