feat: Add pod identity note for ECR access (#6369)

whatnick · web-flow · commit 0a9d91340660 · 2025-09-26T01:22:28.000Z
* Add pod identity note for ECR access

* Add tabs for TF and CLI samples

* Fix up TAB syntax

* Add triple === for content tabs
diff --git a/contribute-to-docs/getting-started/formatting.md b/contribute-to-docs/getting-started/formatting.md
@@ -112,7 +112,7 @@ within tabs. Indent the tab content by four spaces to make the tabs display prop
 
 For example:
 
-    == "tab1 name"
+    === "tab1 name"
 
         This is a stem:
 
@@ -124,7 +124,7 @@ For example:
 
         1. This is another step.
 
-    == "tab2 name"
+    === "tab2 name"
 
         This is a stem:
 
diff --git a/docs/versioned/install/operator/configuring-serving-cr.md b/docs/versioned/install/operator/configuring-serving-cr.md
@@ -257,6 +257,124 @@ spec:
       ...
 ```
 
+### Connect to AWS ECR using Pod Identity
+
+The use of AWS ECR as source of images for deployment using knative-serving requires access to digests for images. This can be obtained via a managed policy - `AmazonEC2ContainerRegistryReadOnly` which is attached to an IAM Role - `knative-serving-controller`. This role is then attached to the `controller` ServiceAccount in the `knative-serving` namespace. This will allow the controller pods to retrieve relevant digests for containers from ECR. Samples are provided below as AWS-CLI commands and Terraform module to perform the setup. Please adapt to the relevant IaC tooling your team uses.
+
+=== "Terraform Example"
+
+    The terraform sample uses AWS Provider Terraform module to put all the pieces together.
+
+    ```terraform
+    module "pod_identity_knative" {
+      source  = "terraform-aws-modules/eks-pod-identity/aws"
+      version = "~>"2.0.0"
+
+      name = "knative-serving-controller"
+
+      additional_policy_arns = {
+        AmazonEC2ContainerRegistryReadOnly = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+      }
+
+      # Pod Identity Associations
+      associations = {
+        knative-serving-controller = {
+          cluster_name    = "some-cluster-name"
+          namespace       = "knative-serving"
+          service_account = "controller"
+        }
+      }
+    }
+    ```
+
+=== "AWS CLI Example"
+
+    The AWS CLI sample uses a bash script to setup the relevant infrastructure
+
+    ```bash
+    # Set variables
+    REGION="<region>"
+    CLUSTER_NAME="<some-cluster-name>"
+    ROLE_NAME="knative-serving-controller"
+    NAMESPACE="knative-serving"
+    SERVICE_ACCOUNT="controller"
+
+    ACCOUNT_ID="$(aws sts get-caller-identity --query 'Account' --output text)"
+    PARTITION="$(aws sts get-caller-identity --query 'Arn' --output text | cut -d: -f2)"
+
+    # Create trust policy for EKS Pod Identity
+    cat > trust-policy.json <<EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "EKSPodIdentityTrust",
+          "Effect": "Allow",
+          "Principal": { "Service": "pods.eks.amazonaws.com" },
+          "Action": [ "sts:AssumeRole", "sts:TagSession" ],
+          "Condition": {
+            "StringEquals": { "aws:SourceAccount": "${ACCOUNT_ID}" },
+            "StringLike": {
+              "aws:SourceArn": "arn:${PARTITION}:eks:${REGION}:${ACCOUNT_ID}:cluster/${CLUSTER_NAME}"
+            }
+          }
+        }
+      ]
+    }
+    EOF
+
+    # Create IAM role and attach ECR read-only policy
+    aws iam create-role \
+      --role-name "${ROLE_NAME}" \
+      --assume-role-policy-document file://trust-policy.json
+
+    aws iam attach-role-policy \
+      --role-name "${ROLE_NAME}" \
+      --policy-arn "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+
+    ROLE_ARN="$(aws iam get-role --role-name "${ROLE_NAME}" --query 'Role.Arn' --output text)"
+    echo "Created role: ${ROLE_ARN}"
+
+    # Ensure the EKS Pod Identity Agent add-on is installed
+    aws eks create-addon \
+      --region "${REGION}" \
+      --cluster-name "${CLUSTER_NAME}" \
+      --addon-name eks-pod-identity-agent \
+      --resolve-conflicts OVERWRITE || true
+
+    # Associate the role with the Knative Serving controller ServiceAccount
+    aws eks create-pod-identity-association \
+      --region "${REGION}" \
+      --cluster-name "${CLUSTER_NAME}" \
+      --namespace "${NAMESPACE}" \
+      --service-account "${SERVICE_ACCOUNT}" \
+      --role-arn "${ROLE_ARN}"
+
+    # Optional: verify association
+    aws eks list-pod-identity-associations \
+      --region "${REGION}" \
+      --cluster-name "${CLUSTER_NAME}" \
+      --query "associations[?namespace=='${NAMESPACE}' && serviceAccount=='${SERVICE_ACCOUNT}']"
+
+    # Cleanup local file
+    rm -f trust-policy.json
+    ```
+
+    Expected output is something like :
+    ```json
+    {
+        "associations": [
+            {
+                "clusterName": "<some-cluster-name>",
+                "namespace": "knative-serving",
+                "serviceAccount": "controller",
+                "associationArn": "<ROLE-ARN>",
+                "associationId": "<SOME-RANDOM-STRING>"
+            },
+            ...
+    }
+    ```
+
 ## SSL certificate for controller
 
 To [enable tag to digest resolution](../../serving/tag-resolution.md), the Knative Serving controller needs to access the container registry.
