aws-iam-authenticator for baremetal variant #2823

Closed
rpkelly opened this issue Feb 23, 2023 Discussed in #2809 · 8 comments
Labels
area/metal Bare metal support

Comments

@rpkelly
Contributor

rpkelly commented Feb 23, 2023

Discussed in #2809

Originally posted by StefanTheWiz February 15, 2023
Hi!

I'm trying to use AWS EKS as the control plane with Bottlerocket baremetal nodes.
I was wondering if there was a particular reason why aws-iam-authenticator is not included in the baremetal variant?

Based on the README, I was kinda expecting that it would be included (for instance for using IAM Roles Anywhere).

To start, we're focusing on the use of Bottlerocket as a host OS in AWS EKS Kubernetes clusters and Amazon ECS clusters.

As an experiment, I've built a version of baremetal that has the aws-iam-authenticator (diff here).
However, the update process might remove the authenticator, which might mean maintaining our own TUF repo and that would be a tough sell.

@rpkelly rpkelly added the area/metal Bare metal support label Feb 23, 2023
@rpkelly
Contributor Author

rpkelly commented Feb 23, 2023

Documentation currently says this concerning authentication:

settings.kubernetes.authentication-mode: Which authentication method the kubelet should use to connect to the API server, and for incoming requests. Defaults to aws for AWS variants, and tls for other variants.

It does not currently mention whether aws is supported in those other variants, just that it's not the default.

@bcressey
Contributor

bcressey commented Mar 1, 2023

The mechanics of adding the package are straightforward, but I need a better understanding of the security implications of this to form an opinion on whether this is a good idea. I'll reach out to some folks internally.

@StefanTheWiz

The mechanics of adding the package are straightforward, but I need a better understanding of the security implications of this to form an opinion on whether this is a good idea. I'll reach out to some folks internally.

Hi. Any updates on this? :)

@StefanTheWiz

Still a blocker... 👎

@stmcginnis
Contributor

Sorry for the delay on updates here. I know there are some possible security concerns with including aws-iam-authenticator for metal variants. I know there were some reviews being requested with some AWS security folks to provide more details, but unfortunately I don't have an update on where that process stands. I will reach out to some folks and see if we can get any updates.

@cbgbt
Contributor

cbgbt commented Aug 22, 2023

@StefanTheWiz thanks for your patience here. @yeazelm has merged aws-iam-authenticator, which should be available in Bottlerocket 1.15.0, tracked in #3169.

Would you mind giving this a shot and checking that it resolves your issues?

@yeazelm
Contributor

yeazelm commented Sep 19, 2023

This was released in the 1.15.0 release.

@yeazelm yeazelm closed this as completed Sep 19, 2023
@StefanTheWiz

Thanks! I'll check it out soon and let you know
