falcon-helm

Helm chart falcon-sensor requiring modification to get IAM role via IRSA

Open aleliaert opened this issue 8 months ago • 1 comments

Was having an issue getting IRSA working for the falcon-sensor-injector in our environment. Per support case, it was suggested to set env vars AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, which did work for us.

Example of what we did to our helm chart:

        env:
        - name: AWS_ROLE_ARN
          value: {{ .Values.regrettableIrsaWorkaround.roleArn }}
        - name: AWS_WEB_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
        {{- end }}

Have not seen the need to pass similar env vars for other workloads on our EKS cluster that get their IAM roles via IRSA.

If this is required for the falcon-sensor-injector to use an IRSA role, can we add logic to the Helm chart to support this? Or alternatively request that the maintainers of the falcon-sensor-injector change its behavior to not need such?

Thanks!

aleliaert, Aug 22 '25 23:08

Hi! I believe the annotations on the service account should be taking care of those variables for you. We use this block here to append annotations to the service account. Are the env vars not being added by EKS to the pod when the eks role arn annotation is present?

gpontejos, Sep 17 '25 23:09
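One way to answer the question raised in the thread, as an added example that is not part of the issue or the falcon-helm chart: compare the service account's `eks.amazonaws.com/role-arn` annotation with what each container in the pod actually received, using the JSON from `kubectl get sa -o json` and `kubectl get pod -o json`. The function name, the sample objects, the account id and the role name are constructed placeholders; the volume name and audience are sample values.

```python
ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"

def irsa_report(service_account, pod):
    """Return {container: [problems]} from `kubectl get sa/pod -o json` dicts."""
    annotated = service_account.get("metadata", {}).get("annotations", {}).get(ROLE_ANNOTATION)
    spec = pod["spec"]
    # Volumes that project a service account token, as IRSA injection adds.
    token_volumes = {
        v["name"] for v in spec.get("volumes", [])
        for src in v.get("projected", {}).get("sources", [])
        if "serviceAccountToken" in src
    }
    report = {}
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        problems = []
        if annotated is None:
            problems.append("service account lacks role-arn annotation")
        elif env.get("AWS_ROLE_ARN") != annotated:
            problems.append("AWS_ROLE_ARN missing or differs from annotation")
        token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
        if not token_file:
            problems.append("AWS_WEB_IDENTITY_TOKEN_FILE not set")
        elif not any(
            m["name"] in token_volumes
            and token_file.startswith(m["mountPath"].rstrip("/") + "/")
            for m in c.get("volumeMounts", [])
        ):
            problems.append("token file path is not backed by a projected token volume")
        report[c["name"]] = problems
    return report

# Constructed sample objects (placeholder account id, role and container names).
ARN = "arn:aws:iam::111122223333:role/example-role"
TOKEN = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
ENV = [{"name": "AWS_ROLE_ARN", "value": ARN},
       {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": TOKEN}]
SA = {"metadata": {"annotations": {ROLE_ANNOTATION: ARN}}}
POD = {"spec": {
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": "sts.amazonaws.com", "path": "token"}}]}}],
    "containers": [
        {"name": "injected", "env": ENV, "volumeMounts": [
            {"name": "aws-iam-token", "mountPath": TOKEN.rsplit("/", 1)[0]}]},
        {"name": "env-only", "env": ENV},
        {"name": "untouched"},
    ]}}

if __name__ == "__main__":
    print(irsa_report(SA, POD))
```

A container that reports only the token-volume problem has the variables set by hand in the chart without the projected token mount, which distinguishes a manual workaround from a pod that was mutated at admission.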