IAM permissions in EKS cluster
With the introduction of IRSA (IAM Roles for Service Accounts), there are now two options for defining the IAM role that pods use in an EKS cluster:
IRSA
Each pod gets its own IAM role through its service account. This is the preferred method.
- pros - fine-grained permissions per pod
- cons - additional IAM roles have to be created and maintained
- example
NodeInstanceRole
Each node gets a specific IAM role (the instance profile of the worker node).
- pros - a single instance profile per EKS worker node
- cons - every pod on the node gets all the permissions of the node role
- example
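Added example (not part of the original note): the two artifacts IRSA needs, the IAM trust policy that lets only one Kubernetes service account assume the role, and the ServiceAccount annotated with the role ARN, plus a small audit that flags trust policies whose subject condition is missing or wildcarded (which would let any pod in the cluster assume the role, losing the per-pod advantage over the NodeInstanceRole approach). The account id, OIDC provider id, region, namespace and service-account names are constructed placeholders.

```python
"""Added example (not from the original note): build the IAM trust policy and
ServiceAccount manifest that IRSA needs, then audit a trust policy for the two
conditions that keep it scoped to one pod identity.

All account ids, OIDC provider ids, region and names are constructed
placeholders, not real resources.
"""
import json
import re

# Constructed placeholder values (not real resources).
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def build_irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Return the trust policy (as a dict) for a role that only the given
    Kubernetes ServiceAccount can assume via the cluster's OIDC provider.

    The `:sub` condition pins the role to one namespace/service-account pair;
    the `:aud` condition restricts accepted tokens to the STS audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def build_service_account_manifest(namespace, service_account, role_arn):
    """Return the Kubernetes ServiceAccount (as a dict) annotated with the role
    ARN; EKS injects the web-identity token and AWS env vars into pods using it."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": service_account,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def overly_broad_trust_policy(account_id, oidc_provider):
    """Constructed 'before' case: a wildcard subject and no audience check."""
    policy = build_irsa_trust_policy(account_id, oidc_provider, "ns", "sa")
    policy["Statement"][0]["Condition"] = {
        "StringLike": {f"{oidc_provider}:sub": "system:serviceaccount:*:*"}
    }
    return policy


def audit_trust_policy(policy):
    """Return a list of findings for web-identity statements that let more than
    one service account assume the role. An empty list means every statement
    is scoped to a single namespace/service-account pair and checks `:aud`."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        sub_values, aud_present = [], False
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                values = value if isinstance(value, list) else [value]
                if key.endswith(":sub"):
                    sub_values.extend((operator, v) for v in values)
                if key.endswith(":aud"):
                    aud_present = True
        if not sub_values:
            findings.append(f"statement {i}: no :sub condition, any service account can assume the role")
        for operator, v in sub_values:
            # A wildcard in the subject widens trust to every matching service account.
            if operator == "StringLike" and "*" in v:
                findings.append(f"statement {i}: wildcard subject {v!r}")
            elif not re.fullmatch(r"system:serviceaccount:[a-z0-9.-]+:[a-z0-9.-]+", v):
                findings.append(f"statement {i}: unexpected subject {v!r}")
        if not aud_present:
            findings.append(f"statement {i}: no :aud condition")
    return findings


if __name__ == "__main__":
    good = build_irsa_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, "kube-system", "external-dns")
    print(json.dumps(good, indent=2))
    print("findings (scoped):", audit_trust_policy(good))
    print("findings (broad):", audit_trust_policy(overly_broad_trust_policy(ACCOUNT_ID, OIDC_PROVIDER)))
```

The audit is the check worth running over every role trusted by the cluster's OIDC provider: a `StringLike` subject with `*` or a missing `:aud` turns a per-pod role back into a cluster-wide one.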
links
https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#create-iam-role
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html