
eksctl support for writing out OIDC enabled kubeconfig file

Open leonchik1976 opened this issue 3 years ago • 9 comments

When EKS is associated with an Identity Provider (for example OKTA), kubectl can be used by adding the flag --user=oidc. Such an option does not exist for eksctl, and thus eksctl can't be used with an OIDC-enabled EKS cluster.

leonchik1976 avatar Nov 17 '22 10:11 leonchik1976

Hello leonchik1976 :wave: Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

github-actions[bot] avatar Nov 17 '22 10:11 github-actions[bot]

OIDC section in KUBECONFIG file:

    - name: oidc
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=
          - --oidc-client-id=
          - --oidc-extra-scope=email
          - --oidc-extra-scope=offline_access
          - --oidc-extra-scope=profile
          - --oidc-extra-scope=openid
          command: kubectl
          env: null
          interactiveMode: IfAvailable
          provideClusterInfo: false

leonchik1976 avatar Nov 17 '22 10:11 leonchik1976

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Dec 18 '22 01:12 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Dec 23 '22 01:12 github-actions[bot]

@leonchik1976 looks like you're looking for a way to ask eksctl commands to use OIDC authentication instead of IAM-based authentication for communicating with the API server. This feature is not supported in eksctl. The identityProviders feature only associates an OIDC identity provider with an EKS cluster. Subsequent eksctl commands that interact with the API server will still use IAM-based authentication.

We can look into adding support for supplying a kubeconfig file and a context/user that eksctl uses to authenticate with the API server, bypassing the existing STS-based authentication mechanism.

cPu1 avatar Aug 10 '23 09:08 cPu1
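
The distinction drawn in the comment above (IAM-based versus OIDC authentication) shows up in a kubeconfig as the exec plugin each user runs. The following Python is an added example, not code from this thread or from eksctl: it labels every user by credential source and flags an oidc user whose issuer URL or client ID is empty, as in the snippet posted earlier. `classify`, `audit_users` and all sample values are constructed here; treating `aws` and `aws-iam-authenticator` as the IAM plugins, and `kubectl oidc-login` as the only OIDC form, is this example's assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample "users" list from a kubeconfig. JSON is used because it is
# valid YAML and parses with the standard library; all values are made up.
SAMPLE_USERS = json.loads("""
[
  {"name": "iam", "user": {"exec": {"command": "aws",
     "args": ["eks", "get-token", "--cluster-name", "demo"]}}},
  {"name": "oidc", "user": {"exec": {"command": "kubectl",
     "args": ["oidc-login", "get-token", "--oidc-issuer-url=",
              "--oidc-client-id=", "--oidc-extra-scope=openid"]}}},
  {"name": "oidc-ok", "user": {"exec": {"command": "kubectl",
     "args": ["oidc-login", "get-token",
              "--oidc-issuer-url=https://idp.example.com/oauth2/default",
              "--oidc-client-id=constructed-client-id"]}}}
]
""")

# Assumption of this example: exec plugins that mint IAM/STS-based tokens.
IAM_COMMANDS = {"aws", "aws-iam-authenticator"}


def classify(exec_cfg):
    """Label one exec plugin: 'iam', 'oidc', 'other' or 'oidc: <problem>'."""
    if not exec_cfg:
        return "other"
    args = exec_cfg.get("args") or []
    if exec_cfg.get("command") in IAM_COMMANDS:
        return "iam"
    if not args or args[0] != "oidc-login":
        return "other"
    # Collect --flag=value arguments; repeated flags keep the last value.
    flags = dict(a.split("=", 1) for a in args if a.startswith("--") and "=" in a)
    issuer = urlsplit(flags.get("--oidc-issuer-url", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        return "oidc: issuer URL missing or not https"
    if not flags.get("--oidc-client-id"):
        return "oidc: client ID missing"
    return "oidc"


def audit_users(users):
    """Map each kubeconfig user name to the label of its credential source."""
    return {u["name"]: classify((u.get("user") or {}).get("exec")) for u in users}


if __name__ == "__main__":
    for name, label in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {label}")
```
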

Yes, that would be great

leonchik1976 avatar Aug 10 '23 16:08 leonchik1976

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 29 '23 01:10 github-actions[bot]

https://github.com/eksctl-io/eksctl/blob/main/examples/27-oidc-provider.yaml

mikestef9 avatar Jan 30 '24 19:01 mikestef9

https://github.com/eksctl-io/eksctl/blob/main/examples/27-oidc-provider.yaml

It doesn't seem to be related to the original issue about OIDC authentication for the EKS cluster.

leonchik1976 avatar Jan 31 '24 09:01 leonchik1976