-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
client exec auth: updates for 1.11 #8932
Closed
ericchiang
wants to merge
1
commit into
kubernetes:release-1.11
from
ericchiang:client-exec-auth-1-11
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
|
@@ -664,7 +664,7 @@ rules: | ||
|
|
||
## client-go credential plugins | ## client-go credential plugins | ||
|
|
||
{{< feature-state for_k8s_version="v1.10" state="alpha" >}} | {% assign for_k8s_version="v1.11" %}{% include feature-state-beta.md %} | ||
|
|
||
`k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an | `k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an | ||
external command to receive user credentials. | external command to receive user credentials. | ||
|
@@ -675,8 +675,6 @@ protocol specific logic, then returns opaque credentials to use. Almost all cred | ||
use cases require a server side component with support for the [webhook token authenticator](#webhook-token-authentication) | use cases require a server side component with support for the [webhook token authenticator](#webhook-token-authentication) | ||
to interpret the credential format produced by the client plugin. | to interpret the credential format produced by the client plugin. | ||
|
|
||
As of 1.10 only bearer tokens are supported. Support for client certs may be added in a future release. | |||
|
|||
### Example use case | ### Example use case | ||
|
|
||
In a hypothetical use case, an organization would run an external service that exchanges LDAP credentials | In a hypothetical use case, an organization would run an external service that exchanges LDAP credentials | ||
|
@@ -707,11 +705,13 @@ users: | ||
# Command to execute. Required. | # Command to execute. Required. | ||
command: "example-client-go-exec-plugin" | command: "example-client-go-exec-plugin" | ||
|
|
||
# API version to use when encoding and decoding the ExecCredentials | # API version to use when decoding the ExecCredentials resource. Required. | ||
# resource. Required. | # | ||
# The API version returned by the plugin MUST match the version listed here. | |||
# | # | ||
# The API version returned by the plugin MUST match the version encoded. | # Tools that support the alpha API should use an "env" field below to indicate | ||
apiVersion: "client.authentication.k8s.io/v1alpha1" | # which version the exec plugin is using. | ||
apiVersion: "client.authentication.k8s.io/v1beta1" | |||
|
|
||
# Environment variables to set when executing the plugin. Optional. | # Environment variables to set when executing the plugin. Optional. | ||
env: | env: | ||
|
@@ -745,75 +745,55 @@ the binary `/home/jane/bin/example-client-go-exec-plugin` is executed. | ||
exec: | exec: | ||
# Path relative to the directory of the kubeconfig | # Path relative to the directory of the kubeconfig | ||
command: "./bin/example-client-go-exec-plugin" | command: "./bin/example-client-go-exec-plugin" | ||
apiVersion: "client.authentication.k8s.io/v1alpha1" | apiVersion: "client.authentication.k8s.io/v1beta1" | ||
``` | ``` | ||
|
|
||
### Input and output formats | ### Input and output formats | ||
|
|
||
When executing the command, `k8s.io/client-go` sets the `KUBERNETES_EXEC_INFO` environment | The executed command is expected to print an `ExceCredential` object to `stdout`. `k8s.io/client-go` | ||
variable to a JSON serialized [`ExecCredential`]( | will then use the returned credentials in the `status` when authenticating against the Kubernetes API. | ||
https://github.com/kubernetes/client-go/blob/master/pkg/apis/clientauthentication/v1alpha1/types.go) | |||
resource. | |||
|
|||
``` | |||
KUBERNETES_EXEC_INFO='{ | |||
"apiVersion": "client.authentication.k8s.io/v1alpha1", | |||
"kind": "ExecCredential", | |||
"spec": { | |||
"interactive": true | |||
} | |||
}' | |||
``` | |||
|
|
||
When plugins are executed from an interactive session, `stdin` and `stderr` are directly | When run from an interactive session `stdin` is exposed directly to the plugin. Plugins should use a | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Replaces lines 756-758 with:
|
|||
exposed to the plugin so it can prompt the user for input for interactive logins. | [TTY check](https://godoc.org/golang.org/x/crypto/ssh/terminal#IsTerminal) to determine if it's | ||
appropriate to prompt a user interactively. | |||
|
|
||
When responding to a 401 HTTP status code (indicating invalid credentials), this object will | To use bearer token credentials, the plugin returns a token in the status of the `ExecCredential`. | ||
include metadata about the response. | |||
|
|
||
```json | ```json | ||
{ | { | ||
"apiVersion": "client.authentication.k8s.io/v1alpha1", | "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
"kind": "ExecCredential", | "kind": "ExecCredential", | ||
"spec": { | "status": { | ||
"response": { | "token": "my-bearer-token" | ||
"code": 401, | |||
"header": { | |||
"WWW-Authenticate": [ | |||
"Bearer realm=ldap.example.com" | |||
] | |||
}, | |||
}, | |||
"interactive": true | |||
} | } | ||
} | } | ||
``` | ``` | ||
|
|
||
The executed command is expected to print an `ExceCredential` to `stdout`. `k8s.io/client-go` | This output can include the expiry of the token formatted as a RFC3339 timestamp. If an expiry is | ||
will then use the returned bearer token in the `status` when authenticating against the | omitted, the bearer token is cached in-memory until the server responds with a 401 HTTP status code. | ||
Kubernetes API. | |||
|
|
||
```json | ```json | ||
{ | { | ||
"apiVersion": "client.authentication.k8s.io/v1alpha1", | "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
"kind": "ExecCredential", | "kind": "ExecCredential", | ||
"status": { | "status": { | ||
"token": "my-bearer-token" | "token": "my-bearer-token", | ||
"expirationTimestamp": "2018-03-05T17:30:20-08:00" | |||
} | } | ||
} | } | ||
``` | ``` | ||
|
|
||
Optionally, this output can include the expiry of the token formatted as a RFC3339 timestamp. | Alternatively, a PEM encoded client key pair can be returned to use TLS client auth. The status can | ||
If an expiry is omitted, the bearer token is cached until the server responds with a 401 HTTP | include an optional expiry. If the plugin returns a different key pair on a subsequent call, | ||
status code. Note that this caching is only for the duration of process and therefore the plugin | `k8s.io/client-go` will close existing connections with the server to force a new TLS handshake. | ||
is triggered each time the tool using the plugin is invoked. | |||
|
|
||
```json | ```json | ||
{ | { | ||
"apiVersion": "client.authentication.k8s.io/v1alpha1", | "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
"kind": "ExecCredential", | "kind": "ExecCredential", | ||
"status": { | "status": { | ||
"token": "my-bearer-token", | "clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUdJjFbDtfMV3dr9kz31A1tJ5NUucwCgYIKoZIzj0EAwIw\nEjEQMA4GA1UEAxMHZXRjZC1jYTAeFw0xODA2MDUyMjE4MDBaFw0yMzA2MDQyMjE4\nMDBaMA8xDTALBgNVBAMTBHJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATL\nAiIj9Ys3llkqw9sxYrTkT/f9CovZLJedmy1UNJ3oWRWCPLaJfCqzUqbnmDHYNd+0\n9vqHEZXWvwo77CKn/R8xo3UwczAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI\nKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUjhtqg/FpowLzZm39l7nz\nWVG8HmMwHwYDVR0jBBgwFoAUnVk+crP5CA5Az1VVCBNCDWEFp6IwCgYIKoZIzj0E\nAwIDSAAwRQIhAN8lfRdj63blobkj+NN1SddsSmo2/hSi7meWnnedvLMdAiBwe4dg\nDeDERq+IX7oq5TH5Q2J53r8LRvPZhapq3NzqJw==\n-----END CERTIFICATE-----\n", | ||
"clientKeyData": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBns6XkPfM8KA/9QfQ4WABPr91QN2i9nACmVx4MsH+a5oAoGCCqGSM49\nAwEHoUQDQgAEywIiI/WLN5ZZKsPbMWK05E/3/QqL2SyXnZstVDSd6FkVgjy2iXwq\ns1Km55gx2DXftPb6hxGV1r8KO+wip/0fMQ==\n-----END EC PRIVATE KEY-----\n", | |||
"expirationTimestamp": "2018-03-05T17:30:20-08:00" | "expirationTimestamp": "2018-03-05T17:30:20-08:00" | ||
} | } | ||
} | } | ||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace lines 753-754 with: