I have been working on a serverless framework recently, which I have put onto EKS.
Most of it worked, except the CLI, which relies on the k8s client-go library to authenticate and is not able to do so with EKS (it works well with Azure AKS and GCP).
It turns out the issue was with the k8s client-go library, which doesn't deal with aws-iam-authenticator. As a workaround, the patch is to apply the service account token as a bearer token.
# command to get the token
kubectl describe secret account -n namespace | grep -E '^token' | cut -f2 -d':' | tr -d " "
Then, in client-go, patch the token into the Authorization header as a bearer token:
// retrieve the token either from a secret file or from an env var
// (note: Go does not expand "~" in file paths, so use an absolute path)
//token, err := ioutil.ReadFile("~/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey)
//token := os.Getenv("BEARER_TOKEN")
// add the header if it's not yet there ("xxx" stands for the token value)
r.headers.Set("Authorization", "Bearer xxx")
// before the real HTTP call
resp, err := client.Do(req)
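The same "add the header if it's not there, before the real HTTP call" step can live in an `http.RoundTripper` instead of a patched library. This is an added example using only the Go standard library, not code from the post or from client-go; `bearerTransport`, `capture`, `probe` and the `eks.example.invalid` host are hypothetical names, and the transport also refuses an empty token or a non-HTTPS URL so the token never travels in cleartext.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// bearerTransport is a hypothetical wrapper, not a client-go type.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Header.Get("Authorization") != "" {
		return t.next.RoundTrip(req) // already authenticated: leave untouched
	}
	if req.URL.Scheme != "https" || t.token == "" {
		return nil, fmt.Errorf("bearer token is empty or would travel over plaintext")
	}
	clone := req.Clone(req.Context()) // a RoundTripper must not mutate its input
	clone.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(clone)
}

// capture stands in for the API server: it records the header, sends nothing.
type capture struct{ seen string }
func (c *capture) RoundTrip(r *http.Request) (*http.Response, error) {
	c.seen = r.Header.Get("Authorization")
	return &http.Response{StatusCode: 200, Body: http.NoBody, Header: http.Header{}}, nil
}

// probe returns the Authorization header the server side would see for req.
// TrimSpace matters: a token read from a file or kubectl output ends in "\n".
func probe(rawToken string, req *http.Request) (string, error) {
	sink := &capture{}
	client := &http.Client{Transport: &bearerTransport{strings.TrimSpace(rawToken), sink}}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return sink.seen, nil
}

func main() {
	req, _ := http.NewRequest("GET", "https://eks.example.invalid/api", nil) // constructed host
	fmt.Println(probe(os.Getenv("BEARER_TOKEN"), req))
}
```

In a real client, `next` would be the TLS-configured transport that talks to the cluster rather than the recording stub.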