Migrate from IRSA to Pod Identity Seamlessly using Rafay - Part 3
Part 1 of this series introduced Pod Identity vs. IRSA for Amazon EKS, and Part 2 explored how to use Amazon EKS Pod Identity with the Rafay platform. This is Part 3, and it guides you through migrating existing IRSA associations to Pod Identity using Rafay.
Migrating existing IAM Roles for Service Accounts (IRSA) to EKS Pod Identity begins with ensuring that your EKS cluster is upgraded to version 1.24 or higher, as outlined in the AWS documentation.
Next, make sure to install the EKS Pod Identity Agent Add-on on your cluster using the Rafay platform. Rafay streamlines this migration process by automatically adding the EKS service principal pods.eks.amazonaws.com to your roles, preparing service accounts for use in Kubernetes pods to interact with AWS services.
Migration Process
When migrating from IRSA to Pod Identity, Rafay also provides the flexibility to either retain or remove the existing OIDC relationship. With a seamless workflow, you can efficiently convert your current IRSA associations to Pod Identity, ensuring a smooth migration experience.
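The trust-relationship change described above, as an added example (not Rafay's code): it adds a statement for pods.eks.amazonaws.com with the sts:AssumeRole and sts:TagSession actions that AWS documents for Pod Identity roles, and either retains or removes the OIDC statement. The function names are hypothetical, and the account ID, region, provider ID, namespace and service account in the sample policy are constructed placeholders.

```python
import copy
import json

POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_oidc_statement(stmt):
    """True for an IRSA-style statement whose principal is a federated OIDC provider."""
    principal = stmt.get("Principal")
    federated = principal.get("Federated", []) if isinstance(principal, dict) else []
    return any(":oidc-provider/" in arn for arn in _as_list(federated))

def trusts_pod_identity(policy):
    """True if an Allow statement lets the EKS service principal assume the role and tag the session."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = set(_as_list(stmt.get("Action", [])))
        if (stmt.get("Effect") == "Allow" and POD_IDENTITY_PRINCIPAL in services
                and {"sts:AssumeRole", "sts:TagSession"} <= actions):
            return True
    return False

def migrate_trust_policy(policy, keep_oidc=True):
    """Return a copy that trusts Pod Identity; drop the OIDC statements when keep_oidc is False."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in _as_list(new.get("Statement", []))
                        if keep_oidc or not is_oidc_statement(s)]
    if not trusts_pod_identity(new):
        new["Statement"].append({"Effect": "Allow", "Principal": {"Service": POD_IDENTITY_PRINCIPAL},
                                 "Action": ["sts:AssumeRole", "sts:TagSession"]})
    return new

# Constructed sample: IRSA trust policy with placeholder account ID, region and provider ID.
PROVIDER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0000000000"
IRSA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{PROVIDER}:sub": "system:serviceaccount:demo:app-sa"}},
    }],
}

if __name__ == "__main__":
    print(json.dumps(migrate_trust_policy(IRSA_POLICY, keep_oidc=False), indent=2))
```

Retaining the OIDC statement keeps the role assumable through IRSA as a fallback, while removing it leaves Pod Identity as the only trusted path to the role. Running trusts_pod_identity over the trust policies of roles awaiting migration shows which ones still lack the EKS service principal.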
Migration Options
This can also be done using the RCTL interface. Below is how to do it using the UI.
Example IRSA List Before Migration:
After initiating the migration to Pod Identity, all IRSA associations were successfully transitioned, as illustrated below:
Permissions Required
To ensure a smooth migration process, verify that the user or role associated with your cloud credentials has the following permissions:
eks:CreatePodIdentityAssociation
eks:DescribePodIdentityAssociation
eks:DeletePodIdentityAssociation
eks:UpdatePodIdentityAssociation
eks:ListPodIdentityAssociations
iam:UntagRole
Conclusion
Migrating from IRSA to Pod Identity enhances your IAM role management within Amazon EKS clusters by consolidating role associations and alleviating issues related to multiple OIDC providers and trust policy sizes. Rafay provides an easy way to migrate, taking care of all the manual steps involved in transitioning from IRSA to Pod Identity seamlessly. This includes updating the trust relationship with the required EKS service principal and managing the IRSA annotations as part of the migration process.