[JIRA] (JENKINS-52593) Support EKS authentication, or specifying a kubeconfig directly
Konrad Scherer commented on JENKINS-52593:

Something to check is the EKS user configuration and make sure the credentials available to the Jenkins user are properly configured with a Kubernetes role in EKS: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

Only the credentials that created the EKS cluster have a proper Kubernetes role by default.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.192436.1531774635000.7444.1576285200670%40Atlassian.JIRA.

Marcin Romaszewicz commented on JENKINS-52593:

Since originally filing this bug, I've been using service account based kubeconfig files without issue against EKS. It's easier than using the aws-iam-authenticator, since all you do is bake in a user token into your kubeconfig, and you can constrain it to namespaces or whatever. Doing the same with IAM credentials is more annoying. Try that route instead of directly using your IAM role for EKS.

Tallis Vanek commented on JENKINS-52593:

Thanks for the summary Konrad, I was able to follow along with my setup.

My Jenkins master is trying to authenticate with the entire kube config tucked away in a secret. Also, I can see that my jenkins user on the master is able to run the token 'aws eks get-token' successfully.

I am however running into the "Message: Unauthorized! Token may have expired! " issue, even with my Jenkins master configured to use the correct java opt

    /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized -Dorg.csanchez.jenkins.plugins.kubernetes.clients.cacheExpiration=60 -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war ...

I'm wondering what else can be involved, and how I can verify that the cache is actually the issue. Do you have any ideas?

Some info:

    openjdk version "1.8.0_222"
    ami linux: 4.14.152-127.182.amzn2.x86_64
    jenkins kube plugin: org.csanchez.jenkins.plugins:kubernetes:1.22.0
    Jenkins: 2.208
    kubectl: v1.17.0 / v1.14.8-eks-b8860f
    aws-cli/1.16.303 Python/2.7.16 Linux/4.14.152-127.182.amzn2.x86_64 botocore/1.13.39

Thanks in advance.
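
An added example, not part of the original thread or the plugin's code: one way to tell an already-expired token apart from a client that is cached longer than the token lives. It assumes that 'aws eks get-token' prints an ExecCredential JSON document whose token is "k8s-aws-v1." followed by an unpadded base64url presigned STS URL, and that cacheExpiration is given in seconds; the sample credential and its signature are constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."  # assumed prefix of EKS bearer tokens


def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def inspect_exec_credential(raw_json, now, cache_expiration_s):
    """Report token timing without ever returning the token itself."""
    cred = json.loads(raw_json)
    if cred.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential document")
    status = cred.get("status") or {}
    token = status.get("token", "")
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("token lacks the k8s-aws-v1. prefix")
    expires = _utc(status["expirationTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
    # The remainder is unpadded base64url of a presigned STS URL (assumption).
    body = token[len(TOKEN_PREFIX):]
    url = urlsplit(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode())
    signed_at = _utc(parse_qs(url.query)["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    remaining = (expires - now).total_seconds()
    return {
        "sts_host": url.hostname,
        "token_age_s": (now - signed_at).total_seconds(),
        "remaining_s": remaining,
        "expired": remaining <= 0,
        # A client cached this long would still be handed out after expiry.
        "cache_outlives_token": cache_expiration_s >= remaining,
    }


def constructed_sample(signed_at, lifetime=timedelta(minutes=14)):
    """Build a fake ExecCredential (constructed data, placeholder signature)."""
    url = ("https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity"
           "&Version=2011-06-15&X-Amz-Date=" + signed_at.strftime("%Y%m%dT%H%M%SZ")
           + "&X-Amz-Expires=60&X-Amz-Signature=CONSTRUCTED")
    token = TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return json.dumps({
        "kind": "ExecCredential",
        "apiVersion": "client.authentication.k8s.io/v1alpha1",
        "spec": {},
        "status": {
            "expirationTimestamp": (signed_at + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "token": token,
        },
    })


if __name__ == "__main__":
    t0 = datetime(2019, 12, 14, 1, 0, 0, tzinfo=timezone.utc)
    sample = constructed_sample(t0)
    for minutes, cache_s in ((1, 60), (1, 900), (15, 60)):
        report = inspect_exec_credential(sample, t0 + timedelta(minutes=minutes), cache_s)
        print(minutes, cache_s, report)
```

The report contains only timing fields and the STS host, so it can go into a build log without exposing the bearer token.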

Konrad Scherer commented on JENKINS-52593:

I recently got Jenkins working with EKS and I feel your pain. Here is what I ended up cobbling together.

I also installed python3, pip and awscli into my Jenkins container. I put the aws credentials directly in /home/jenkins/.aws/config though I read later you can have a Role on the EC2 instance and awscli can be configured to retrieve temp credentials for that role so no credentials need to be stored on the instance.

I was able to create the kubeconfig file and run the 'aws eks get-token' command but I couldn't figure out how to configure Jenkins. I was saved by a mailing list post and Google: https://groups.google.com/d/msg/jenkinsci-users/8YpQL3eG-Zg/tznSHvkYAQAJ

I also added "-Dorg.csanchez.jenkins.plugins.kubernetes.clients.cacheExpiration=60" to the Jenkins Master startup options as mentioned in https://github.com/jenkinsci/kubernetes-plugin#running-with-a-remote-kubernetes-cloud-in-aws-eks

The kubeconfig needs to be added to Jenkins as a "File Secret" in the Credentials section. Then in the Kubernetes plugin configuration, the credentials option must be set to that secret. The rest of the fields can be ignored.

I hope this helps.

Caleb Mayeux commented on JENKINS-52593:

Justin Patrin and junaid mukhtar, I'm in the same boat as y'all. I also haven't gotten it to work, but based on spending entirely too much time googling and looking through code changes, I think the general idea is to do something like this (this example is if you're using the public jenkins docker image):

    FROM jenkins/jenkins:2.176.4
    USER root
    RUN apt-get update && apt-get install -y python3-pip vim
    RUN pip3 install awscli
    USER jenkins

Then inside the container you exec in and run the command "aws configure" and put in the access and secret key from IAM. Then you create a file ~/.kube/config and fill it out as per https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

Test out that the command as per that config file works, i.e. run "aws eks get-token --cluster-name whateverYouNamedYourCluster" and make sure it spits out a json that has a token in it.

That's what I've cobbled together based on looking at this change https://github.com/fabric8io/kubernetes-client/pull/1224/commits/ef2c87472d87e144da09190e1896a9dcbf6208c4 and looking at the readme for the kubernetes client here: https://github.com/fabric8io/kubernetes-client

Like I said, this hasn't worked for me yet, but I feel like I'm close. If this helps you solve it, please post how to do it here for me and anyone else who runs into this issue. We should probably open an issue to update the plugin readme on this as well. If we can figure out how to get it to work we could even make that PR.

Also if suryatej yaramada or Carlos Sanchez wanted to weigh in on how to configure using this I'd be much obliged. Thanks!

Justin Patrin commented on JENKINS-52593:

suryatej yaramada, can you give some details about this? What is the configuration of the service account? How is it connected to jenkins? How are you setting up that Credential? Are you also setting up a kubeconfig somewhere?

suryatej yaramada commented on JENKINS-52593:

Right now we are creating a service account and allowing access to EKS from Jenkins to configure kubernetes-plugin.

suryatej yaramada updated an issue (JENKINS-52593):

Change By: suryatej yaramada
Attachment: Screenshot from 2019-10-23 13-05-42.png

Justin Patrin commented on JENKINS-52593:

The documentation does not explain how to configure the kubernetes plugin to use EKS. It just mentions aws-iam-authenticator, nothing about where it needs to be or what values need to be put into the cloud configuration.

I've assigned an IAM role with full EKS permissions to the server but the credentials dropdown won't let me select a credential with the IAM role and won't allow me to select an AWS access/secret key. Turning off the https certificate check gives me an error about the system:anonymous user not having permissions. What do I need to do to get the kubernetes plugin to authenticate properly to EKS?

    Error testing connection https://.gr7.us-west-2.eks.amazonaws.com: Failure executing: GET at: https://.gr7.us-west-2.eks.amazonaws.com/api/v1/namespaces/default/pods.
    Message: pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default".
    Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=pods, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "default", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).

junaid mukhtar commented on JENKINS-52593:

Carlos Sanchez, do you have any howto or a guide on how to do it? I am struggling to connect Jenkins with EKS cluster via the kubernetes plugin.

Any help would be highly appreciated.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

Carlos Sanchez closed an issue as Fixed (JENKINS-52593): https://github.com/jenkinsci/kubernetes-plugin/pull/434

Change By: Carlos Sanchez
Status: Open -> Closed
Resolution: Fixed

Carlos Sanchez commented on JENKINS-52593:

The kubernetes-client library has been upgraded in the latest version.

Niels Alebregtse commented on JENKINS-52593:

I just wanted to give a heads-up here that the kubernetes-client library has been updated to use the aws-iam-authenticator configuration from the kubeconfig file (see here: https://github.com/fabric8io/kubernetes-client/pull/1224). So the easiest fix now would be to upgrade to a more recent version of the kubernetes-client (e.g. version 4.1.0).

suryatej yaramada commented on JENKINS-52593:

Hi, can I know if we need to pass access keys and secret keys here to get authenticated with EKS clusters?