K8s client authentication

I have been working on a serverless framework recently, which I have put onto EKS.

Most of it worked, except the CLI, which relies on the k8s client-go library to authenticate and is not able to do so with EKS (it works well with Azure AKS and GCP).

It turns out the issue was with the k8s client-go library, which doesn't deal with aws-iam-authenticator. As a workaround, the patch is to apply the service account as a bearer token.

# command to get the token
kubectl describe secret account -n namespace | grep -E '^token' | cut -f2 -d':' | tr -d " "

Then, in client-go, patch the token into the bearer header:

// retrieve the token either from the secret file or from an env var
//token, err := ioutil.ReadFile("~/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey)
//token := os.Getenv("BEARER_TOKEN")

// add the header if it's not yet there (xxx stands for the token retrieved above)
r.headers.Set("Authorization", "Bearer xxx")

// before the real HTTP call
resp, err := client.Do(req)
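
The same "set the header if it is not there yet, just before the real call" logic can live in a standard-library `http.RoundTripper` wrapper instead of an edit to the library source; this is an added example, not code from the original post or from client-go. The names `bearerTransport`, `loadToken` and `newClient` and the token-file parameter are assumptions for illustration; `BEARER_TOKEN` is the env var from the snippet above.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// bearerTransport adds the bearer header when the request has no Authorization header.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Header.Get("Authorization") == "" {
		req = req.Clone(req.Context()) // never mutate the caller's request
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.next.RoundTrip(req)
}

// loadToken prefers the BEARER_TOKEN env var and falls back to tokenFile
// (hypothetical parameter); surrounding whitespace is stripped.
func loadToken(tokenFile string) (string, error) {
	tok := os.Getenv("BEARER_TOKEN")
	if tok == "" {
		b, err := os.ReadFile(tokenFile)
		if err != nil {
			return "", fmt.Errorf("no BEARER_TOKEN and token file unreadable: %w", err)
		}
		tok = string(b)
	}
	if tok = strings.TrimSpace(tok); tok == "" {
		return "", fmt.Errorf("bearer token is empty")
	}
	return tok, nil
}

func newClient(token string) *http.Client {
	return &http.Client{Transport: &bearerTransport{token: token, next: http.DefaultTransport}}
}

func main() {
	if tok, err := loadToken("/var/run/secrets/kubernetes.io/serviceaccount/token"); err != nil {
		fmt.Println("not configured:", err)
	} else {
		fmt.Printf("client ready, transport %T\n", newClient(tok).Transport) // token itself is never printed
	}
}
```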

refer to:
