-
Notifications
You must be signed in to change notification settings - Fork 1.1k
fluxctl snap cannot exec auth helpers (ex: aws-iam-authenticator) #2523
Comments
Related: ^ we use If classic confinement is not possible, perhaps we could provide a best-effort list of up-to-date auth token binaries. We'll need to add |
I am also having this problem with DigitalOcean Kubernetes. Kube config excerpt:
Error message:
Does anyone have a workaround for now? |
Found a workaround. I installed fluxctl v1.14.2 and all is well:
|
Mh. Is your 1.14.2 fluxctl installed from the snap? In other news, I pinged the Snap folks regarding classic confinement: https://forum.snapcraft.io/t/fluxctl-personal-files-was-fluxctl-snap-wants-to-be-classic/11073/27 |
To everyone who's affected by this bug, please test the snap I just uploaded to the |
Describe the bug
It's not possible to auth with
KUBECONFIG
's that specify an exec for auth tokens.This is true in the case of EKS, GKE, and likely many other IaaS/KaaS providers.
To Reproduce
KUBECONFIG
to point to an EKS cluster /w fluxd runningfluxctl
snapfluxctl sync
Expected behavior
It's unreasonable to expect that the snap could have every binary needed to perform exec's for auth tokens for every single cluster provider.
The fluxctl snap should be able to exec other binaries on the system.
It likely needs to respect the user's
PATH
as well.This mirror's kubectl's needs.
I'm not sure if there are more precise ways to accomplish this level of access.
kubectl
uses classic confinement.I believe we also need to have
fluxctl
be a classic snap for similar reasons.Logs
Versions
fluxd: docker.io/fluxcd/flux:1.15.0
fluxctl: v1.15.1 (https://snapcraft.io/fluxctl)
/cc @dholbach
The text was updated successfully, but these errors were encountered: