Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubeconfig exec authentication when connecting with --docker from a WSL #3606

Merged
merged 1 commit into from
Jun 3, 2024
Merged

Kubeconfig exec authentication when connecting with --docker from a WSL #3606

merged 1 commit into from
Jun 3, 2024

Conversation

thallgren
Copy link
Member

Clusters like Amazon EKS often use a special authentication binary that is declared in the kubeconfig using an exec authentication strategy. This binary is normally not available inside a container. Consequently, a modified kubeconfig is used when telepresence connect --docker executes, appointing a kubeauth binary which instead retrieves the authentication from a port on the Docker host that communicates with another process outside of Docker. This process then executes the original exec command to retrieve the necessary credentials.

This setup was problematic when using WSL, because even though telepresence connect --docker was executed on a Linux host, the Docker host available from host.docker.internal that the kubeauth connected to was the Windows host running Docker Desktop. The fix for this was to use the local IP of the default route instead of host.docker.internal when running under WSL.

@thallgren thallgren added the ok to test Applied by maintainers when a PR is ready to have tests run on it label Jun 3, 2024
@github-actions github-actions bot removed the ok to test Applied by maintainers when a PR is ready to have tests run on it label Jun 3, 2024
@thallgren thallgren linked an issue Jun 3, 2024 that may be closed by this pull request
Connecting in Windows WSL with --docker option does not succeed #3603
Closed
@thallgren
Kubeconfig exec authentication when connecting with --docker from a WSL
54233bc 
Clusters like Amazon EKS often use a special authentication binary that
is declared in the kubeconfig using an `exec` authentication strategy.
This binary is normally not available inside a container. Consequently,
a modified kubeconfig is used when `telepresence connect --docker`
executes, appointing a `kubeauth` binary which instead retrieves the
authentication from a port on the Docker host that communicates with
another process outside of Docker. This process then executes the
original `exec` command to retrieve the necessary credentials.

This setup was problematic when using WSL, because even though
`telepresence connect --docker` was executed on a Linux host, the Docker
host available from `host.docker.internal` that the `kubeauth` connected
to was the Windows host running Docker Desktop. The fix for this was to
use the local IP of the default route instead of `host.docker.internal`
when running under WSL.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
@thallgren thallgren force-pushed the thallgren/wsl-docker-kubeauth branch from d507b1f to 54233bc Compare June 3, 2024 11:33
@thallgren thallgren added the ok to test Applied by maintainers when a PR is ready to have tests run on it label Jun 3, 2024
@github-actions github-actions bot removed the ok to test Applied by maintainers when a PR is ready to have tests run on it label Jun 3, 2024
@thallgren thallgren merged commit 52b5ce0 into release/v2 Jun 3, 2024
17 checks passed
@thallgren thallgren deleted the thallgren/wsl-docker-kubeauth branch June 3, 2024 12:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Connecting in Windows WSL with --docker option does not succeed
1 participant
@thallgren