Commit 84a0b57

committed
mention pod identity
1 parent 1c47c3f commit 84a0b57

1 file changed (+8, -2 lines changed)

docs/deploy/installation.md

Lines changed: 8 additions & 2 deletions
@@ -43,7 +43,7 @@ Instead of depending on IMDSv2, you can specify the AWS Region via the controlle
4343

4444
The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB APIs with IAM permissions.
4545

46-
The IAM permissions can either be setup using [IAM roles for service accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or can be attached directly to the worker node IAM roles. The best practice is using IRSA if you're using Amazon EKS. If you're using kOps or self-hosted Kubernetes, you must manually attach polices to node instances.
46+
The IAM permissions can either be setup using [IAM roles for service accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), or can be attached directly to the worker node IAM roles. The best practice is using IRSA if you're using Amazon EKS. If you're using kOps or self-hosted Kubernetes, you must manually attach polices to node instances.
4747

4848
### Option A: Recommended, IAM roles for service accounts (IRSA)
4949

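Review bot: the rewritten line 46 adds Pod Identity to the list of options, but the sentence right after it still reads "The best practice is using IRSA if you're using Amazon EKS", while the second hunk's new heading labels Pod Identity "Recommended" as well; the two statements should agree, for example "The best practice on Amazon EKS is using IRSA or Pod Identity." Since this line is being touched anyway, "can either be setup" should read "can either be set up" and "attach polices" should read "attach policies".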
@@ -121,7 +121,13 @@ Example condition for cluster name resource tag:
121121
--approve
122122
```
123123
124-
### Option B: Attach IAM policies to nodes
124+
### Option B: Recommended, Pod Identity
125+
126+
127+
Follow the Pod Identity set-up guide [here](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html).
128+
129+
130+
### Option C: Attach IAM policies to nodes
125131
If you're not setting up IAM roles for service accounts, apply the IAM policies from the following URL at a minimum. Please be aware of the possibility that the controller permissions may be assumed by other users in a pod after retrieving the node role credentials, so the best practice would be using IRSA instead of attaching IAM policy directly.
126132
```
127133
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.15.0/docs/install/iam_policy.json
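Review bot: the new Option B (lines 124-130) only links to the agent set-up guide and never says which IAM policy the Pod Identity association needs, whereas Option C at line 133 fetches iam-policy.json explicitly; add at least one sentence pointing readers to that same policy file, otherwise the section is not actionable on its own. The unchanged Option C paragraph at line 132 also still says "If you're not setting up IAM roles for service accounts" and "the best practice would be using IRSA instead", which now leaves out Pod Identity; update both phrases to "IRSA or Pod Identity". Finally, the three blank lines on each side of the Option B body (125-127 and 128-130) exceed the single blank line used between sections elsewhere in this hunk; trim them to one.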
