Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--backend-mode behavior unclear #297

Closed
jeffhubLR opened this issue Mar 5, 2020 · 3 comments · Fixed by #303
Closed

--backend-mode behavior unclear #297

jeffhubLR opened this issue Mar 5, 2020 · 3 comments · Fixed by #303
Assignees
@wongma7

Comments

@jeffhubLR
Copy link

jeffhubLR commented Mar 5, 2020
edited
Loading

Version: aws-iam-authenticator 0.5.0

After installing the new kops 1.17.0-beta.1, aws-iam-authenticator stopped working with the previous config. That's already pretty well covered in this issue:
#288

Documentation here:
https://github.com/kubernetes-sigs/aws-iam-authenticator#configure-iamidentitymapping-custom-resource-definitions
seems to indicate that a --backend-mode setting of File,CRD would first attempt the File method, then the CRD method.
From this line in the document:
"The --backend-mode flag determines which of these methods is enabled and their order of precedence (first match wins)."
However there isn't really definition around what a "match" means (I would assume that would mean that a configuration was found), nor the default backend-mode if none is provided.

With the CRD installed (because kops automatically installs it during cluster creation if aws-authenticator is enabled), but no entries in the CRD:

> kubectl get IAMIdentitymapping                                                                                                                                                                                                            
No resources found in default namespace.

And a valid ConfigMap (which requires the usage of the "File" backend-mode setting, not the "ConfigMap" setting, which is confusing but also not the point of this issue):

> kubectl get configmap -n kube-system aws-iam-authenticator
NAME                    DATA   AGE
aws-iam-authenticator   1      5d19h

The startup output of aws-iam-authenticator is as follows (--backend-mode=File,CRD)

time="2020-03-05T15:51:37Z" level=info msg="creating event broadcaster"
ime="2020-03-05T15:51:37Z" level=info msg="setting up event handlers"
time="2020-03-05T15:51:37Z" level=info msg="starting mapper \"CRD\""
time="2020-03-05T15:51:37Z" level=info msg="starting aws iam authenticator controller"
time="2020-03-05T15:51:37Z" level=info msg="waiting for informer caches to sync"

Note that there is NO output for it detecting and configuring the File backend. Now if the --backend-mode is changed to be only "--backend-mode=File", this is the startup output (no changes at all to the configmap or CRD entries):

time="2020-03-05T16:02:58Z" level=info msg="starting mapper \"File\""
time="2020-03-05T16:02:58Z" level=info msg="mapping IAM role" groups="[system:masters]" role="arn:aws:iam::xxxxxxxxx:role/xxxxxx" username="aws:accountid:{{AccountID}}:session:{{SessionName}}"
time="2020-03-05T16:02:58Z" level=info msg="loaded existing keypair" certPath=/var/aws-iam-authenticator/cert.pem keyPath=/var/aws-iam-authenticator/key.pem
time="2020-03-05T16:02:58Z" level=info msg="listening on https://127.0.0.1:21362/authenticate"
time="2020-03-05T16:02:58Z" level=info msg="reconfigure your apiserver with `--authentication-token-webhook-config-file=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml` to enable (assuming default hostPath mounts)"

Is the expectation that, if the CRD exists in the cluster (but no entries in the CRD exist), that CRD is still used as the backend?

Also, documentation on the default backend-mode would be beneficial.
@wongma7 wongma7 self-assigned this Mar 13, 2020
@wongma7
Copy link
Contributor

wongma7 commented Mar 13, 2020

I've confirmed that enabling the CRD mode blocks subsequent modes from being loaded, and by default it's the first mode so that's the cause of breakage. Absolutely not intentional, I will fix it and push a new release.

Totally agree about the need for more documentation.

Also about the naming of the flags. Documentation would help if the meaning of each "mode" were thoroughly explained...but obviously ConfigMap and File are ambiguous. Open to suggestions but I'm going to rename ConfigMap to EKSConfigMap because it originated in EKS and so it should be clear to kops users that they can safely ignore it. Maybe File to FileConfigMap which is not a great name but contrasts well enough with EKSConfigMap.

@jeffhubLR
Copy link
Author

Thanks for the response, Matt. I'll pull down and test once you have a new release.

EKSConfigMap is pretty clear, I agree. I sadly don't have any suggestions re: FileConfigMap, but at least it includes ConfigMap which is more explanatory than File.

@wongma7 wongma7 mentioned this issue Mar 14, 2020
Merged
@wongma7
Copy link
Contributor

wongma7 commented Mar 14, 2020

I've opened a PR to fix this, please take a look at https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/303/files#diff-04c6e90faac2675aa89e2176d2eec7d8R85

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wongma7 wongma7

Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@wongma7 @jeffhubLR