aws-iam-authenticator VS rancher

curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64 chmod +x ./aws-iam-authenticator mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc

I will be setting up vcluster to work with aws-iam-authenticator. This should work just by following the readme, so I'll be spending extra time automating the setup.

Edit: Because I need to do this for more than one cluster and am creating clusters programmatically (AWS EKS API + CloudFormation/eksctl), I would like to minimize the overhead of creating ServiceAccounts across many cluster contexts, across many AWS accounts. Ideally, the only authentication step involved in creating my clientset is using aws-iam-authenticator to get a token using cluster data (name, region, CA cert, etc). There hasn't been a release of aws-iam-authenticator for a while, but the contents of master allow for the use of a third-party role cross-account role and external ID to be passed. IMO, this is cleaner than using a ServiceAccount (and IRSA) because there are other AWS services the application (the backend API which creates and applies add-ons to these clusters) needs to interact with.

Access to Kubernetes clusters in Amazon EKS is controlled by the AWS IAM Authenticator for Kubernetes. The authenticator runs on the EKS control plane and depends on the aws-auth ConfigMap for configuration settings. Every time you use kubectl to perform actions on the EKS cluster, the AWS IAM Authenticator generates an STS token (AWS Security Token Service). Kubernetes uses the IAM authenticator service to verify the identity of users specified in this security token.

As someone who is a big fan of Teleport, sorry, I just don't get it.

> Teleport doesn't provide identity provider integrations beyond GitHub (e.g. Okta) in their open source project

Right, and if you're a small team (5-10 people, like you're targeting) you don't really need SSO on the infra layer. It's a nice to have, it's best practice, but the truth is, by the time you really need it (enough engineers that account management is a pain), you typically have the budget for an Enterprise license.

> They have a different architecture that involves deploying a centralized proxy service (whereas Infra verifies credentials at the destination infrastructure vs at a central proxy).

So anyway you need to deploy something central to issue certificates. And anyway, if, to quote you, "We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually.", isn't that the central proxy service? Yet the open-source version avoids it somehow?

> We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually

So you want to sell to teams that a) are too small to afford the license for a product like Teleport Enterprise, b) have enough money that they can afford a premium product above and beyond the free offering provided by their Kubernetes vendor, like https://github.com/kubernetes-sigs/aws-iam-authenticator (for EKS), c) are willing to install and maintain another agent on their cluster (infra), but aren't willing to install and maintain the central proxy point?

> we've designed Infra around an extensible REST API from the start whereas Teleport uses GRPC.

This isn't really important from a product perspective. For what it's worth, Teleport started with a REST API; they moved to gRPC because, if I recall correctly, gRPC helped them scale to support larger infrastructure better.

If you're launching a competing product to Teleport, which is now by far the most mature product in the space, then currently, at least from where I'm sitting, you aren't offering sufficient added value compared to the incumbent offerings, which also include CloudFlare Access, Checkpoint Harmony Connect SASE, Hashicorp Boundary (their offerings aren't quite Kubernetes native, but it's the same idea)...

If you’re looking for a cloud provider that caters to identity and access management, then tools like aws-iam-authenticator (AWS) and Anthos Identity Service (Google) are good places to start.

AWS IAM Authenticator.

aws-auth configmap is based on aws-iam-authenticator and has several configuration options:

Did something happen to the Apache 2 rancher? https://github.com/rancher/rancher/blob/v2.7.5/LICENSE RKE2 is similarly Apache 2: https://github.com/rancher/rke2/blob/v1.26.7%2Brke2r1/LICENS...

I follow the 4 ABCD steps bellow, but the first pod deployment never ends. What's wrong in it? Logs and result screens are at the end. Detailed configuration can be found here.

CVE-2023-22651 is rated 9.9/10 : https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g

Depends. When I came into my last company I immediately noticed the lack of reproducible environments. Brought this up a few times and was met with some resistance because "we didn't have the capacity"... Until prod went down and it took us 23 hours to bring it back up due to spaghetti terraform.

For the latest releases of rancher: https://github.com/rancher/rancher/releases When is Rancher 2.7.1 going to be released? The Rancher support matrix for 2.7.1 shows k8s v1.24.6 as the highest supported version and Azure will drop AKS v1.24 in a few months... Should this be a concern for us? What could happen if we create our cluster with Rancher for an unsupported K8s version? 1.25 for example. - Rancher 2.7.2 just got released including support for 1.25. I have however tested running unsupported versions before, unless there is major deprecations in the kubernetes API it is fine in my experience. If we move to AKS imported clusters, in case we add node pools, and upgrade the cluster, will those changes be reflected in the Rancher Platform? - Yep! If we face some issues by running an unsupported K8s version on Rancher Launched K8s clusters, is it possible to remove it from Rancher, do the stuff we need, and then import it into the platform? - Yes, however be careful and do testing before doing in prod. From top of mind: Remove cluster from rancher (if imported), if rancher created you might want to revoke ranchers SA key for the cluster first (so it can't remove it). Delete the cattle-system namespace, and any other cattle-* namespaces you don't want to keep. And do your thing. It looks like AKS is faster than Rancher regarding supported Kubernetes versions... We would like to know if Rancher will always be on track with AKS regarding the removal of K8s version support and new versions. - In my experience yes. (Been using rancher on all three clouds for a 4 years now). What are exactly the big differences between imported AKS and Rancher-launched AKS? What should we look at, and what issues can we face when using one or another? - The main difference is that rancher will not be able to upgrade the cluster for you. You will have to do that yourself.

variable "rancher" { type = object({ namespace = string version = string branch = string chart_set = list(object({ name = string value = string })) }) default = { namespace = "cattle-system" # There is a bug with destroying the cloud credentials in version 2.6.9 until 2.7.1 and will be fixed in next release 2.7.2. # See https://github.com/rancher/rancher/issues/39300 version = "2.7.0" branch = "stable" chart_set = [ { name = "replicas" value = 3 }, { name = "ingress.ingressClassName" value = "nginx-external" }, { name = "ingress.tls.source" value = "rancher" }, # There is a bug with the uninstallation of Rancher due to missing priorityClassName of rancher-webhook # The priorityClassName need to be set # See https://github.com/rancher/rancher/issues/40935 { name = "priorityClassName" value = "system-node-critical" } ] } description = "Rancher Helm chart properties." }

When I searched DuckDuckGo instead, the 12th link actually had the real answer. It's in this issue on Rancher's GitHub. Turns out the Rancher admin needs to be in all of the Keycloak groups they want to have show up in the auto-populated picklist in Rancher. Being a Keycloak admin and even creating the groups isn't good enough. Frustratingly, the "caveat" note the Rancher guy is pointing to that says this is only present in the guide to setting up Keycloak for SAML, but apparently this is also true for OIDC.

Explicitly set TLS 1.3 in Rancher, though it could be a bug in Rancher: https://github.com/rancher/rancher/issues/35654

Thanks. Yeah looks like this might work: https://github.com/rancher/rancher/releases/tag/v2.7.2-rc3