Skip to content

Extend cross-account discovery for EKS clusters#24905

Merged
tigrato merged 1 commit intomasterfrom
tigrato/kube-cross-account-discovery
Apr 27, 2023
Merged

Extend cross-account discovery for EKS clusters#24905
tigrato merged 1 commit intomasterfrom
tigrato/kube-cross-account-discovery

Conversation

@tigrato
Copy link
Copy Markdown
Contributor

@tigrato tigrato commented Apr 20, 2023
edited
Loading

This PR adds support for cross-account EKS auto-discovery. It only adds support for discovery, serving Kube cluster still requires one kube service per AWS account.

Database Access: #22866

@tigrato
Extend cross-account discovery for EKS clusters
9adbf99 
This PR adds support for cross-account EKS auto-discovery.

Database Access: #22866
@tigrato tigrato force-pushed the tigrato/kube-cross-account-discovery branch from be99a48 to 9adbf99 Compare April 20, 2023 16:15
@tigrato tigrato marked this pull request as ready for review April 20, 2023 22:02
@tigrato tigrato requested a review from GavinFrazar April 20, 2023 22:02
nklaassen
nklaassen approved these changes Apr 26, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@nklaassen nklaassen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It only adds support for discovery, serving Kube cluster still requires one kube service per AWS account.

I'm curious what is the purpose if you still need a kube service per account, couldn't that kube service discover its own local clusters?

@tigrato
Copy link
Copy Markdown
Contributor Author

tigrato commented Apr 27, 2023
edited
Loading

It only adds support for discovery, serving Kube cluster still requires one kube service per AWS account.

I'm curious what is the purpose if you still need a kube service per account, couldn't that kube service discover its own local clusters?

@nklaassen

Kubernetes discovery does not happen on the kubernetes agent.

Teleport 10 introduced discovery_service for EC2 discovery and the product team decided to move all discoveries into this new service.

The discovery service scans the cloud providers and creates kube_cluster objects. The agents watch them and serve.

The kube agent will support multi AWS accounts but we are waiting on product decision/rfd to extend discovery (importing rules) and eventually allow decoupling of discovery and agents permissions (the current database implementation requires that discovery_service and database_service must run with the same IAM role).

@tigrato tigrato added this pull request to the merge queue Apr 27, 2023
Merged via the queue into master with commit d6af208 Apr 27, 2023
@tigrato tigrato deleted the tigrato/kube-cross-account-discovery branch April 27, 2023 10:13
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Apr 27, 2023

@tigrato See the table below for backport results.

Branch Result
branch/v13 Create PR

@tigrato tigrato mentioned this pull request Apr 27, 2023
Merged
@nklaassen
Copy link
Copy Markdown
Contributor

nklaassen commented Apr 27, 2023

Ahhh thank you, makes sense

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nklaassen nklaassen nklaassen approved these changes

@GavinFrazar GavinFrazar GavinFrazar approved these changes

+1 more reviewer

@tobiaszheller tobiaszheller tobiaszheller approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tigrato @nklaassen @tobiaszheller @GavinFrazar