Kubernetes -- client-go

client-go is the Go client for Kubernetes.

Authentication

I use EKS at work. Below is the section of my ./kube/config file,

- name: arn:aws:eks:us-east-2:597088060484:cluster/staging
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - staging
      - --output
      - json
      command: aws
      env:
      - name: AWS_PROFILE
        value: staging-admin
      interactiveMode: IfAvailable
      provideClusterInfo: false

Note, these configurations are auto generated by aws eks update-kubeconfig. How does EKS authentication work in this case? From the config above, it seems that kubectl runs aws eks get-token using aws profile staging-admin. Let’s do it

$ AWS_PROFILE=staging-admin aws --region us-east-2 eks get-token --cluster-name staging
{
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {},
    "status": {
        "expirationTimestamp": "2025-03-08T00:29:16Z",
        "token": "k8s-aws-v1...."
    }
}

It makes sense. You first generate a token belonging to an aws profile, and then use this token to authenticate with EKS. The corresponding code in client-go is here. Then this token is used as bearer token and added to the http header. Therefore, what permission does the kubectl have depends on the aws profile used to get the token.