✨ feat: Support setting EKS authentication mode #5578
Conversation
k8s-ci-robot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @joshfrench! |
k8s-ci-robot
added
needs-ok-to-test
|
Hi @joshfrench. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
@joshfrench
Thank you for working on this.This will unblock my work for EKS Hybrid Node Cluster #5245.
Just few suggestion/question. Otherwise LGTM.
| type AccessConfig struct { | ||
| // AuthenticationMode specifies the desired authentication mode for the cluster | ||
| // Defaults to CONFIG_MAP | ||
| // +kubebuilder:default=CONFIG_MAP | ||
| // +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP | ||
| AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"` | ||
| } | ||
|
|
There was a problem hiding this comment.
As we are creating a AccessConfig, I suggest we add bootstrapClusterCreatorAdminPermissions as well,
If we do not plan to support this field, do we really need the AccessConfig struct?
There was a problem hiding this comment.
bootstrapClusterCreationAdminPermissions can only be set at cluster creation; the UpdateAccessConfigRequest API doesn't allow changing this. I don't have a strong opinion on adding the new field vs. removing the struct, but we'll need to account for that.
(For additional context, #5583 adds AccessEntry definitions to this struct but now I'm second-guessing where those should live.)
There was a problem hiding this comment.
Here is what I think,
We have spec.iamAuthenticatorConfig in ManagedControlPlane. This is used for adding entries in aws-auth configmap.
Similary, we should have separate spec.AccessEntries for role/user mapping and spec.authenticationMode to specify access mode. Because, the default value for mode is CONFIG_MAP which would be required for creating mapping from [spec.iamAuthenticatorConfig].
@joshfrench Let me know what you think?
Also, bootstrapClusterCreatorAdminPermissions can be part of AuthenticationMode struct and have default value true as in CONFIG_MAP mode, regardless of the value, clusterCreator will have admin permissions.
@AndiDog Please share your thoughts.
There was a problem hiding this comment.
@punkwalker Agreed that spec.AccessEntries should be a separate field (still planning to handle that in a separate PR.)
To clarify, you are suggesting we add bootstrapClusterCreatorAdminPermissions to AccessConfig and default it to true?
type AccessConfig struct {
// +kubebuilder:default=CONFIG_MAP
// +kubebuilder:validation:Enum=CONFIG_MAP;API;API_AND_CONFIG_MAP
AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`
// +kubebuilder:default=true
BootstrapClusterCreatorAdminPermissions bool `json:"bootstrapClusterCreatorAdminPermissions"`
}That feels right to me, since it matches the shape of the EKS API.
My question was what we should do if the user changes bootstrapClusterCreatorAdminPermissions on an existing cluster. The UpdateAccessConfig API doesn't allow it, because it makes no sense once the cluster has been boostrapped already. The only valid use of UpdateAccessConfig is to change the authentication mode.
So if a user changes bootstrapClusterCreationAdminPermissions on an existing cluster we could:
- Ignore
bootstrapClusterCreatorAdminPermissionsentirely and only submit the request if it changes the authentication mode - Submit the request if it changes the authentication mode and log a warning if
bootstrapClusterCreatorAdminPermissionsalso changes - Fail validation and return an error if
bootstrapClusterCreationAdminPermissionschanges, regardless of whether the authentication mode also changes
1 feels bad, 2 is low friction, 3 is the most explicit. Thoughts?
There was a problem hiding this comment.
To clarify, you are suggesting we add bootstrapClusterCreatorAdminPermissions to AccessConfig and default it to true?
Yes.
2 feels a golden midway instead of failing. But it should be documented explicitly in the CR.
pkg/cloud/services/eks/cluster.go
Outdated
| expectedAuthenticationMode := string(s.scope.ControlPlane.Spec.AccessConfig.AuthenticationMode) | ||
| currentAuthenticationMode := string(accessConfig.AuthenticationMode) |
There was a problem hiding this comment.
Do we need this type conversion? Should be enough to compare the values as we already have a Type for AuthenticationMode.
There was a problem hiding this comment.
one of these is from the AWS ekstypes pkg, the other from our own v1beta2
|
@punkwalker Thanks for the feedback, I'll be able to circle back to this next week. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
do-not-merge/contains-merge-commits
needs-rebase
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
Added |
|
|
||
| var ( | ||
| // EKSAuthenticationModeConfigMap indicates that only `aws-auth` ConfigMap will be used for authentication | ||
| EKSAuthenticationModeConfigMap = EKSAuthenticationMode("CONFIG_MAP") |
There was a problem hiding this comment.
It would be good if we used values like:
- configmap
- api
- configmap_and_api
We generally try not to have direct copies of the values like this as all caps is a bit jarring in the manifests. It would mean we'd need to add a "conversion" function.
There was a problem hiding this comment.
@joshfrench Would you get a chance to make this change so we can merge this PR?
|
/test ? |
|
LGTM label has been added. Git tree hash: d0deb3bdc08d5d856d6d5cc699e75ee0c02a7196
|
|
All the changes look fine to me and the e2e failure looks entirely unrelated and due to infra flakes |
|
/test ? |
|
@faiq: The following commands are available to trigger required jobs: The following commands are available to trigger optional jobs: Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test pull-cluster-api-provider-aws-e2e-eks |
|
@joshfrench can you look into the eks test failures? |
@faiq |
Because of the squashed commits and hidden comments I didn't see that a previous run had passed... regardless we should make sure that the flake isn't caused by any of the changes made here and is still worth a look. Regading the VPC issue, I think they're entirely unrelated |
|
The e2e-eks test currently failing have all passed previously, even after the squash commit. I'm not sure how to interpret these failures as other than infrastructure-related, they're all some flavor of timeout: |
|
/test pull-cluster-api-provider-aws-e2e-eks |
|
Timeouts in different tests this run. |
|
/test pull-cluster-api-provider-aws-e2e-eks |
|
/retest |
|
@richardcase if you are happy with this, are you able to approve? |
|
/test pull-cluster-api-provider-aws-test |
@damdo - we need the tests to be passing first. |
|
Tests are very flaky ATM: https://prow.k8s.io/job-history/gs/kubernetes-ci-logs/pr-logs/directory/pull-cluster-api-provider-aws-test Let's keep trying then |
|
/test pull-cluster-api-provider-aws-test |
|
Ah looking deeper at this it looks like is is not a flake after all: |
controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
Outdated
Show resolved
Hide resolved
…st.go Co-authored-by: Damiano Donati <[email protected]>
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
|
/test pull-cluster-api-provider-aws-test |
|
Thanks @joshfrench @richardcase they are passing now :) |
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
test/e2e/data/eks/cluster-template-eks-auth-api-and-config-map.yaml
Outdated
Show resolved
Hide resolved
test/e2e/data/eks/cluster-template-eks-auth-bootstrap-disabled.yaml
Outdated
Show resolved
Hide resolved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Support setting EKS AuthenticationMode.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Partially addresses #4854
Special notes for your reviewer:
This PR just finishes the work started in #5108 by rebasing, removing the API changes to v1beta1, and fixing the fuzzy tests. There were two seemingly unrelated changes in the original PR that I've removed:
Checklist:
Release note: