boz/kail

`Can't connnect to kubernetes: Unauthorized` error when using aws-iam-authenticator

coryodaniel opened this issue · 7 comments

I have been using this tool (and it's fantastic) for the past week or so. I recently moved to the aws-iam-authenticator and it now returns the error above.

I saw an older related ticket and fix (#2). It seems to just be adding the GCP auth plugin.

aws-iam-authenticator is handled through exec so maybe just adding the following will work?

https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go

I'm curious if there is a way for it to work with all supported authentication strategies. Based on the files in that auth directory, I assume people using OIDC have the same issue?

Version: 0.6.0 (e2ee089)

Apologies, I can see this is fixed in master!

boz commented

Hi @coryodaniel, thanks for the report!

It's currently loading all of the builtin plugins.

Adding aws-iam-authenticator might be as simple as importing the right package, but I have a feeling that the k8s.io libs that kail -- and kcache, the lib that powers it -- use are severely out of date.

Hmm, it's working for you? Nice!

Yeah, it's working great. Any chance of building a 0.6.1 with the support for exec?

boz commented

The only difference between 0.6.0 and master is one small doc change.

I wonder what's going on here? Maybe it's a golang version issue? The binary is built with 1.9.

I'm running go version go1.10 darwin/amd64; if I build from master it works!

Heads up, I am absolutely no Go jedi!

Is there any output that could be helpful?

I also ran into this issue with the 0.6.0 release when trying to communicate with an AWS EKS cluster:

```
kail: error: Can't connnect to kubernetes: namespaces is forbidden: User "system:anonymous" cannot list namespaces at the cluster scope
```

I was able to get things working locally by updating the k8s.io/client-go package and its dependencies to 1.11.2, which has support for the exec credential provider, and building locally (go1.10 darwin/amd64):

```
govendor sync
govendor fetch k8s.io/client-go/...@kubernetes-1.11.2 \
               k8s.io/api/...@kubernetes-1.11.2 \
               k8s.io/apimachinery/...@kubernetes-1.11.2
# required by k8s.io/apimachinery (https://github.com/kubernetes/apimachinery/issues/46)
govendor fetch github.com/json-iterator/go@1.1.4
# bumped to fix a build error with k8s.io/client-go's azure auth
# see https://github.com/kubernetes-incubator/service-catalog/blob/master/Gopkg.toml#L59-L64
# and https://github.com/heptio/ark/blob/master/Gopkg.toml#L54-L58 for others who had to do this
govendor fetch github.com/Azure/go-autorest/...@1ff28809256a84bb6966640ff3d0371af82ccba4
make
```

Hope this helps!
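Added example, not part of the thread and not kail or client-go code: a minimal Go model of why a client without exec credential support ends up as `system:anonymous`, while one with support sends the plugin's token as a bearer credential. The function names are hypothetical, the `ExecCredential` shape assumes the `client.authentication.k8s.io/v1alpha1` format, and the sample token is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// execCredential mirrors the fields of the ExecCredential object that an
// exec credential plugin prints on stdout (only the fields used here).
type execCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     *struct {
		Token string `json:"token"`
	} `json:"status"`
}

// bearerFromExecOutput validates plugin output and returns the Authorization
// header value a client with exec support would send.
func bearerFromExecOutput(out []byte) (string, error) {
	var cred execCredential
	if err := json.Unmarshal(out, &cred); err != nil {
		return "", fmt.Errorf("decode plugin output: %w", err)
	}
	if cred.Kind != "ExecCredential" {
		return "", fmt.Errorf("unexpected kind %q", cred.Kind)
	}
	if cred.Status == nil || cred.Status.Token == "" {
		return "", errors.New("plugin returned no token")
	}
	return "Bearer " + cred.Status.Token, nil
}

// authorizationHeader models the two client generations (an assumption of
// this example): without exec support the kubeconfig stanza is ignored.
func authorizationHeader(pluginOut []byte, clientSupportsExec bool) (string, error) {
	if !clientSupportsExec {
		return "", nil // request goes out unauthenticated
	}
	return bearerFromExecOutput(pluginOut)
}

// Constructed sample output; the token is a placeholder, not a real credential.
const sampleOutput = `{"apiVersion":"client.authentication.k8s.io/v1alpha1","kind":"ExecCredential","status":{"token":"k8s-aws-v1.EXAMPLE"}}`

func main() {
	for _, supported := range []bool{false, true} {
		h, err := authorizationHeader([]byte(sampleOutput), supported)
		fmt.Printf("exec support=%v header=%q err=%v\n", supported, h, err)
	}
}
```

An empty header with no error is the case to watch for: the client reports nothing wrong locally, and the failure only surfaces as an authorization error from the API server.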

boz commented

Thanks, @dgarbus, that's really helpful.