T4K UI Native Authentication (GKE/EKS)

Trilio for Kubernetes (T4K) UI supports authentication through kubeconfig files which contain a token, certificate, auth-provider, etc. However, for some Kubernetes cluster distributions, the kubeconfig may contain a cloud-specific exec action or auth-provider configuration to fetch the authentication token with the help of a credentials file, which is not supported by default.

When using kubeconfig on the local system, the cloud-specific action/config in the user section of the kubeconfig will look for a credentials file at a specific location to generate an authentication token. Because the T4K backend is deployed in a Cluster Pod, this credentials file is not available in the Pod. T4K provides cloud distribution-specific support to handle and generate tokens from these credentials files.

Google Kubernetes Engine (GKE)

Default kubeconfig

apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMRENDQXBTZ0F3SUJBZ0lRU3B5cVp4QzU4NFFEbVFYdz
      server: https://34.138.168.200
    name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
contexts:
  - context:
      cluster: gke_amazing-chalice-243510_us-east1-b_dev-cluster
      user: gke_amazing-chalice-243510_us-east1-b_dev-cluster
    name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
current-context: gke_amazing-chalice-243510_us-east1-b_dev-cluster
kind: Config
preferences: {}
users:
  - name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
    user:
      auth-provider:
        config:
          cmd-args: config config-helper --format=json
          cmd-path: /home/trilio/google-cloud-sdk/bin/gcloud
          expiry-key: '{.credential.token_expiry}'
          token-key: '{.credential.access_token}'
        name: gcp

Credentials

Using credentials for login

For GKE clusters, the local binary gcloud reads a SQLite credentials file named credentials.db located at $HOME/.config/gcloud to generate an authentication token. All parameters required to generate the token exist in the same credentials.db file. When logging into the T4K UI deployed in a GKE cluster, a user is expected to provide the credentials.db file from $HOME/.config/gcloud to pass authentication.

Amazon Elastic Kubernetes Service (EKS)

Default kubeconfig

Credentials

Using credentials for login

For EKS clusters, the local binary aws (aws-cli) reads a credentials file named credentials located at $HOME/.aws to generate an authentication token. One additional parameter, the EKS cluster name, is required to generate a token and will be requested once at login. When logging into the T4K UI deployed in an EKS cluster, a user is expected to provide the credentials file from $HOME/.aws to pass authentication.
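
The Python sketch below is an added example, not code from Trilio or the T4K project: it inspects the users section of a kubeconfig and reports which of the credentials files described above a login would need, including the EKS cluster name taken from the exec arguments. The user names, the EKS and token entries in the sample, and all function names are constructed for illustration; the kubeconfig is given as JSON (valid YAML, and accepted by kubectl) so that only the standard library is needed.

```python
import json

# Constructed sample: the GKE auth-provider values shown on this page, plus a
# constructed EKS exec entry and a constructed static-token entry.
SAMPLE_KUBECONFIG = json.loads("""
{"users": [
  {"name": "gke-user", "user": {"auth-provider": {"name": "gcp", "config": {
      "cmd-path": "/home/trilio/google-cloud-sdk/bin/gcloud",
      "cmd-args": "config config-helper --format=json"}}}},
  {"name": "eks-user", "user": {"exec": {
      "command": "aws",
      "args": ["eks", "get-token", "--cluster-name", "example-cluster"]}}},
  {"name": "token-user", "user": {"token": "REDACTED"}}
]}
""")

def _eks_cluster_name(args):
    """Return the value of --cluster-name (space or '=' form), else None."""
    for i, arg in enumerate(args):
        if arg == "--cluster-name" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--cluster-name="):
            return arg.split("=", 1)[1]
    return None

def classify_user(user):
    """Map one kubeconfig user entry to the login material described above."""
    provider = user.get("auth-provider") or {}
    exec_cfg = user.get("exec") or {}
    args = exec_cfg.get("args") or []
    command = (exec_cfg.get("command") or "").rsplit("/", 1)[-1]
    if provider.get("name") == "gcp":
        return {"kind": "gke", "needs": "$HOME/.config/gcloud/credentials.db"}
    if command == "aws" and "get-token" in args:
        return {"kind": "eks", "needs": "$HOME/.aws/credentials",
                "cluster_name": _eks_cluster_name(args)}
    if exec_cfg or provider:
        return {"kind": "other-helper", "needs": None}  # not covered by this page
    return {"kind": "static", "needs": None}  # token, client certificate, etc.

def classify_kubeconfig(cfg):
    """Classify every entry in the kubeconfig's users list, keyed by name."""
    return {u["name"]: classify_user(u.get("user") or {})
            for u in cfg.get("users") or []}

if __name__ == "__main__":
    for name, result in classify_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(name, result)
```

A `cluster_name` of `None` for an EKS entry means the name could not be read from the kubeconfig and has to be supplied by hand at login.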
