Feature | EKS Pod Identity | IRSA |
---|---|---|
Role Extensibility | No need to update the role's trust policy for each new cluster. | Need to update the role's trust policy with each new EKS cluster's OIDC provider endpoint. |
Cluster Scalability | No need to set up an IAM OIDC provider. | Need to set up an IAM OIDC provider. The default global limit of 100 OIDC providers per AWS account applies. |
Role Scalability | No need to define a trust relationship between the IAM role and the service account in the trust policy. | Need to define a trust relationship between the IAM role and the service account in the trust policy. A maximum of 8 trust relationships within a single trust policy applies because of the limit on trust policy size. |
Role Reusability | AWS STS temporary credentials supplied by EKS Pod Identity include role session tags, such as cluster name, namespace and service account name. | AWS STS session tags are not supported. You can reuse a role between clusters, but every pod receives all of the permissions of the role. |
Environments Supported | Only available on Amazon EKS. | IRSA can be used with Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on AWS, and self-managed Kubernetes clusters on Amazon EC2 instances. |
EKS Versions Supported | EKS Kubernetes versions 1.24 or later. | All of the supported EKS cluster versions. |
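As an added example that is not part of the gist: the two trust-policy shapes the table contrasts, built in Python so the "grows per cluster" versus "fixed" difference and the session-tag scoping can be inspected. The account id, OIDC issuer ids, namespace and bucket name are constructed placeholders; the `pods.eks.amazonaws.com` principal, the `sts:AssumeRole`/`sts:TagSession` actions and the `kubernetes-namespace` session tag key follow AWS's documentation for EKS Pod Identity, and the 2048-character figure is IAM's default trust policy length quota (whitespace excluded).

```python
"""Trust policies behind IRSA and EKS Pod Identity, side by side.

Account id, OIDC issuer hosts, namespaces and bucket names are constructed
placeholders for illustration; they are not real resources.
"""
import json

# IAM's default length quota for a role trust policy (characters, whitespace excluded).
TRUST_POLICY_LIMIT = 2048

# Constructed placeholders (not a real account or real clusters).
ACCOUNT_ID = "111122223333"
OIDC_HOST_A = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEA1B2C3D4E5F6A7B8C9D0E1F2A3"
OIDC_HOST_B = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEB2C3D4E5F6A7B8C9D0E1F2A3B4"


def irsa_trust_policy(account_id, bindings):
    """IRSA: one Federated statement per (cluster OIDC issuer, namespace, service account).

    Every new cluster adds a new OIDC provider ARN to the trust policy, and each
    statement must pin both the token audience and the service-account subject.
    """
    statements = []
    for oidc_host, namespace, service_account in bindings:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_host}:aud": "sts.amazonaws.com",
                f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def pod_identity_trust_policy():
    """EKS Pod Identity: one fixed statement with no per-cluster or per-service-account terms.

    The binding of role to (cluster, namespace, service account) lives in the EKS
    pod identity association, not in this document, so it never grows.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "pods.eks.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }]}


def namespace_scoped_permissions(bucket, namespace):
    """Permission policy that only grants access when the session tag matches.

    EKS Pod Identity tags the STS session with kubernetes-namespace (among other
    keys), so a role shared across clusters can still be narrowed per pod. IRSA
    sessions carry no such tag, so every pod gets the role's full permissions.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"aws:PrincipalTag/kubernetes-namespace": namespace}},
    }]}


def audit_irsa_trust_policy(policy):
    """Return findings for web-identity statements that do not pin both aud and sub."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        keys = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement {i}: no :sub condition, role is not pinned to a service account")
        if not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: no :aud condition, token audience is not checked")
    return findings


def trust_policy_size(policy):
    """Compact JSON length, roughly what IAM compares against TRUST_POLICY_LIMIT."""
    return len(json.dumps(policy, separators=(",", ":")))


if __name__ == "__main__":
    bindings = [(OIDC_HOST_A, "payments", "api"), (OIDC_HOST_B, "payments", "api")]
    irsa = irsa_trust_policy(ACCOUNT_ID, bindings)
    print("IRSA trust policy:", trust_policy_size(irsa), "chars for", len(bindings), "bindings")
    print("Pod Identity trust policy:", trust_policy_size(pod_identity_trust_policy()), "chars")
    print("IRSA audit:", audit_irsa_trust_policy(irsa) or "ok")
    print(json.dumps(namespace_scoped_permissions("example-bucket", "payments"), indent=2))
```

Running the module prints the size of an IRSA trust policy for two clusters next to the constant-size Pod Identity policy, which is the concrete form of the "Role Extensibility" and "Role Scalability" rows; `audit_irsa_trust_policy` is the check to run on existing IRSA roles, since a statement missing its `:sub` condition is trusted by every service account in that cluster.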
Created
May 24, 2024 15:40
comparing EKS Pod Identity and IRSA