Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication with AWS broke with version 1.24 #1210

Closed
azacchino opened this issue May 4, 2022 · 11 comments
Closed

Authentication with AWS broke with version 1.24 #1210

azacchino opened this issue May 4, 2022 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@azacchino
Copy link

azacchino commented May 4, 2022
edited
Loading

What happened:

After update kubectl to 1.24 from 1.23 i get the message

Unable to connect to the server: getting credentials: decoding stdout: no kind "ExecCredential" is registered for version "client.authentication.k8s.io/v1alpha1" in scheme "pkg/client/auth/exec/exec.go:62"

when I try to perform any operation.

What you expected to happen:

ex: list pods

How to reproduce it (as minimally and precisely as possible):

.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DA
    server: https://XXXXXXXXXXXXXXXXXXXXX.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
    user: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
  name: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
current-context: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:XXXXXXXXX/cluster/test_cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - test_cluster
      command: aws

Anything else we need to know?:

Environment:

  • Kubernetes client and server versions (use kubectl version): client 1.24 Server: 1.22
$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-03T13:46:05Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Unable to connect to the server: getting credentials: decoding stdout: no kind "ExecCredential" is registered for version "client.authentication.k8s.io/v1alpha1" in scheme "pkg/client/auth/exec/exec.go:62"
  • Cloud provider or hardware configuration: AWS EKS
  • OS (e.g: cat /etc/os-release Ubuntu 20.04.4 LTS
@azacchino azacchino added the kind/bug Categorizes issue or PR as related to a bug. label May 4, 2022
@k8s-ci-robot
Copy link
Contributor

@azacchino: This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label May 4, 2022
@code-is-art
Copy link

code-is-art commented May 4, 2022
edited
Loading

I am getting something similarly related switching from v1.23.6 to https://storage.googleapis.com/kubernetes-release/release/stable.txt which currently is v1.24.0.

aws eks update-kubeconfig --name ${EKS_CLUSTER_NAME} --region ${REGION}
kubectl version

I get

error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"

@code-is-art code-is-art mentioned this issue May 4, 2022
Closed
@ismarslomic
Copy link

Same issue here

@appdog
Copy link

appdog commented May 5, 2022
edited
Loading

Probably related to this deprecation https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation

The client.authentication.k8s.io/v1alpha1 ExecCredential has been removed. If you are using a client-go credential plugin that relies on the v1alpha1 API please contact the distributor of your plugin for instructions on how to migrate to the v1 API. (kubernetes/kubernetes#108616, @margocrawf)

@al-cheb al-cheb mentioned this issue May 5, 2022
Closed
8 tasks
@robertorosas
Copy link

Running into the same scenario on our EKS deployments from Github Actions:

{Version:kustomize/v4.5.4 GitCommit:cf3a452ddd6f83945d39d582243b8592ec627ae3 BuildDate:2022-03-28T23:12:45Z GoOs:linux GoArch:amd64}
Unable to connect to the server: getting credentials: decoding stdout: no kind "ExecCredential" is registered for version "client.authentication.k8s.io/v1alpha1" in scheme "pkg/client/auth/exec/exec.go:62"

I was able to recreate by locally upgrading to kubectl 1.24 and running kubectl version:
error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"

@vrodriguezcl
Copy link

vrodriguezcl commented May 5, 2022
edited
Loading

Same issue here. :(.
Any walkaround of how to temporary solve this ?

@roccoblues
Copy link

I've you're using homebrew on a Mac you can downgrade with:

brew unlink kubernetes-cli
brew install [email protected]
brew link [email protected] --force

@bigLucas
Copy link

bigLucas commented May 9, 2022

We have a fix on aws cli for this bug:
aws/aws-cli#6920 (comment)

@ismarslomic
Copy link

ismarslomic commented May 9, 2022
edited
Loading

I can confirm that this issue is fixed in kubernetes-cli v1.24.0 and awscli v2.6.3 (installed on mac with homebrew). Just make sure that apiVersion in your cube config files is switched

from apiVersion: client.authentication.k8s.io/v1alpha1
to apiVersion: client.authentication.k8s.io/v1beta1

@timfallmk timfallmk mentioned this issue May 10, 2022
Closed
@ardaguclu
Copy link
Member

This issue has been tracked in aws/aws-cli#6920 and it looks that this is not a bug regarding kubectl.

Thus, I'm closing that issue. If you think, there still is something related to kubectl, feel free re-open this issue again.

/close

@k8s-ci-robot
Copy link
Contributor

@ardaguclu: Closing this issue.

In response to this:

This issue has been tracked in aws/aws-cli#6920 and it looks that this is not a bug regarding kubectl.

Thus, I'm closing that issue. If you think, there still is something related to kubectl, feel free re-open this issue again.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@roccoblues @appdog @ismarslomic @robertorosas @azacchino @ardaguclu @k8s-ci-robot @bigLucas @code-is-art @vrodriguezcl