YAML output for pvc-protection-controller
Is there a way we can view the YAML output spec for any pvc-protection-controller pods? If it’s already configured with a volume-mount with a path of /var/run/secrets/kubernetes.io/serviceaccount and a name set to kube-api-access-000 then it’s already using the projected service account volume with short-term credentials.
- Argomenti
- Container
- Lingua
- English
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
The pvc-protection-controller is part of the Kubernetes controller manager, not a standalone pod that you can directly view with kubectl. It's a controller that runs within the kube-controller-manager component of the Kubernetes control plane.
To view metrics related to the controller manager (which includes the pvc-protection-controller), you can use the following command for EKS clusters running Kubernetes version 1.28 and above:
kubectl get --raw "/apis/metrics.eks.amazonaws.com/v1/kcm/container/metrics"
This will return metrics in Prometheus format, which may include workqueue metrics for the pvc-protection-controller.
Regarding service account volume mounts, the controller manager itself would have the appropriate volume mounts configured by EKS as part of the control plane setup. Since the pvc-protection-controller runs as part of the controller manager process and not as a separate pod, you wouldn't be able to directly inspect its volume mounts in the same way you would for a standalone pod.
If you're concerned about credential management for EKS components, EKS now supports Pod Identity for add-ons, which simplifies IAM permissions for Kubernetes workloads. This feature allows for more direct IAM permission assignment without requiring OpenID Connect (OIDC) providers.
Sources
Fetch control plane raw metrics in Prometheus format - Amazon EKS
Simplifying IAM Permissions for Amazon EKS Addons with EKS Pod Identity | Containers
