fix: support EKS member impersonation #339

Open
vgocoder wants to merge 1 commit into 1Panel-dev:master from vgocoder:fix/eks-member-impersonation

@vgocoder

Summary

  • Avoid client-certificate CSR waits for imported token/exec kubeconfigs that can authenticate with the original credential and impersonate members instead.
  • Preserve certificate-based member auth where CSR signing is available, while falling back to impersonation when a member binding has no certificate.
  • Reuse the same impersonation-aware access setup across cluster access, proxy, and webkubectl config generation.

Why

Some managed Kubernetes services, including EKS, accept and approve kubernetes.io/kube-apiserver-client CSRs but do not populate status.certificate. KubePi currently waits for the certificate and returns a 500 after the CSR timeout when creating a cluster member.

Test Plan

  • go test ./internal/api/v1/cluster ./internal/service/v1/clusteraccess ./internal/api/v1/proxy ./internal/api/v1/webkubectl

Manual Verification

  • Reproduced on an EKS cluster: CSR became Approved with empty status.certificate.
  • Verified patched KubePi creates an EKS cluster member in ~1s and the generated EKS RBAC allows the impersonated user to list namespaces.
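
The fallback described in this pull request, as an added example that is not code from the PR or from KubePi: a member with no signed certificate is served by wrapping the transport that carries the imported credential and setting the Kubernetes impersonation headers (`Impersonate-User`, `Impersonate-Group`). The `Member` type and all function names are hypothetical, and dropping caller-supplied `Impersonate-*` headers is an assumption about how a proxy path should treat inbound requests, so the identity always comes from the server-side binding.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Member is a hypothetical stand-in for a cluster member binding.
type Member struct {
	Name        string
	Groups      []string
	Certificate []byte // empty when the CSR was approved but never signed
}

// UseImpersonation reports whether m has no client certificate to authenticate with.
func UseImpersonation(m Member) bool { return len(m.Certificate) == 0 }

// impersonatingTransport sets the impersonation headers for one member.
type impersonatingTransport struct {
	member Member
	base   http.RoundTripper // carries the imported token/exec credential
}

func (t impersonatingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	out := req.Clone(req.Context()) // never mutate the caller's request
	// Drop caller-supplied impersonation headers (user, group, uid, extra) so
	// a proxied request cannot choose its own identity.
	for k := range out.Header {
		if strings.HasPrefix(http.CanonicalHeaderKey(k), "Impersonate-") {
			delete(out.Header, k)
		}
	}
	out.Header.Set("Impersonate-User", t.member.Name)
	for _, g := range t.member.Groups {
		out.Header.Add("Impersonate-Group", g)
	}
	return t.base.RoundTrip(out)
}

// TransportFor keeps base as-is for certificate members and wraps it otherwise.
func TransportFor(m Member, base http.RoundTripper) http.RoundTripper {
	if !UseImpersonation(m) {
		return base
	}
	return impersonatingTransport{member: m, base: base}
}

func main() { fmt.Println(UseImpersonation(Member{Name: "alice"})) } // constructed sample member
```

With this approach the imported credential needs the RBAC `impersonate` verb on the users and groups it acts as, and the member's effective permissions are whatever RBAC grants the impersonated identity.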
