[k8s] Support exec based auth kubeconfigs on controllers #4379

romilbhardwaj · 2024-11-17T01:23:34Z

GKE and EKS rely on exec based auth in the kubeconfig to authenticate with the k8s API server. This is currently not supported on SkyPilot controllers:

skypilot/sky/provision/kubernetes/utils.py

Lines 911 to 915 in ed4329a

    
               Using exec-based authentication is problematic when used in conjunction 
        
               with kubernetes.remote_identity = LOCAL_CREDENTIAL in ~/.sky/config.yaml. 
        
               This is because the exec-based authentication may not have the relevant 
        
               dependencies installed on the remote cluster or may have hardcoded paths 
        
               that are not available on the remote cluster.

The current suggested workaround is to create a kubeconfig that uses token based auth with a service account (generate_kubeconfig.sh).

This workaround introduces friction for users, and may not be be feasible in environments where users cannot create service accounts.

We should support exec based auth, maybe starting with supporting GKE and EKS. This would require installing relevant dependencies and copying over the cloud credentials.

romilbhardwaj mentioned this issue Nov 17, 2024

[k8s] Support in-cluster and kubeconfig auth simultaneously #4188

Merged

1 task

romilbhardwaj added the k8s Kubernetes related items label Nov 26, 2024

romilbhardwaj added the help wanted Extra attention is needed label Dec 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[k8s] Support exec based auth kubeconfigs on controllers #4379

[k8s] Support exec based auth kubeconfigs on controllers #4379

romilbhardwaj commented Nov 17, 2024

[k8s] Support exec based auth kubeconfigs on controllers #4379

[k8s] Support exec based auth kubeconfigs on controllers #4379

Comments

romilbhardwaj commented Nov 17, 2024