external-dns/docs/tutorials
Brian Hong c97781a49d
Fix AWS IAM Roles for Service Accounts permission
Amazon EKS supports IAM Roles for Service Accounts. It mounts token
files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`.
Unfortunately, external-dns runs as 'nobody' so it cannot access this
file. External DNS is then unable to make any AWS API calls:

```
time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied"
```

See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html

Below are the file permissions mounted on the External DNS pod:

```
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/
total 0
drwxrwxrwt    3 root     root           100 Sep 11 06:40 .
drwxr-xr-x    3 root     root            28 Sep 11 06:40 ..
drwxr-xr-x    2 root     root            60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187
lrwxrwxrwx    1 root     root            31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187
lrwxrwxrwx    1 root     root            12 Sep 11 06:40 token -> ..data/token
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
-rw-------    1 root     root          1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
```

This commit fixes this problem by specifying a securityContext so that
mounted volumes have 65534 (nobody) group ownership.
2019-09-16 17:01:07 +09:00
| File | Last commit | Date |
| --- | --- | --- |
| alb-ingress.md | add tutorial for using alb-ingress-controller with ExternalDNS | 2019-06-27 17:13:08 -07:00 |
| alibabacloud.md | Update the docs link | 2019-04-16 09:58:20 +08:00 |
| aws-sd.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| aws.md | Fix AWS IAM Roles for Service Accounts permission | 2019-09-16 17:01:07 +09:00 |
| azure.md | docs(azure): better security granularity concerning external dns service principal | 2018-12-24 16:44:06 +01:00 |
| cloudflare.md | docs(cloudflare): set ttl annotation for cloudflare proxied entries to 1 | 2019-05-20 22:38:58 -04:00 |
| contour.md | Add documentation for Contour IngressRoute source | 2019-07-04 20:06:25 -05:00 |
| coredns.md | Add apiVersion to ingress.yaml, and Delete the duplicated line in dnstools | 2019-01-12 00:06:43 +08:00 |
| designate.md | Tutorial with example on how to use Designate was added | 2017-09-22 20:55:08 -07:00 |
| digitalocean.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| dnsimple.md | Add DNSimple Tutorial Document | 2019-07-29 17:44:55 -04:00 |
| dyn.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| exoscale.md | added list nodes | 2018-07-13 12:52:16 +02:00 |
| externalname.md | Add docs for ExternalName services | 2019-05-29 15:49:20 +03:00 |
| gke.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| hostport.md | adding a flag to optionally publish hostIP instead of podIP for headless services (#597) | 2018-07-26 18:16:32 +02:00 |
| infoblox.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| istio.md | Add support for multiple Istio Ingress Gateways | 2019-03-18 22:13:44 +01:00 |
| linode.md | Updating changelog for new release v0.5.5 | 2018-08-17 13:28:28 +02:00 |
| nginx-ingress.md | Remove disable-addon argument from gke + nginx tutorial | 2019-04-14 16:36:46 +01:00 |
| ns1.md | Add tutorial for NS1 and link in README | 2019-04-23 11:27:25 -04:00 |
| oracle.md | Oracle doc fix (add "key:" to secret) (#750) | 2018-11-06 20:58:18 +01:00 |
| pdns.md | pdns: Add DomainFilter support | 2018-10-22 13:54:11 -07:00 |
| public-private-route53.md | Bump version to v0.5.4 (#618) | 2018-06-28 15:30:56 +02:00 |
| rcodezero.md | Trigger travis | 2019-02-19 11:49:41 +01:00 |
| rdns.md | Add rancher dns(RDNS) provider | 2019-07-19 19:40:00 +08:00 |
| rfc2136.md | Update rfc2136 tutorial for use with Microsoft DNS | 2019-09-05 13:28:09 -05:00 |
| security-context.md | docs: document how to use a different security context | 2018-10-02 18:36:58 +02:00 |
| transip.md | tweaked transip provider tutorial | 2019-05-07 12:01:01 +02:00 |
| vinyldns.md | Docs and small fix to find suitable zone | 2019-07-01 16:53:50 -04:00 |