
Add support for interactive connection to the k8s cluster.

Open nripendra opened this issue 4 years ago • 6 comments

What would you like to be added: Add support for interactive connection to the k8s cluster.

Why is this needed: Currently, when trying to connect to an AWS k8s cluster with 2FA enabled, Lens cannot connect. It shows the following message:

Connecting ...
Authentication proxy started
Enter token for arn:aws:iam::xxxxx:mfa/xxxxxx: 2020/07/19 16:47:23 http: proxy error: getting credentials:
exec: exit status 1

For now, the workaround for me is to first execute a CLI command like kubectl get pods and enter the 2FA code there. Once connected from the CLI, Lens can connect to the cluster. It would be great if these authentication inputs were handled by Lens itself.

Environment you are running the Lens application on:

  • Kubernetes distribution: AWS
  • Desktop OS: Mac Osx Catalina (10.15.5)

Jul 19 '20 21:07 nripendra

Same problem for me. We use https://github.com/gyselroth/kube-ldap-client-go-exec-plugin to prompt for AD credentials. It would be great if Lens could at least expose a shell to enter credentials when adding a new cluster. We can't use the workaround above because we have too many clusters...

Jan 14 '21 09:01 antoineozenne

Could this feature be implemented?

May 14 '21 13:05 antoineozenne

I think this is sort of a duplicate of #208. I recommend using Leapp to handle the authentication aspects of cloud computing for all your applications. See some details as to why in general and for Lens in particular in #208, and in particular this comment about the solution I propose.

Aug 31 '21 03:08 Nuru

Same issue here, can't use LENS because I need to 2FA assume a role into AWS before using it. Please fix, Lens is unusable from a security/best practices standpoint without this.

I think a simple way to allow this would be to allow a pre-login script to be executed in a pop-up interactive terminal window, and only after it exits with a success exit code would it then try to use that set of environment variables to run Lens through. This feels like it wouldn't be tons of work to implement.

EDIT: The recommended workaround from the other Issue on this matter does seem to work: using a CLI script (awsume/aws-mfa/etc) to set up your env vars and fully 2FA, and then opening /Applications/Lens.app and choosing the appropriate cluster, does seem to work. Although, not perfect/ideal in that I have to fully quit Lens, re-2FA and re-launch Lens to change clusters (I manage a couple dozen clusters). So, a bit painful, but at least one way to work for anyone else who lands here. Makes it hard to manage multiple clusters for the same client. A workaround I've made for this is to have multiple copies of Lens in my Applications folder, and run one per cluster. Seems to do the trick, kinda confusing switching through though.

Jan 10 '22 02:01 AndrewFarley
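
The workaround in the comment above (complete MFA in a terminal, then launch Lens with the resulting environment), as an added example that is not part of the thread or the Lens project. It uses plain `aws sts get-session-token` in place of awsume/aws-mfa, and assumes the AWS CLI is installed and that `MFA_SERIAL` (a variable name chosen here) holds your MFA device ARN.

```shell
#!/bin/sh
# Added example (not from the thread): do the MFA step in a terminal, then
# start Lens with the temporary credentials in its environment.
# Assumptions: AWS CLI on PATH; MFA_SERIAL holds your MFA device ARN.

# A TOTP code is exactly six digits; reject anything else before calling STS.
valid_token_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Parse "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" (the CLI's text
# output for the --query used in main) and export the three variables.
load_session_creds() {
  tab=$(printf '\t')
  case "$1" in *"$tab"*"$tab"*) ;; *) return 1 ;; esac
  key=${1%%"$tab"*}; rest=${1#*"$tab"}
  secret=${rest%%"$tab"*}; token=${rest#*"$tab"}
  for v in "$key" "$secret" "$token"; do
    # The CLI prints "None" for a null field in text output.
    if [ -z "$v" ] || [ "$v" = None ]; then return 1; fi
  done
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" \
         AWS_SESSION_TOKEN="$token"
  unset key secret token rest v   # keep secrets out of stray shell variables
}

main() {
  printf 'MFA code for %s: ' "$MFA_SERIAL" >&2
  read -r code
  valid_token_code "$code" || { echo 'expected a 6-digit code' >&2; return 1; }
  out=$(aws sts get-session-token --serial-number "$MFA_SERIAL" \
          --token-code "$code" --duration-seconds 3600 \
          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
          --output text) || return 1
  load_session_creds "$out" || { echo 'unexpected STS output' >&2; return 1; }
  unset out code
  open /Applications/Lens.app   # launch step as described in the comment above
}

# Runs only when MFA_SERIAL is set, e.g. MFA_SERIAL=<your-mfa-arn> sh lens-mfa.sh
if [ -n "${MFA_SERIAL:-}" ]; then main; fi
```

The credentials are held only in the environment of this shell and the processes it starts, and they expire after the requested hour, after which the script has to be run again.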

@AndrewFarley While I continue to recommend Leapp to manage your AWS and Azure credentials, including MFA, I added a better script-based solution to "the other issue" that lets you access all your clusters without having to switch/relaunch Lens.

Feb 28 '22 03:02 Nuru