    Fix AWS IAM Roles for Service Accounts permission · c97781a4
    Brian Hong authored
    Amazon EKS supports IAM Roles for Service Accounts. It mounts token
    files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`.
    Unfortunately, external-dns runs as 'nobody', so it cannot access this
    file. External DNS is then unable to make any AWS API calls:
    
    ```
    time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied"
    ```
    
    See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
    
    Below are the file permissions mounted on the External DNS pod:
    
    ```
    ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/
    total 0
    drwxrwxrwt    3 root     root           100 Sep 11 06:40 .
    drwxr-xr-x    3 root     root            28 Sep 11 06:40 ..
    drwxr-xr-x    2 root     root            60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187
    lrwxrwxrwx    1 root     root            31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187
    lrwxrwxrwx    1 root     root            12 Sep 11 06:40 token -> ..data/token
    ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
    -rw-------    1 root     root          1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
    ```
    
    This commit fixes this problem by specifying a securityContext so that
    mounted volumes have 65534 (nobody) group ownership.
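The pod-level setting the commit message refers to, shown as an added example manifest fragment rather than the project's own manifest. Kubernetes applies `fsGroup` to volumes it mounts into the pod, so the projected token file ends up group-readable by GID 65534 and a process running as `nobody` can open it. The Deployment name, container image and the exact location of the projected token volume are assumptions for illustration; only the `fsGroup: 65534` value and the token path come from the commit message.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns          # assumed name for illustration
spec:
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      # Pod-level securityContext: Kubernetes chowns mounted volumes
      # (including the IRSA projected token) to this group, so a
      # container running as 'nobody' (uid/gid 65534) can read the token.
      securityContext:
        fsGroup: 65534
      containers:
        - name: external-dns
          image: registry.example/external-dns:TAG   # placeholder image
          # The token path below is the one EKS mounts for IRSA; the
          # AWS SDK reads it via AWS_WEB_IDENTITY_TOKEN_FILE, which EKS
          # injects alongside AWS_ROLE_ARN.
          args:
            - --provider=aws
```

A quick check from inside the container after rollout is `ls -l /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token`; with `fsGroup` applied the file shows group 65534 and mode `-rw-r-----` instead of the root-only `-rw-------` captured in the commit message. Note that `fsGroup` only changes group ownership of the mounted volume; it does not widen what the token itself grants, which is still scoped by the IAM role's trust policy and permissions.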