`Can't connnect to kubernetes: Unauthorized` error when using aws-iam-authenticator
coryodaniel opened this issue · 7 comments
I have been using this tool (and its fantastic) for the past week or so. I recently moved to the aws-iam-authenticator and it now returns the error above.
I saw an older related ticket and fix (#2). It seem to just be adding the GCP auth pluging.
aws-iam-authenticator is handled through exec
so maybe just adding the following will work?
https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go
I'm curious if there is a way for it to work with all supported authentication strategies. Based on the files in that auth
directory, I assume people using OIDC have the same issue?
Version: 0.6.0 (e2ee089)
Apologies, I can see this is fixed in master!
Hi @coryodaniel, thanks for the report!
It's currently loading all of the builtin plugins .
Adding aws-iam-authenticator
might be as simple as importing the right package, but I have a feeling that the k8s.io libs that kail
-- and kcache, the lib that powers it -- are severely out of date.
Hmm, it's working for you? Nice!
Yeah its working great, any chance of building a 0.6.1 with the suppoert for exec
?
The only difference between 0.6.0
and master is one small doc change.
I wonder what's going on here? Maybe it's a golang version issue? The binary is built with 1.9
.
I'm running go version go1.10 darwin/amd64
if I build from master it works!
Heads up, I am absolutely no Go jedi!
Is there any output that could be helpful?
I also ran into this issue with the 0.6.0 release when trying to communicate with an AWS EKS cluster:
kail: error: Can't connnect to kubernetes: namespaces is forbidden: User "system:anonymous" cannot list namespaces at the cluster scope
I was able to get things working locally by updating the k8s.io/client-go package and its dependencies to 1.11.2, which has support for the exec
credential provider, and building locally (go1.10 darwin/amd64):
govendor sync
govendor fetch k8s.io/client-go/...@kubernetes-1.11.2 \
k8s.io/api/...@kubernetes-1.11.2 \
k8s.io/apimachinery/...@kubernetes-1.11.2
# required by k8s.io/apimachinery (https://github.com/kubernetes/apimachinery/issues/46)
govendor fetch github.com/json-iterator/go@1.1.4
# bumped to fix a build error with k8s.io/client-go's azure auth
# see https://github.com/kubernetes-incubator/service-catalog/blob/master/Gopkg.toml#L59-L64
# and https://github.com/heptio/ark/blob/master/Gopkg.toml#L54-L58 for others who had to do this
govendor fetch github.com/Azure/go-autorest/...@1ff28809256a84bb6966640ff3d0371af82ccba4
make
Hope this helps!