twz123
commented
1 week ago If this requires to run on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?
Open ianb-mp opened 1 week ago
twz123
commented
1 week ago If this requires to run on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?
juanluisvaladas
commented
5 days ago Hi, In addition that, I think you'll need to label the node manually:
$ kubectl label node/controller-0.k0s.lab node-role.kubernetes.io/master=""
node/controller-0.k0s.lab labeled
$ k0s kc get node --show-labels controller-0.k0s.lab
NAME STATUS ROLES AGE VERSION LABELS
controller-0.k0s.lab Ready control-plane,master 3d23h v1.30.1+k0s beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=controller-0.k0s.lab,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,node-role.kubernetes.io/master=,node.k0sproject.io/role=control-planeThis annotation is deprecated so I don't know if it makes sense to label the node automatically anymore.
ianb-mp
commented
1 day ago If this requires to run on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?
No, I haven't tried that. I saw the FAQ entry which recommends against this for prod so I'd discounted it. I'm using OIDC for now, but may come back to IAM authenticator later.
Is your feature request related to a problem? Please describe.
No response
Describe the solution you would like
It would be good to support aws-iam-authenticator to provide another option for api auth.
AFAIK it is not currently possible to deploy this addon due to k0s's control plane isolation. For example, aws-iam-authenticator requires a nodeSelector for the nodes running kube-apiserver.
Describe alternatives you've considered
No response
Additional context
No response