fix: support EKS member impersonation#339
Conversation
|
Thanks for the contribution. The overall direction of this PR makes sense, and it can address the issue where member creation times out when some clusters, such as EKS, approve the CSR but do not return a certificate. However, the current implementation reuses the server-side impersonation configuration for the webkubectl kubeconfig download flow. Since webkubectl sends the generated kubeconfig to the member terminal, if that kubeconfig contains the original token or exec credentials used to import the cluster, a member could remove the impersonation fields and bypass KubePi's member RBAC restrictions. I recommend separating the handling of server-side internal access from the webkubectl downloadable kubeconfig flow, and ensuring that original cluster credentials are not exposed to members before merging this PR. |
Summary
Why
Some managed Kubernetes services, including EKS, accept and approve
kubernetes.io/kube-apiserver-clientCSRs but do not populatestatus.certificate. KubePi currently waits for the certificate and returns a 500 after the CSR timeout when creating a cluster member.Test Plan
go test ./internal/api/v1/cluster ./internal/service/v1/clusteraccess ./internal/api/v1/proxy ./internal/api/v1/webkubectlManual Verification
Approvedwith emptystatus.certificate.