kube-auth

command module
v0.0.0-...-a87f97c
Published: Jul 28, 2021 License: Apache-2.0 Imports: 30 Imported by: 0

README

Kubernetes Authentication

Kube-auth helps engineers generate a properly configured kube config for accessing Kubernetes clusters via kubectl.

Use Cases

  1. Initial setup of the toolset by generating the kube config and authenticating
  2. Redo authentication when the Google groups a developer belongs to have been updated
  3. Redo authentication when the developer was authenticated against the issuer in another place, e.g. OAuth2 Proxy for accessing the Kubernetes Dashboard
  4. Add more clusters that need to be accessed for new workloads

Workflows

  • Leads engineers through the authentication process to obtain credentials
  • Sources cluster information from AWS S3
  • Assembles contexts with cluster and user information
  • Updates the kube config

Attribution

This project is customized based on k8s-auth-example.

Prerequisites

Usage

⚠ Run the command below in a clean shell, i.e. one where no kubie-introduced prompt showing a k8s cluster and namespace appears.

kube-auth --env <stg|prod> --fxnl <batch|saas|main|mgmt|test|all> 

The app opens a browser page that redirects to Google Authentication. Use your company email to log in; you are all set when the success message shows up. By default, the path to the kube config is ~/.kube/config.

Here are some common scenarios:

Example 1: A developer who has workloads, like RQ worker, running in the batch cluster of both staging and production.

kube-auth --env stg --fxnl batch
kube-auth --env prod --fxnl batch

Example 2: A developer who is working on Kafka consumers running in the batch cluster and CRM running in the saas cluster.

kube-auth --env stg --fxnl batch --fxnl saas
kube-auth --env prod --fxnl batch --fxnl saas

Example 3: A developer who accessed the dashboard of stg-batch 15 mins ago, and gets the refresh token in the kube config rotated when using kubectl.

kube-auth --env stg

Example 4: A developer who was added to a new group by his/her manager for some permissions in prod-batch cluster.

kube-auth --env prod

Example 5: A k8s admin who needs to manage all clusters.

kube-auth --env stg --fxnl all
kube-auth --env prod --fxnl all

Example 6: An intern who only needs to experiment in the staging batch cluster.

kube-auth --env stg --fxnl batch

Tip: Run kube-auth --help for usage information if you are not sure how to use the app.

Questions

Q1. When I run kube-auth --env stg --fxnl main, my command line prints Error: Failed to download from s3://houzz-conf-staging/credential/k8s/auth/kube-auth.json. How do I solve this?

Ans: Please ensure that both your ~/.aws/config and ~/.aws/credentials have the information set under the [staging] profile, e.g. a credentials file with

[staging]
aws_access_key_id=*******
aws_secret_access_key=*******

If your credentials are correct, check from the AWS web console that you can access the s3://houzz-conf-staging bucket.

Note: accounts in the developers group are prevented from accessing this bucket. Please consult with your friendly infrastructure team if you need access.

For production auth, you’ll need the info under a [production] profile in the config.

Q2. Kube-auth returns successfully, but kubie won't list the new context

Ans: When you run kube-auth, it overwrites your kubeconfig at the path given by the $KUBECONFIG environment variable (by default ~/.kube/config). Kubie overrides this environment variable for your current context, so kube-auth won't update your global configuration:

[stg-batch|default] 13:42 > kube-auth --env prod --fxnl batch 
2021/07/28 13:42:49 listening on http://127.0.0.1:15555
Writing config to /var/folders/_9/9gbzk_8j35g1gdp0c0pqtmq40000gn/T/kubie-configzkvIKU.yaml
Login Succeeded as john.doe@houzz.com

If you see that the configuration is written to a temporary directory under /var/folders/ instead of ~/.kube/config, exit the kubie shell and re-run kube-auth.
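
A pre-flight check for the two failure modes in Q1 and Q2, as an added example that is not part of the kube-auth project: it verifies that the AWS profile for the chosen --env exists in both AWS files and that KUBECONFIG does not point at a kubie temporary file. The function names, argument order and return codes are this example's own, and the kubie-config*.yaml pattern is an assumption taken from the transcript above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two FAQ failure modes (Q1, Q2).

# Map a --env value to the AWS profile name given in the Q1 answer.
profile_for_env() {
    case "$1" in
        stg)  echo staging ;;
        prod) echo production ;;
        *)    return 1 ;;
    esac
}

# Succeed if file $1 has a section header for profile $2. The credentials
# file uses "[name]"; the AWS config file may use "[profile name]".
has_profile() {
    [ -r "$1" ] && grep -Eq "^\[(profile[[:space:]]+)?$2\][[:space:]]*\$" "$1"
}

# Succeed if any entry of a colon-separated KUBECONFIG value looks like the
# kubie temp file from the Q2 transcript (assumed: kubie-config<random>.yaml).
in_kubie_shell() {
    rest=$1
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        case "${entry##*/}" in kubie-config*.yaml) return 0 ;; esac
        [ "$rest" = "$entry" ] && break
        rest=${rest#*:}
    done
    return 1
}

# preflight ENV [KUBECONFIG_VALUE] [AWS_DIR]
# Returns 0 if ok, 2 unknown env, 3 kubie shell detected, 4 profile missing.
preflight() {
    kcfg=${2-${KUBECONFIG-}}
    aws_dir=${3-$HOME/.aws}
    profile=$(profile_for_env "$1") || { echo "unknown env: $1" >&2; return 2; }
    if in_kubie_shell "$kcfg"; then
        echo "KUBECONFIG is a kubie temp file; exit the kubie shell first" >&2
        return 3
    fi
    for f in "$aws_dir/config" "$aws_dir/credentials"; do
        has_profile "$f" "$profile" || { echo "no [$profile] profile in $f" >&2; return 4; }
    done
    echo "ok: profile=$profile kubeconfig=${kcfg:-$HOME/.kube/config}"
}
```

Source the file and run `preflight stg` or `preflight prod` before invoking kube-auth; a non-zero return code tells you which of the two FAQ cases applies.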

Communication

  • Found a bug? Please open an issue.
  • Have a feature request? Please open an issue.
  • If you want to contribute, please submit a pull request.

Contributing

Please see our Contributing guidelines.

License

This project is licensed under Apache 2.0 and a copy of the license is available here.

Documentation

There is no documentation for this package.
