
Support aws-iam-authenticator

Open ianb-mp opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.

No response

Describe the solution you would like

It would be good to support aws-iam-authenticator to provide another option for api auth.

AFAIK it is not currently possible to deploy this addon due to k0s's control plane isolation. For example, aws-iam-authenticator requires a nodeSelector for the nodes running kube-apiserver.

Describe alternatives you've considered

No response

Additional context

No response

ianb-mp avatar Jun 21 '24 03:06 ianb-mp

If this requires to run on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?

twz123 avatar Jun 21 '24 04:06 twz123

Hi, in addition to that, I think you'll need to label the node manually:

$ kubectl label node/controller-0.k0s.lab  node-role.kubernetes.io/master=""
node/controller-0.k0s.lab labeled
$ k0s kc get node --show-labels controller-0.k0s.lab
NAME                   STATUS   ROLES                  AGE     VERSION       LABELS
controller-0.k0s.lab   Ready    control-plane,master   3d23h   v1.30.1+k0s   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=controller-0.k0s.lab,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=true,node-role.kubernetes.io/master=,node.k0sproject.io/role=control-plane

This annotation is deprecated so I don't know if it makes sense to label the node automatically anymore.

juanluisvaladas avatar Jun 24 '24 11:06 juanluisvaladas
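As an added example (not from this issue and not k0s code), a small Python dry-run of Pod nodeSelector matching against a constructed node inventory carrying k0s's default control-plane labels: it shows why a selector keyed on `node-role.kubernetes.io/master` matches no node until the label is applied by hand as above, and that a controller started without `--enable-worker` never appears in the inventory at all. Node names and the selector shape are assumptions.

```python
"""Dry-run a nodeSelector against k0s node labels (added example, not k0s code)."""
from typing import Dict, List

# Constructed node inventory. A k0s controller started without --enable-worker
# runs no kubelet and is therefore absent from `kubectl get nodes` entirely.
NODES: List[Dict] = [
    {"name": "controller-0.k0s.lab",          # controller run with --enable-worker
     "labels": {"kubernetes.io/hostname": "controller-0.k0s.lab",
                "node-role.kubernetes.io/control-plane": "true",
                "node.k0sproject.io/role": "control-plane"}},
    {"name": "worker-0.k0s.lab",
     "labels": {"kubernetes.io/hostname": "worker-0.k0s.lab"}},
]

# Assumed selector shape of a control-plane-pinned DaemonSet: an empty-string
# value still requires the key itself to be present on the node.
MASTER_SELECTOR: Dict[str, str] = {"node-role.kubernetes.io/master": ""}


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """nodeSelector semantics: every key must exist with an exactly equal value."""
    return all(labels.get(key) == value for key, value in selector.items())


def schedulable_nodes(selector: Dict[str, str], nodes: List[Dict]) -> List[str]:
    """Names of nodes the selector would allow a Pod to land on."""
    return [n["name"] for n in nodes if matches(selector, n["labels"])]


def label_node(nodes: List[Dict], name: str, key: str, value: str) -> List[Dict]:
    """Emulate `kubectl label node/<name> key=value`; returns a new inventory."""
    out = []
    for n in nodes:
        labels = dict(n["labels"])
        if n["name"] == name:
            labels[key] = value
        out.append({"name": n["name"], "labels": labels})
    return out


if __name__ == "__main__":
    print("before label:", schedulable_nodes(MASTER_SELECTOR, NODES))
    relabelled = label_node(NODES, "controller-0.k0s.lab",
                            "node-role.kubernetes.io/master", "")
    print("after label :", schedulable_nodes(MASTER_SELECTOR, relabelled))
    # The k0s-native role label needs no manual step:
    print("k0s label   :", schedulable_nodes(
        {"node.k0sproject.io/role": "control-plane"}, NODES))
```

Running the same check against a live cluster only requires replacing `NODES` with the `metadata.name` and `metadata.labels` fields from `kubectl get nodes -o json`.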

If this requires to run on the controllers as a DaemonSet, the only caveat I see is that the k0s controllers need to be run with --enable-worker. Did you try that out?

No, I haven't tried that. I saw the FAQ entry which recommends against this for prod so I'd discounted it. I'm using OIDC for now, but may come back to IAM authenticator later.

ianb-mp avatar Jun 28 '24 02:06 ianb-mp

I'd also check out whether it's actually a requirement to run on controller nodes. I had a quick glance at the repo, and it's not directly obvious to me why this shouldn't be working if you'd rewrite the controller-pinned DaemonSet into a regular Deployment.

twz123 avatar Jul 24 '24 16:07 twz123