mirror of
https://github.com/kubernetes-sigs/external-dns.git
synced 2025-08-06 17:46:57 +02:00
Amazon EKS supports IAM Roles for Service Accounts. It mounts token files at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`. Unfortunately, external-dns runs as 'nobody', so it cannot access this file. External DNS is then unable to make any AWS API calls and cannot work:

```
time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied"
```

See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html

Below are the file permissions mounted on the External DNS pod:

```
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/
total 0
drwxrwxrwt 3 root root 100 Sep 11 06:40 .
drwxr-xr-x 3 root root  28 Sep 11 06:40 ..
drwxr-xr-x 2 root root  60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root  31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root  12 Sep 11 06:40 token -> ..data/token
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
-rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
```

This commit fixes this problem by specifying a securityContext to give mounted volumes 65534 (nobody) group ownership.
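The manifest below is an added example, not code from the external-dns project or from this commit. It shows the pod-level `securityContext` the commit message describes (`fsGroup: 65534`) next to the IRSA ServiceAccount annotation that makes EKS inject the web-identity token in the first place. The namespace, role ARN, image tag, domain filter and owner ID are placeholders; only the `eks.amazonaws.com/role-arn` annotation key and the external-dns flags are real.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: default          # assumed namespace
  annotations:
    # Assumed role ARN: an IAM role whose trust policy allows the cluster's OIDC provider.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/external-dns
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: default          # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      securityContext:
        # Without fsGroup the projected token stays root:root 0600 (see the ls output
        # in the commit message) and the nobody user gets "permission denied".
        # With fsGroup the kubelet chowns the projected volume's files to group 65534
        # and makes them group-readable, so runAsUser 65534 can read the token.
        fsGroup: 65534
        runAsUser: 65534
        runAsNonRoot: true
      containers:
        - name: external-dns
          # Assumed image tag; use the release you actually deploy.
          image: registry.k8s.io/external-dns/external-dns:v0.14.0
          args:
            - --source=service
            - --source=ingress
            - --provider=aws
            - --domain-filter=example.com      # assumed zone
            - --policy=upsert-only
            - --registry=txt
            - --txt-owner-id=my-cluster        # assumed owner ID
```

Setting only `runAsUser: 65534` does not help, because the file is created as `root:root` with mode 0600; `fsGroup` is the field that changes the group ownership of projected volume files. After deploying, `kubectl exec` into the pod and re-run the `ls -al` from the commit message: the token should now show group 65534 and a group-read bit, and the `WebIdentityErr` should be gone from the logs.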
- ..
- alb-ingress.md
- alibabacloud.md
- aws-sd.md
- aws.md
- azure.md
- cloudflare.md
- contour.md
- coredns.md
- designate.md
- digitalocean.md
- dnsimple.md
- dyn.md
- exoscale.md
- externalname.md
- gke.md
- hostport.md
- infoblox.md
- istio.md
- linode.md
- nginx-ingress.md
- ns1.md
- oracle.md
- pdns.md
- public-private-route53.md
- rcodezero.md
- rdns.md
- rfc2136.md
- security-context.md
- transip.md
- vinyldns.md