Jonah Back

Results: 21 comments by Jonah Back

You should be able to make this work with the way things are today in instance-manager and upgrade-manager. Upgrade manager uses the eviction API to drain pods from a node....

Ah sorry @preflightsiren - didn't see this reply. Basically, where I was going is that Pods that can't handle disruption can define PodDisruptionBudgets - which are respected by the upgrade...
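
As an added example (not part of the comment above, and not code from the upgrade-manager project), here is the kind of `PodDisruptionBudget` a disruption-sensitive workload would define. The workload name `quorum-db`, the namespace `databases` and the replica count are assumptions for illustration; the mechanism is standard Kubernetes: the Eviction API, which `kubectl drain` and eviction-based node drainers go through, refuses any eviction that would drop the number of ready pods below `minAvailable`.

```yaml
# Added example, not from the thread. Assumes a 3-replica StatefulSet
# "quorum-db" in namespace "databases" that can tolerate losing one member.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: quorum-db-pdb
  namespace: databases
spec:
  # Evictions are refused while fewer than 2 matching pods are ready.
  # (maxUnavailable: 1 expresses the same budget for a 3-replica set.)
  minAvailable: 2
  selector:
    matchLabels:
      app: quorum-db
```

Check it with `kubectl get pdb -n databases`: the `ALLOWED DISRUPTIONS` column shows how many evictions the budget currently permits. The caveat a drainer has to live with: a PDB whose `minAvailable` equals the replica count (or a workload that never becomes ready) allows zero disruptions, so an eviction-based drain of that node will block until someone fixes the budget or the pod.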

I could see it being useful - though we just use multiple IGs right now with `scale from zero` enabled and it solves it for us. CA does a decent...

More like - we have multiple IGs with different compute / memory requirements. CA is configured to `least-waste`

I wonder if it makes sense to use EventBridge + SQS for this. We use the AWS Node Termination Handler (https://github.com/aws/aws-node-termination-handler) with the queue processor, which uses EventBridge + SQS...

@eytan-avisror I think it's more desirable to keep the metadata as a label on the IG - so that folks that may want to use it can target it with...

I'm not sure I fully understand the use case - if I have it right, the intention is to enforce the existence of annotations on IGs dynamically through a rule...

We've been leveraging Calico's `GlobalNetworkPolicy` to deny IMDS access across all namespaces, and forcing namespaces to use IAM Roles for Service Accounts.

```yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-aws-metadata-access
```
...
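
The comment above is truncated, so as an added example (not the commenter's snippet, and not part of any project this thread is about) here is a complete policy of the shape described, plus the IRSA-annotated `ServiceAccount` that workloads use instead. The `order` value, the namespace `app`, the service account name `s3-reader` and the role ARN are placeholders chosen for illustration.

```yaml
# Added example, not the original comment's manifest. Drops pod egress to the
# EC2 instance metadata endpoint cluster-wide so that AWS credentials can only
# be obtained through IAM Roles for Service Accounts.
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: block-aws-metadata-access
spec:
  # Low order so this is evaluated before namespaced NetworkPolicies.
  order: 10
  # all() matches every workload endpoint in every namespace.
  selector: all()
  types:
    - Egress
  egress:
    # IMDS (v1 and v2) is only reachable at this link-local address.
    - action: Deny
      destination:
        nets:
          - 169.254.169.254/32
    # Hand all other egress to later policies and the namespace profile.
    # Without a final rule, Calico's end-of-policy default would deny every
    # other egress flow for each pod this policy matches.
    - action: Pass
---
# A workload that needs AWS access gets a ServiceAccount annotated for IRSA;
# the account ID and role name below are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-reader
  namespace: app
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/s3-reader
```

Two things to verify after applying it. From a pod in any namespace, `curl -m 2 http://169.254.169.254/latest/meta-data/` should time out rather than return the instance role name, and a pod running as the annotated service account should still get credentials through the SDK's web identity token path. Two caveats: `all()` also selects any `HostEndpoint` objects you have defined, so if the nodes themselves need IMDS (the kubelet, or termination handlers) restrict the selector to pods, for example `projectcalico.org/orchestrator == 'k8s'`; and `hostNetwork` pods are not workload endpoints, so this policy does not cover them either way.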

Yeah, I think delegating to the SDK is probably long-term the best move. It's the behavior folks generally expect when any tool integrates with AWS for access

I wonder if the easiest solution here is to let clients plug in a custom AuthTranslator - allowing them to implement whatever custom logic they need to resolve the credentials....