IAM permissions in EKS cluster

with the introduction of IRSA , IAM roles for service account , there are now two options to define the IAM role in EKS cluster for the pods :

IRSA

each pod get specific IAM role . this is the preferred method.

  • pros - fine grain permissions per pods
  • cons - additional roles are needed
  • example

NodeInstanceRole

each node get specific IAM role .

  • pros - single instance profile per the EKS worker node
  • cons - each pod get all the permissions of the nodes
  • example

links
https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#create-iam-role
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html