I created a CodePipeline definition on AWS. At the beginning I build a Docker image and send it to ECR (the container registry on AWS). When the Docker image has been sent to the registry, I call a Lambda function that should update the definition of an existing deployment by replacing the Docker image id in that deployment definition. The Lambda function is implemented using Node.js, takes the recently sent image id and tries to patch the deployment definition. When it tries to patch the deployment, I receive a response like the one below.
body: {
kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message: 'deployments.apps "arch-app" is forbidden:
User "system:serviceaccount:arch-user:default" cannot patch resource "deployments"
in API group "apps" in the namespace "arch-ns"',
reason: 'Forbidden',
details: [Object],
code: 403
}
This user account belongs to AWS IAM and I used it to create the test cluster with Kubernetes, so it's the owner of the cluster. Any operation I do on the cluster, I do using this account, and it works fine (I can create resources and apply changes to them without any problems using this account).
I created an additional role in this namespace and a role binding for the AWS user account I use, but it didn't resolve the issue (and it was probably redundant). The Lambda function has full permissions to all resources on ECR and EKS.
Does/did anybody have a similar issue with such deployment patching on EKS using a Lambda function?
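The 403 above is a Kubernetes RBAC decision, not an IAM one: the caller the API server sees is the service account "default" in namespace "arch-user", and nothing grants that subject the "patch" verb on deployments in namespace "arch-ns". The added example below (my own code, not from the poster or from AWS) parses that exact Forbidden message, derives the least-privilege Role and RoleBinding that would satisfy it, and includes a small check of what the generated Role allows. The role name and the JSON output are my own choices; kubectl accepts JSON manifests, so no YAML library is needed.

```python
import json
import re

# Shape of the API server's Forbidden message for a service account subject.
# Groups: the SA's own namespace, SA name, verb, resource, API group, target namespace.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)


def parse_forbidden(message):
    """Extract subject, verb, resource, API group and namespace from a Forbidden message.

    Whitespace is collapsed first because the message is often wrapped across lines
    (as in the response body quoted in the question). Returns None if it does not match.
    """
    m = FORBIDDEN_RE.search(" ".join(message.split()))
    return m.groupdict() if m else None


def least_privilege_rbac(info, role_name=None, extra_verbs=()):
    """Build the minimal Role + RoleBinding that would allow exactly the denied call.

    The Role and the RoleBinding live in the *target* namespace (info['ns']), while the
    subject refers to the service account in its *own* namespace (info['sa_ns']). Mixing
    these two up is the usual reason a binding is created but the 403 persists.
    """
    role_name = role_name or f"{info['sa']}-{info['verb']}-{info['resource']}"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": info["ns"]},
        "rules": [{
            "apiGroups": [info["group"]],
            "resources": [info["resource"]],
            "verbs": sorted({info["verb"], *extra_verbs}),
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{role_name}-binding", "namespace": info["ns"]},
        "subjects": [{
            "kind": "ServiceAccount",
            "name": info["sa"],
            "namespace": info["sa_ns"],
        }],
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "Role",
            "name": role_name,
        },
    }
    return role, binding


def role_allows(role, verb, resource, group):
    """Evaluate a Role the way RBAC does: any rule matching verb, resource and group wins."""
    for rule in role["rules"]:
        if (group in rule["apiGroups"] or "*" in rule["apiGroups"]) \
                and (resource in rule["resources"] or "*" in rule["resources"]) \
                and (verb in rule["verbs"] or "*" in rule["verbs"]):
            return True
    return False


def manifests_json(role, binding):
    """Serialise both objects as a v1 List so they can be applied in one kubectl call."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2)


# Constructed sample: the message from the question, wrapped as the response body showed it.
SAMPLE_MESSAGE = (
    'deployments.apps "arch-app" is forbidden:\n'
    'User "system:serviceaccount:arch-user:default" cannot patch resource "deployments"\n'
    'in API group "apps" in the namespace "arch-ns"'
)

if __name__ == "__main__":
    info = parse_forbidden(SAMPLE_MESSAGE)
    role, binding = least_privilege_rbac(info)
    print(manifests_json(role, binding))
```

Apply the printed List with `kubectl apply -f -` and re-check with `kubectl auth can-i patch deployments.apps -n arch-ns --as=system:serviceaccount:arch-user:default`. Keeping the Role scoped to one namespace and one verb, rather than binding a cluster-wide admin role to the Lambda's service account, limits what a compromised pipeline step could change.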