Spring Data Flow: IAM role assignment to pods using pod-annotations

10/23/2019

We are currently in the process of deploying a new Spring Data Flow stream application in our AWS EKS cluster. As part of this, the pods launched by the Skipper should have the IAM roles defined in the annotation so that they can access the required AWS services. I have created the required IAM role in the AWS account and am trying to pass the role using the pod-annotations property in the deploy stream for the application.

sample deployment property:

deployer.datastreamdemosource.kubernetes.pod-annotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXXX:role/spring-dataflow-test-role

The Skipper is able to launch pods in the cluster, but I can see that the requested annotation is not assigned to the pod template.

The annotation value assigned to the pod is

Am I using the correct property to assign the required IAM role? Or how can I assign IAM roles to the pods launched by the Skipper as part of the stream? We do not want to use a global IAM role for the streams, since some pods will have additional permissions that they do not need. Has anyone successfully deployed Data Flow streaming applications in AWS EKS with IAM roles for each pod?

-- SimbuStar
amazon-web-services
annotations
dataflow
kubernetes
spring-cloud-dataflow

2 Answers

10/23/2019

What you tried as a deployment property indeed has a typo in it. To override the podAnnotations at each stream-app level, you should be using deployer.<app-name>.kubernetes.podAnnotations for each of the desired apps in the stream definition.

SCDF's K8s deployer specifically expects the property in that format, and that's why it is not parsed and annotated correctly on the deployed apps. If you're using the UI, however, we attempt to list all the deployer properties in a dialog window for you automatically, so the value is all that is expected from you.

There was a recent discussion around volumeMounts along the same lines in SCDF's Gitter channel. The background discussed in the channel might be useful.

-- Sabby Anandan
Source: StackOverflow

10/23/2019

After reading documents for hours, I found the required configuration in the link below:

https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#_annotations

So you need to use the property definitions below under the deployment platform in your streams, which will allow the Skipper to launch the pods with the required annotations.

 deployer.data-stream-demo-source.kubernetes.podAnnotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXX:role/spring-dataflow-test-role
 deployer.data-stream-demo-sink.kubernetes.podAnnotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXX:role/spring-dataflow-test-role

The default pod-annotation property in the deploy stream definition is not working as expected, and I am not sure whether it's because of a typo in pod-annotations.

It's the same case with other annotations as well (job-annotations, service-annotations).

For now, you can define the required annotation in the freetext tab, or you can define it at the application property level when registering apps with the Data Flow server. By the way, I am using spring-cloud-dataflow-server version 2.2.1.RELEASE.

-- SimbuStar
Source: StackOverflow
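As an added example (not from the question, either answer, or Spring Cloud Data Flow itself), the following Python audit turns the working deployer properties above into a per-app role map and then checks that the pods the Skipper launched actually carry the `iam.amazonaws.com/role` annotation with the expected ARN. It shows why the `pod-annotations` spelling silently does nothing: the property name never matches, so no role is recorded for that app and its pod shows up as unannotated. Assumptions: the comma-separated `key: value,key2: value2` form for `podAnnotations`; pod manifests supplied as Kubernetes API-shaped dicts grouped by app name (how you fetch and group them, for example with `kubectl get pods -o json`, is left to the caller); and constructed sample properties and pods using the fictitious account id 123456789012. One caveat the page does not spell out: the `iam.amazonaws.com/role` annotation is consumed by an IAM proxy such as kube2iam or kiam, which assumes the role from the node's instance profile, so each role's trust policy must allow that, and what an unannotated pod receives depends on the proxy's default-role configuration.

```python
"""Audit SCDF deployer properties and launched pods for per-app IAM role annotations.

Added example, not SCDF's own code. Assumes the 'key: value,key2: value2' form for
podAnnotations and Kubernetes API-shaped pod dicts grouped by app name.
"""
import re

ROLE_ANNOTATION = "iam.amazonaws.com/role"            # consumed by kube2iam / kiam
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROP_RE = re.compile(r"^deployer\.(?P<app>[^.]+)\.kubernetes\.podAnnotations$")


def parse_pod_annotations(value: str) -> dict:
    """Parse 'k1: v1,k2: v2' into a dict, tolerating whitespace around ':' and ','.

    Only the first ':' separates key from value, so ARNs (which contain ':') survive.
    A role name containing ',' would need quoting that this simple form does not offer.
    """
    out = {}
    for pair in value.split(","):
        if not pair.strip():
            continue
        key, sep, val = pair.partition(":")
        if not sep:
            raise ValueError(f"annotation without ':' separator: {pair!r}")
        out[key.strip()] = val.strip()
    return out


def expected_roles_from_properties(props: dict) -> dict:
    """Map app name -> role ARN from deployer properties.

    Keys that are not exactly deployer.<app>.kubernetes.podAnnotations (for example
    the 'pod-annotations' spelling from the question) are ignored, which is exactly
    how the typo goes unnoticed until the pods are inspected. Malformed ARNs raise.
    """
    roles = {}
    for name, value in props.items():
        m = PROP_RE.match(name)
        if not m:
            continue
        arn = parse_pod_annotations(value).get(ROLE_ANNOTATION)
        if arn is None:
            continue
        if not ARN_RE.match(arn):
            raise ValueError(f"{name}: malformed role ARN {arn!r}")
        roles[m.group("app")] = arn
    return roles


def audit_pods(pods_by_app: dict, expected: dict) -> list:
    """Return (pod_name, kind, detail) findings for pods whose role annotation is off.

    kinds: 'missing'     expected role not on the pod
           'mismatch'    pod carries a different role than the stream definition says
           'unannotated' no role expected and none present: the pod gets the IAM
                         proxy's default, which is not per-app least privilege
           'unmanaged'   annotation present but not set via the stream's deployer
                         properties (e.g. set at app registration); worth a review
    """
    findings = []
    for app, pods in pods_by_app.items():
        want = expected.get(app)
        for pod in pods:
            meta = pod.get("metadata", {})
            name = meta.get("name", "<unnamed>")
            have = (meta.get("annotations") or {}).get(ROLE_ANNOTATION)
            if want is None and have is None:
                findings.append((name, "unannotated", "no per-app role configured"))
            elif want is None:
                findings.append((name, "unmanaged", f"annotation {have} not from stream properties"))
            elif have is None:
                findings.append((name, "missing", f"expected {want}"))
            elif have != want:
                findings.append((name, "mismatch", f"have {have}, expected {want}"))
    return findings


# Constructed sample input (fictitious account id); the sink uses the typo'd property.
SAMPLE_PROPS = {
    "deployer.data-stream-demo-source.kubernetes.podAnnotations":
        "iam.amazonaws.com/role: arn:aws:iam::123456789012:role/spring-dataflow-test-role",
    "deployer.data-stream-demo-sink.kubernetes.pod-annotations":
        "iam.amazonaws.com/role: arn:aws:iam::123456789012:role/spring-dataflow-test-role",
}
SAMPLE_PODS = {
    "data-stream-demo-source": [{"metadata": {
        "name": "data-stream-demo-source-v1-abc12",
        "annotations": {ROLE_ANNOTATION: "arn:aws:iam::123456789012:role/spring-dataflow-test-role"}}}],
    "data-stream-demo-sink": [{"metadata": {
        "name": "data-stream-demo-sink-v1-def34", "annotations": {}}}],
}

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_PODS, expected_roles_from_properties(SAMPLE_PROPS)):
        print(*finding, sep="\t")
```

Run against a real cluster, feed `pods_by_app` from the pod JSON and `props` from the stream's deployment properties; any `missing`, `mismatch` or `unannotated` finding means the pod is not running under the least-privilege role the stream definition intended.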