From 729557ace98d8ccacf88fb1e2166151a05e5be4b Mon Sep 17 00:00:00 2001 From: Brian Hong Date: Wed, 11 Sep 2019 16:22:02 +0900 Subject: [PATCH] Fix AWS IAM Roles for Service Accounts permission problem. Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`. Unfortunately, external-dns runs as 'nobody' so it cannot access this file. External DNS is then unable to make any AWS API calls to work. See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html Below are the file permissions mounted on External DNS pod: ``` ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/ total 0 drwxrwxrwt 3 root root 100 Sep 11 06:40 . drwxr-xr-x 3 root root 28 Sep 11 06:40 .. drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token -rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token ``` --- Dockerfile | 4 ---- Dockerfile.mini | 4 ---- 2 files changed, 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index eabbf5b025..95ba8f5038 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,8 +31,4 @@ RUN apk add --no-cache ca-certificates && \ COPY --from=builder /github.com/kubernetes-incubator/external-dns/build/external-dns /bin/external-dns -# Run as UID for nobody since k8s pod securityContext runAsNonRoot can't resolve the user ID: -# https://github.com/kubernetes/kubernetes/issues/40958 -USER 65534 - ENTRYPOINT ["/bin/external-dns"] diff --git a/Dockerfile.mini b/Dockerfile.mini index 748b0b3652..62e0c6418e 100644 --- a/Dockerfile.mini +++ b/Dockerfile.mini 
@@ -29,8 +29,4 @@ FROM gcr.io/distroless/static COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /github.com/kubernetes-incubator/external-dns/build/external-dns /bin/external-dns -# Run as UID for nobody since k8s pod securityContext runAsNonRoot can't resolve the user ID: -# https://github.com/kubernetes/kubernetes/issues/40958 -USER 65534 - ENTRYPOINT ["/bin/external-dns"]
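Review bot: In the Dockerfile hunk, dropping `USER 65534` makes the image run as root by default, which gives up the runAsNonRoot hardening described in the removed comment in exchange for reading a token that, per the `ls -al` output in the message, is `-rw------- 1 root root`. The permission problem is better solved at the pod level while keeping the image non-root: set `securityContext.fsGroup: 65534` on the Deployment so the kubelet makes the projected token volume group-readable by the nobody user, which is the usual fix for IRSA with non-root images. If the USER line really must go, replace the deleted comment with one explaining why, and document that deployments are now expected to set `runAsUser`/`fsGroup` themselves.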
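Review bot: The Dockerfile.mini hunk has the same regression: with `USER 65534` removed, the `gcr.io/distroless/static` image runs `/bin/external-dns` as root, and the distroless base offers no other mitigation on its own. Keep the USER directive in both images and address the token file mode through pod `fsGroup` so the two Dockerfiles stay consistent with each other; at minimum, the removal of the privilege drop should be called out in the README or changelog rather than left as a silent change, since operators relying on the previous non-root default would not notice it from the image tag.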