Kubelet Credential Provider Support #2310

Closed
junshun opened this issue Jul 28, 2022 · 4 comments · Fixed by #2553

junshun commented Jul 28, 2022

What I'd like:
Allow credential-provider settings to be passed into a credential helper. In this case I would like to use IAM Roles Anywhere with ecr-credential-provider. For this particular case it would require an API setting:

settings.eks.ecr-credential-provider-iam-roles-anywhere
enabled = true
profile-arn = "..."
role-arn = "..."
trust-anchor-arn = "..."

These values would get piped down into a configuration file for kubelet credential provider.

If this setting is enabled the feature gate in #1702 could just be enabled for the kubelet, as those are needed for kubelet-credential-provider.
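
The flow requested above, sketched as an added example (not code from this issue or from the project): the three ARNs are validated, written into an AWS shared-config profile that calls `aws_signing_helper`, and referenced from a kubelet `CredentialProviderConfig`. The profile name, file paths, certificate and key locations, sample ARNs, and the choice to hand the profile to the provider through `AWS_CONFIG_FILE`/`AWS_PROFILE` are all assumptions.

```python
import json
import re

# Expected ARN shapes; fullmatch() also rejects embedded newlines or spaces
# that would otherwise add lines or arguments to the generated profile.
ARN_SHAPES = {
    "trust-anchor-arn": r"arn:aws[\w-]*:rolesanywhere:[a-z0-9-]+:\d{12}:trust-anchor/[0-9a-f-]{36}",
    "profile-arn": r"arn:aws[\w-]*:rolesanywhere:[a-z0-9-]+:\d{12}:profile/[0-9a-f-]{36}",
    "role-arn": r"arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+",
}

def validate(settings):
    """Raise ValueError unless every ARN in the settings block is well formed."""
    for key, shape in ARN_SHAPES.items():
        if not re.fullmatch(shape, settings.get(key, "")):
            raise ValueError(f"{key} is not a well-formed ARN")

def aws_profile(settings, cert, key):
    """AWS shared-config profile that gets credentials from aws_signing_helper."""
    validate(settings)
    args = " ".join(f"--{k} {settings[k]}" for k in ARN_SHAPES)
    return ("[profile roles-anywhere]\n"  # profile name is an assumption
            "credential_process = aws_signing_helper credential-process "
            f"--certificate {cert} --private-key {key} {args}\n")

def provider_config(aws_config_path):
    """kubelet CredentialProviderConfig as JSON-compatible data."""
    return {
        "apiVersion": "kubelet.config.k8s.io/v1",  # v1alpha1/v1beta1 before Kubernetes 1.26
        "kind": "CredentialProviderConfig",
        "providers": [{
            "name": "ecr-credential-provider",
            "matchImages": ["*.dkr.ecr.*.amazonaws.com"],
            "defaultCacheDuration": "12h",
            "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
            # Assumption: the provider's AWS SDK honours these variables.
            "env": [{"name": "AWS_CONFIG_FILE", "value": aws_config_path},
                    {"name": "AWS_PROFILE", "value": "roles-anywhere"}],
        }],
    }

# Constructed sample values; the issue itself elides the ARNs.
SAMPLE = {
    "enabled": True,
    "trust-anchor-arn": "arn:aws:rolesanywhere:us-west-2:111122223333:trust-anchor/00000000-0000-0000-0000-000000000001",
    "profile-arn": "arn:aws:rolesanywhere:us-west-2:111122223333:profile/00000000-0000-0000-0000-000000000002",
    "role-arn": "arn:aws:iam::111122223333:role/ecr-pull",
}

if __name__ == "__main__":
    print(aws_profile(SAMPLE, "/path/to/node.crt", "/path/to/node.key"))
    print(json.dumps(provider_config("/path/to/aws-config"), indent=2))
```

The kubelet reads the second document through `--image-credential-provider-config` and finds the provider binary under `--image-credential-provider-bin-dir`.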

@somnusfish

Thanks for bringing this up, we'll take a look at it.

@somnusfish

Previous related discussion: #1702, #1227.

@somnusfish added the type/enhancement (New feature or request) and area/kubernetes (K8s including EKS, EKS-A, and including VMW) labels Jul 28, 2022
@stmcginnis self-assigned this Aug 2, 2022
@kdaula added this to the 1.10.0 milestone Aug 2, 2022
@stmcginnis
Contributor

Status update on this work... I think I have most things in place with #2377, but having some trouble validating things.

I've verified with the team that it looks like all the right configuration is in place, but things are not working as expected. The current theory is there is some conflict between our use of the in-tree AWS cloud provider and this newer functionality that may actually need the out-of-tree cloud provider. Still working on trying to validate that assumption.

Since there is still a bit of work to do here, it doesn't look like this will make it into the 1.10.0 release. Retargeting this to 1.11.0 and will update as we find out more.

@stmcginnis
Contributor

This support has merged, but I wanted to point out the final implementation is slightly different than what was originally requested in this issue. Please take a look at the current settings in the README file for settings.kubernetes.credential-providers.
