AWS EKS: Assign multiple Service Accounts to Deployment\Pod

Question

I'm using Kubeless on AWS EKS. While installing Kubeless, the installation has a manifest which has some CRDs and a deployment object. The deployment object has already a Service Account attached. I have created another Service Account in the kube-system namespace, which has some AWS IAM roles attached. I also want to attach this newly created Service Account used for IAM roles to the Kubeless deployment object by modifying the Kubeless manifest file.

I want to have 2 Service Accounts attached to the deployment object: One that comes with Kubeless and other for AWS IAM. Any help would appreciated. Thanks

score 15 · Answer 1 · answered Mar 31 '20 at 21:17

15

This is not possible. If you look at the API documentation for PodSpec v1 core you can see that serviceAccountName expects a string not an array or object. This is because using a ServiceAccount resource creates a 1:1 relationship between your pod and authentication against the API server.

You will either need to:

Diversify your workload into multiple containers. Which with you can apply different service accounts.
Combine your service account capabilities into a single account and apply it exclusively to this pod.

I recommend #2.

answered Mar 31 '20 at 21:17

TJ Zimmerman

3,100
25
39

This is so dumb. This completely rails against Google's least privilege recommendations. – Nathan McKaskle Nov 10 '22 at 18:03
I'm not sure I agree. Considering what I described in 1 above correlates more with Least Privilege than what is requested in the original question. – TJ Zimmerman Feb 07 '23 at 23:48

AWS EKS: Assign multiple Service Accounts to Deployment\Pod

1 Answers1