aws-iam-authenticator VS client-go

curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64 chmod +x ./aws-iam-authenticator mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc

I will be setting up vcluster to work with aws-iam-authenticator. This should work just by following the readme, so I'll be spending extra time automating the setup.

Edit: Because I need to do this for more than one cluster and am creating clusters programmatically (AWS EKS API + CloudFormation/eksctl), I would like to minimize the overhead of creating ServiceAccounts across many cluster contexts, across many AWS accounts. Ideally, the only authentication step involved in creating my clientset is using aws-iam-authenticator to get a token using cluster data (name, region, CA cert, etc). There hasn't been a release of aws-iam-authenticator for a while, but the contents of master allow for the use of a third-party role cross-account role and external ID to be passed. IMO, this is cleaner than using a ServiceAccount (and IRSA) because there are other AWS services the application (the backend API which creates and applies add-ons to these clusters) needs to interact with.

Access to Kubernetes clusters in Amazon EKS is controlled by the AWS IAM Authenticator for Kubernetes. The authenticator runs on the EKS control plane and depends on the aws-auth ConfigMap for configuration settings. Every time you use kubectl to perform actions on the EKS cluster, the AWS IAM Authenticator generates an STS token (AWS Security Token Service). Kubernetes uses the IAM authenticator service to verify the identity of users specified in this security token.

As someone who is a big fan of Teleport, sorry, I just don't get it.

> Teleport doesn't provide identity provider integrations beyond GitHub (e.g. Okta) in their open source project

Right, and if you're a small team (5-10 people, like you're targeting) you don't really need SSO on the infra layer. It's a nice to have, it's best practice, but the truth is, by the time you really need it (enough engineers that account management is a pain), you typically have the budget for an Enterprise license.

> They have a different architecture that involves deploying a centralized proxy service (whereas Infra verifies credentials at the destination infrastructure vs at a central proxy).

So anyway you need to deploy something central to issue certificates. And anyway, if, to quote you, "We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually.", isn't that the central proxy service? Yet the open-source version avoids it somehow?

> We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually

So you want to sell to teams that a) are too small to afford the license for a product like Teleport Enterprise, b) have enough money that they can afford a premium product above and beyond the free offering provided by their Kubernetes vendor, like https://github.com/kubernetes-sigs/aws-iam-authenticator (for EKS), c) are willing to install and maintain another agent on their cluster (infra), but aren't willing to install and maintain the central proxy point?

> we've designed Infra around an extensible REST API from the start whereas Teleport uses GRPC.

This isn't really important from a product perspective. For what it's worth, Teleport started with a REST API; they moved to gRPC because, if I recall correctly, gRPC helped them scale to support larger infrastructure better.

If you're launching a competing product to Teleport, which is now by far the most mature product in the space, then currently, at least from where I'm sitting, you aren't offering sufficient added value compared to the incumbent offerings, which also include CloudFlare Access, Checkpoint Harmony Connect SASE, Hashicorp Boundary (their offerings aren't quite Kubernetes native, but it's the same idea)...

If you’re looking for a cloud provider that caters to identity and access management, then tools like aws-iam-authenticator (AWS) and Anthos Identity Service (Google) are good places to start.

AWS IAM Authenticator.

aws-auth configmap is based on aws-iam-authenticator and has several configuration options:

The Kubernetes clients (e.g., Go client) support developers with both methods to connect to a cluster, as we can see in the following examples.

My suggestion would be to start looking at things like https://github.com/kubernetes/client-go first in order to get a feel for the API and how data plane k8s components interact with the apiserver (it's the same thing that kubelet uses). Then move on to trying to build your own k8s operator to get a feel for how people expand and customize k8s functionality without having to modify upstream at all. IMO the codebase itself is too messy and in constant flux to make too much sense of it unless you are planning to contribute to upstream.

GitHub related issue https://github.com/kubernetes/client-go/issues/735

CUE is cool and all but as soon as I start writing real code structures I want to reach for client-go.

I'm... really not sure I agree with this, from a philosophical point of view. It feels like this is making "eh, we'll just upgrade our Go version next quarter" too easy; ultimately some responsibility toward updating your application's Go version to work with what new dependencies require should fall on Us, the application developers. Sure, we're bad at it. Everyone's lived through running years-old versions of some toolchain. But I think this just makes the problem worse, not better.

Its compounded by the problem that, when you're setting up a new library, the `go` directive in the mod file defaults to your current toolchain; most likely a very current one. It would take a not-insignificant effort on the library author's part to change that to assert the true-minimum version of Go required, based on libraries and language features and such. That's an effort most devs won't take on.

I'd also guess that many developers, up-to this point if not indefinitely because education is hard, interpreted that `go` directive to mean more-of "the version of go this was built with"; not necessarily "the version of go minimally required". There are really major libraries (kubernetes/client-go [1]) which assert a minimum go version of 1.20; the latest version (see, for comparison, the aws-sdk, which specifies a more reasonable go1.11 [2]). I haven't, you know, fully audited these libraries, but 1.20 wasn't exactly a major release with huge language and library changes; do they really need 1.20? If devs haven't traditionally operated in this world where keeping this value super-current results in actually significant downstream costs in network bandwidth (go1.20 is 100mb!) and CI runtime, do we have confidence that the community will adapt? There's millions of Go packages out there.

Or, will a future version of Go patch a security update, not backport it more than one version or so, and libraries have to specify the newest `go` directive version, because manifest security scanning and policy and whatever? Like, yeah, I get the rosy worldview of "your minimum version encodes required language and library features", but its not obvious to me that this is how this field is, or even will be, used.

Just a LOT of tertiary costs to this change which I hope the team has thought through.

[1] https://github.com/kubernetes/client-go/blob/master/go.mod#L...

[2] https://github.com/aws/aws-sdk-go/blob/main/go.mod

I looked at dynamic package, but it seems like it needs GroupVersionResource, which is different for, say, Service objects and Deployment objects. Also when I pass schema.GroupVersionResource{Group: "apps", Version: "v1"} it doesn't find anything, when I pass schema.GroupVersionResource{Version: "v1"} it finds only namespace object and also doesn't looks for labels, though I provided label options:

I'm writing a script that uses the k8s.io/client-go library (godocs here) to manipulate Deployments. In particular, I want to add a label selector to every Deployment in my cluster. Deployment label selectors are immutable. So my approach is to:

Actually, kubebuilder is not using the standard Go libraries, but one using reflection to dynamically resolve the client based on the type you hand it (which is arguably better). The "official" client is k8s.io/client-go.

Then on June 18th, 2022, I got a chance to meet our mentors and the other mentee of OpenELB (the mentee and the mentors of OpenFunction were also there). There I was informed about how to start working on the project, so I started learning about using the Kubernetes API client. After experimenting with the official Kubernetes Client, I learned that it's not very feasible to use that for dealing with CRDs (custom resource definitions), so I explored the controller-runtime client as per what I found in many sources, and found that it was a great fit for the backend of our project. During that time, I also built a simple project to see if everything would work as expected or not (as this was the first time I dealt with a Kubernetes client, I considered that debugging would be easier in a smaller project).