k0sproject / k0s

k0s - The Zero Friction Kubernetes
https://docs.k0sproject.io

Support aws-iam-authenticator #4662

Open ianb-mp opened 5 months ago

ianb-mp commented 5 months ago

Is your feature request related to a problem? Please describe.

No response

Describe the solution you would like

It would be good to support aws-iam-authenticator to provide another option for api auth.

AFAIK it is not currently possible to deploy this addon due to k0s's control plane isolation. For example, aws-iam-authenticator requires a nodeSelector for the nodes running kube-apiserver.

Describe alternatives you've considered

No response

Additional context

No response

twz123 commented 5 months ago

If this requires running on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?

juanluisvaladas commented 5 months ago

Hi, in addition to that, I think you'll need to label the node manually:

$ kubectl label node/controller-0.k0s.lab  node-role.kubernetes.io/master=""
node/controller-0.k0s.lab labeled
$ k0s kc get node --show-labels controller-0.k0s.lab
NAME                   STATUS   ROLES                  AGE     VERSION       LABELS
controller-0.k0s.lab   Ready    control-plane,master   3d23h   v1.30.1+k0s   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=controller-0.k0s.lab,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,node-role.kubernetes.io/master=,node.k0sproject.io/role=control-plane

This annotation is deprecated so I don't know if it makes sense to label the node automatically anymore.

ianb-mp commented 4 months ago

If this requires running on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?

No, I haven't tried that. I saw the FAQ entry which recommends against this for prod so I'd discounted it. I'm using OIDC for now, but may come back to IAM authenticator later.

twz123 commented 4 months ago

I'd also check whether it's actually a requirement to run on controller nodes. I had a quick glance at the repo, and it's not directly obvious to me why this shouldn't work if you rewrote the controller-pinned DaemonSet into a regular Deployment.
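The two workarounds raised in this thread, as an added example that is not code from the k0s project or from any commenter: juanluisvaladas' point that the controller node lacks the deprecated `node-role.kubernetes.io/master` label a master-pinned nodeSelector asks for, and twz123's suggestion to rewrite the controller-pinned DaemonSet into a regular Deployment. The label string is taken from the `k0s kc get node --show-labels` output above, as it would look before the manual `kubectl label` step. The DaemonSet manifest is constructed for this example in the shape the thread describes (a nodeSelector on the master label plus matching tolerations); its image, names and field values are placeholders, not the upstream aws-iam-authenticator manifest.

```python
"""Label-selector check and DaemonSet -> Deployment rewrite (added example)."""
import copy
import json

# Label column as printed by `k0s kc get node --show-labels` in the thread,
# captured before the manual `kubectl label` step (no master label yet).
K0S_CONTROLLER_LABEL_COLUMN = (
    "beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,"
    "kubernetes.io/arch=amd64,kubernetes.io/hostname=controller-0.k0s.lab,"
    "kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,"
    "node.k0sproject.io/role=control-plane"
)

# Constructed manifest (assumption: shape only). A DaemonSet pinned to the
# control plane through a nodeSelector on the deprecated master label.
# Placeholder image; this is NOT the upstream aws-iam-authenticator manifest.
PINNED_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "aws-iam-authenticator", "namespace": "kube-system"},
    "spec": {
        "selector": {"matchLabels": {"k8s-app": "aws-iam-authenticator"}},
        "updateStrategy": {"type": "RollingUpdate"},
        "template": {
            "metadata": {"labels": {"k8s-app": "aws-iam-authenticator"}},
            "spec": {
                "hostNetwork": True,
                "nodeSelector": {"node-role.kubernetes.io/master": ""},
                "tolerations": [
                    {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"},
                    {"key": "CriticalAddonsOnly", "operator": "Exists"},
                ],
                "containers": [
                    {
                        "name": "aws-iam-authenticator",
                        "image": "example.invalid/aws-iam-authenticator:placeholder",
                    }
                ],
            },
        },
    },
}

# Keys whose only job is to pin the pod to controllers. Dropping them assumes
# the workload does not otherwise need to run on a controller, which is the
# open question in the thread.
CONTROL_PLANE_KEYS = (
    "node-role.kubernetes.io/master",
    "node-role.kubernetes.io/control-plane",
)


def parse_label_column(column):
    """Turn the 'k1=v1,k2=' column from `kubectl --show-labels` into a dict."""
    labels = {}
    for item in column.split(","):
        if item:
            key, _, value = item.partition("=")
            labels[key] = value
    return labels


def node_matches_selector(labels, node_selector):
    """nodeSelector semantics: every key present with exactly that value."""
    return all(labels.get(k) == v for k, v in node_selector.items())


def missing_labels(labels, node_selector):
    """The selector entries a node lacks, i.e. what `kubectl label` must add."""
    return {k: v for k, v in node_selector.items() if labels.get(k) != v}


def daemonset_to_deployment(ds, replicas=1):
    """Rewrite a controller-pinned DaemonSet into a Deployment (new object)."""
    if ds.get("kind") != "DaemonSet":
        raise ValueError("expected a DaemonSet, got %r" % ds.get("kind"))
    dep = copy.deepcopy(ds)
    dep["kind"] = "Deployment"
    dep["spec"]["replicas"] = replicas
    dep["spec"].pop("updateStrategy", None)  # DaemonSet-only; Deployment uses "strategy"
    pod = dep["spec"]["template"]["spec"]
    selector = pod.get("nodeSelector", {})
    for key in CONTROL_PLANE_KEYS:
        selector.pop(key, None)
    if not selector:
        pod.pop("nodeSelector", None)
    # Tolerations for control-plane taints are no longer needed either.
    pod["tolerations"] = [
        t for t in pod.get("tolerations", []) if t.get("key") not in CONTROL_PLANE_KEYS
    ]
    if not pod["tolerations"]:
        pod.pop("tolerations")
    return dep


if __name__ == "__main__":
    labels = parse_label_column(K0S_CONTROLLER_LABEL_COLUMN)
    selector = PINNED_DAEMONSET["spec"]["template"]["spec"]["nodeSelector"]
    print("labels controller-0 is missing:", missing_labels(labels, selector))
    print(json.dumps(daemonset_to_deployment(PINNED_DAEMONSET), indent=2))
```

Whichever route is taken, the thing to confirm afterwards is reachability: with the Deployment variant the webhook pod no longer runs on the controller itself, so kube-apiserver on an isolated k0s controller must still be able to reach it. The DaemonSet route needs `--enable-worker` on the controllers, which the k0s FAQ cited above advises against for production.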