Open gtirloni opened 10 months ago
Hi @gtirloni , we don't support the exec part of the user in kubeconfig at the moment. So if authenticating requires running an external command, it won't work. We are planning on adding this functionality though.
I have the same issue with the flatpak
installation with both EKS and GKE clusters.
10:04:39.295 › server process stderr: 2023/12/15 10:04:39 http: proxy error: getting credentials: exec: executable gke-gcloud-auth-plugin not found
10:04:39.332 › server process stderr: 2023/12/15 10:04:39 http: proxy error: getting credentials: exec: executable aws not found
I downloaded the deb
package from the releases, this one works perfectly fine with the auth plugins.
It's a well-known issue of Linux jailed apps installed using snap
or flatpak
, they cannot access anything out of their "jail". As the cloud providers' auth plugins are typically installed this way, it would be great if you standardize on non-jailed apps (like deb
and rpm
packages) i.s.o. flatpak
.
@yolossn How is it possible that the eks auth seems to be reported working in the case of the deb? (I thought we don't do anything with the exec part of the kubeconfig)
@tsipo , we'll look into finding a solution for flatpak.
@joaquimrocha We actually don't actively deal with the exec part, based on @tsipo comment I looked into it and to my surprise it worked in certain exec configurations and didn't work in others. On further investigation found that the kubernetes/client-go changes that we made is handling it internally for certain cases where interactive browser flow for authenticating is not required.
For example the kubelogin exec command used by AKS clusters support many methods like devicecode
, interactive
, spn
, ropc
, msi
, azurecli
, workloadidentity
. The devicecode
login method expects the user to open a link and paste the provided code and in case of azurecli
the token fetch is handled by az
. The kubernetes/client-go
is internally able to handle non-interactive token fetching methods like the azurecli
one.
This seems to also affect the windows client as I cannot use the desktop app to login to my EKS cluster from the desktop, but the in-cluster service works fine.
I have the same issue with DigitalOcean authentication.
@joaquimrocha is there already a github issue to track the general problem of exec-based authentication from the Flatpak?
I guess the possible approaches to avoid shipping all the possible cli tools involve using extensions, one for each tool, or use flatpak-spawn
somehow to call out to the host.
@em- , I don't think we have an issue just for flatpak, but we should tackle that when we add support for the kubectl exec.
@gtirloni , I am trying to fix this. If you can help us test it, it'd be highly appreciated. See this comment for instructions.
@joaquimrocha Let me know when I can help test. I need to connect to EKS clusters on macos. My kubeconfig entries use the client.authentication exec w/ aws eks get-token, like the one in the description.
I will prepare a build for everyone to try.
@joebowbeer and everyone, here is a build of Headlamp which should work with EKS. Please find the DMGs at the bottom of this action run (you need to be logged in to Github): https://github.com/headlamp-k8s/headlamp/actions/runs/10672802557
@joaquimrocha Thanks! Your dmg works for me on macos, and so does release 0.25.1
Aside: I wish the cluster name column could be expanded, and custom names/avatars could be assigned to clusters, as my cluster names are very long and are chopped off in all the cluster views. However, if I hide all the columns except cluster name, then I can make out their full names.
Aside: I wish the cluster name column could be expanded, and custom names/avatars could be assigned to clusters, as my cluster names are very long and are chopped off in all the cluster views. However, if I hide all the columns except cluster name, then I can make out their full names.
It's a good idea. And we should maybe wrap those names, so all of them are visible.
Aside: I wish the cluster name column could be expanded, and custom names/avatars could be assigned to clusters, as my cluster names are very long and are chopped off in all the cluster views. However, if I hide all the columns except cluster name, then I can make out their full names.
It's a good idea. And we should maybe wrap those names, so all of them are visible.
Sorry to hijack the discussion, but I wanted to clarify a couple things:
In order to access the Kubernetes API of an EKS cluster, it's necessary to use the
aws eks get-token
command.This is usually configured in the kubeconfig file:
However, the Flatpak does not have access to the host's filesystem by default. This can be granted with
filesystem=host
but there are other issues.The awscli executable is installed in
/usr/bin/aws
on the host but/usr/bin
inside the Flatpak is different. To access the host's awscli one has to execute/var/run/host/usr/bin/aws
, so adding/var/run/host/usr/bin
to the PATH inside the Flatpak is necessary. But there are other issues.The awscli tool is a Python application that loads other Python modules. The Python interpreter won't be able to find the host's dist-packages directory. It's necessary to add
/var/run/host/usr/lib/python3/dist-packages
to thePYTHONPATH
environment variable inside the Flatpak. But there are other issues.The awscli tool uses a native module called
awscrt
that is compiled for Python 3.11 but the Flatpak packages Python 3.10. When the interpreter tries to loadawscli.checksums
, it does not have permission to write to the__pycache__
directory:Setting
PYTHONDONTWRITEBYTECODE=1
resolves the error but the module still can't be loaded (probably related to the binary .so that needs to be loaded).It seems a better solution would be for Headlamp to pack all the tools required to authenticate to EKS/AKS/GKE into the Flatpak.