
[Feature] eksctl roleOnly parameter for podIdentityAssociations #7775

@ruzickap

Description


What feature/behavior/change do you want? + Why do you want this feature?

I would like to create the Pod Identity Associations without creating service accounts (like it was before eksctl v0.177.0).

Reason: Most of the Helm charts do create service accounts by default...

It would be great if a roleOnly parameter could be introduced to allow the user to decide whether the SA will be created or not:

iam:
  withOIDC: true
  podIdentityAssociations:
    - namespace: aws-ebs-csi-driver
      serviceAccountName: ebs-csi-controller-sa
      roleName: eksctl-test-pia-aws-ebs-csi-driver
      roleOnly: true                                 ##### <<<<<<<
      wellKnownPolicies:
        ebsCSIController: true

Details:

What happened?

eksctl in version v0.177.0 creates a service account when using podIdentityAssociations.

This was not the case before this version...

How to reproduce it?

Example:

$ export AWS_DEFAULT_REGION="us-east-1"

$ gh release download v0.176.0 --repo eksctl-io/eksctl --pattern eksctl_Darwin_arm64.tar.gz --output - | sudo tar xz -C /tmp/

$ /tmp/eksctl version
0.176.0

$ cat > /tmp/eksctl-test.yaml << EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  region: us-east-1
  name: test
accessConfig:
  authenticationMode: API_AND_CONFIG_MAP
iam:
  withOIDC: true
  podIdentityAssociations:
    - namespace: aws-ebs-csi-driver
      serviceAccountName: ebs-csi-controller-sa
      roleName: eksctl-test-pia-aws-ebs-csi-driver
      wellKnownPolicies:
        ebsCSIController: true
addons:
  - name: eks-pod-identity-agent
managedNodeGroups:
  - name: mng01-ng
    instanceType: t4g.medium
    desiredCapacity: 2
    minSize: 2
    maxSize: 5
    volumeSize: 20
EOF

$ export KUBECONFIG="/tmp/kubeconfig-test.conf"
$ /tmp/eksctl create cluster --config-file "/tmp/eksctl-test.yaml" --kubeconfig "${KUBECONFIG}"
2024-05-18 20:38:43 [ℹ]  eksctl version 0.176.0
2024-05-18 20:38:43 [ℹ]  using region us-east-1
...

$ kubectl get serviceaccount -A | grep ebs
<...empty output...>

$ kubectl get ns
NAME              STATUS   AGE
default           Active   13m
kube-node-lease   Active   13m
kube-public       Active   13m
kube-system       Active   13m

As you can see there is no namespace/service account created.

Details:

Thank you...
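The conflict behind the request above is that a ServiceAccount pre-created by eksctl (with no Helm ownership labels) blocks a Helm chart that wants to create the same SA: Helm 3 refuses to adopt an existing resource that lacks its `app.kubernetes.io/managed-by: Helm` label and `meta.helm.sh/release-*` annotations. A Pod Identity association, on the other hand, binds the IAM role to a namespace/serviceaccount name at the EKS API and does not need the SA to exist yet, which is exactly what the v0.176.0 run above shows. The following added example, which is not eksctl code and not from the issue author, is the pre-upgrade check a practitioner would run: for each podIdentityAssociation it classifies the target SA from `kubectl get serviceaccounts -A -o json` output as absent, Helm-owned, or unowned. The association list is embedded as a Python list instead of being parsed from the YAML, the kubectl output is constructed inline so the script runs offline, and the extra `external-dns` and `prometheus` associations are assumptions added for illustration.

```python
"""
Added example (not eksctl or issue-author code): classify the ServiceAccount
targeted by each podIdentityAssociation so that an eksctl-created SA that
would collide with a Helm-managed one is caught before `helm install` fails.
"""
import json

# Constructed subset of iam.podIdentityAssociations from the ClusterConfig in
# the issue, plus two assumed entries (external-dns, prometheus) for illustration.
POD_IDENTITY_ASSOCIATIONS = [
    {"namespace": "aws-ebs-csi-driver", "serviceAccountName": "ebs-csi-controller-sa",
     "roleName": "eksctl-test-pia-aws-ebs-csi-driver"},
    {"namespace": "kube-system", "serviceAccountName": "external-dns",
     "roleName": "eksctl-test-pia-external-dns"},
    {"namespace": "monitoring", "serviceAccountName": "prometheus",
     "roleName": "eksctl-test-pia-prometheus"},
]

# Constructed `kubectl get serviceaccounts -A -o json` document: one SA created
# without Helm ownership metadata (as eksctl v0.177.0 would), one owned by a
# Helm release, and the default SA that no association references.
KUBECTL_SA_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "ebs-csi-controller-sa", "namespace": "aws-ebs-csi-driver",
                      "labels": {}, "annotations": {}}},
        {"metadata": {"name": "external-dns", "namespace": "kube-system",
                      "labels": {"app.kubernetes.io/managed-by": "Helm"},
                      "annotations": {"meta.helm.sh/release-name": "external-dns",
                                      "meta.helm.sh/release-namespace": "kube-system"}}},
        {"metadata": {"name": "default", "namespace": "default"}},
    ],
})

HELM_MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
HELM_RELEASE_ANNOTATION = "meta.helm.sh/release-name"


def index_service_accounts(sa_list_json):
    """Map (namespace, name) -> metadata for every SA in a kubectl List document."""
    doc = json.loads(sa_list_json)
    return {(item["metadata"]["namespace"], item["metadata"]["name"]): item["metadata"]
            for item in doc["items"]}


def classify(association, sa_index):
    """Return 'absent', 'helm-owned' or 'unowned' for one association's target SA."""
    key = (association["namespace"], association["serviceAccountName"])
    meta = sa_index.get(key)
    if meta is None:
        # The association binds by name; Helm can still create this SA later.
        return "absent"
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    if labels.get(HELM_MANAGED_BY_LABEL) == "Helm" and HELM_RELEASE_ANNOTATION in annotations:
        return "helm-owned"
    # Exists but carries no Helm ownership metadata: `helm install` of a chart
    # that renders this SA will refuse to take it over.
    return "unowned"


def report(associations, sa_list_json):
    """Classify every association; keys are (namespace, serviceAccountName)."""
    sa_index = index_service_accounts(sa_list_json)
    return {(a["namespace"], a["serviceAccountName"]): classify(a, sa_index)
            for a in associations}


if __name__ == "__main__":
    for (namespace, sa_name), state in report(POD_IDENTITY_ASSOCIATIONS, KUBECTL_SA_JSON).items():
        print(f"{namespace}/{sa_name}: {state}")
```

An `unowned` result is the case the requested roleOnly flag would avoid: either delete the eksctl-created SA before installing the chart, or tell the chart not to create its own SA (the value name differs per chart, so check the chart's values file). `absent` and `helm-owned` need no action, since the association resolves by name when a pod using that SA starts.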

Labels: kind/feature (New feature or request), priority/important-soon (Ideally to be resolved in time for the next release)
