Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

client exec auth: updates for 1.11 #8932

Closed
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 28 additions & 48 deletions content/en/docs/reference/access-authn-authz/authentication.md
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -664,7 +664,7 @@ rules:


## client-go credential plugins ## client-go credential plugins


{{< feature-state for_k8s_version="v1.10" state="alpha" >}} {% assign for_k8s_version="v1.11" %}{% include feature-state-beta.md %}


`k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an `k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an
external command to receive user credentials. external command to receive user credentials.
Expand All @@ -675,8 +675,6 @@ protocol specific logic, then returns opaque credentials to use. Almost all cred
use cases require a server side component with support for the [webhook token authenticator](#webhook-token-authentication) use cases require a server side component with support for the [webhook token authenticator](#webhook-token-authentication)
to interpret the credential format produced by the client plugin. to interpret the credential format produced by the client plugin.


As of 1.10 only bearer tokens are supported. Support for client certs may be added in a future release.

### Example use case ### Example use case


In a hypothetical use case, an organization would run an external service that exchanges LDAP credentials In a hypothetical use case, an organization would run an external service that exchanges LDAP credentials
Expand Down Expand Up @@ -707,11 +705,13 @@ users:
# Command to execute. Required. # Command to execute. Required.
command: "example-client-go-exec-plugin" command: "example-client-go-exec-plugin"


# API version to use when encoding and decoding the ExecCredentials # API version to use when decoding the ExecCredentials resource. Required.
# resource. Required. #
# The API version returned by the plugin MUST match the version listed here.
# #
# The API version returned by the plugin MUST match the version encoded. # Tools that support the alpha API should use an "env" field below to indicate
apiVersion: "client.authentication.k8s.io/v1alpha1" # which version the exec plugin is using.
apiVersion: "client.authentication.k8s.io/v1beta1"


# Environment variables to set when executing the plugin. Optional. # Environment variables to set when executing the plugin. Optional.
env: env:
Expand Down Expand Up @@ -745,75 +745,55 @@ the binary `/home/jane/bin/example-client-go-exec-plugin` is executed.
exec: exec:
# Path relative to the directory of the kubeconfig # Path relative to the directory of the kubeconfig
command: "./bin/example-client-go-exec-plugin" command: "./bin/example-client-go-exec-plugin"
apiVersion: "client.authentication.k8s.io/v1alpha1" apiVersion: "client.authentication.k8s.io/v1beta1"
``` ```


### Input and output formats ### Input and output formats


When executing the command, `k8s.io/client-go` sets the `KUBERNETES_EXEC_INFO` environment The executed command is expected to print an `ExceCredential` object to `stdout`. `k8s.io/client-go`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace lines 753-754 with:

The executed command prints an `ExecCredential` object to `stdout`. `k8s.io/client-go`
authenticates against the Kubernetes API using the returned credentials in the `status`. 

variable to a JSON serialized [`ExecCredential`]( will then use the returned credentials in the `status` when authenticating against the Kubernetes API.
https://github.com/kubernetes/client-go/blob/master/pkg/apis/clientauthentication/v1alpha1/types.go)
resource.

```
KUBERNETES_EXEC_INFO='{
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"kind": "ExecCredential",
"spec": {
"interactive": true
}
}'
```


When plugins are executed from an interactive session, `stdin` and `stderr` are directly When run from an interactive session `stdin` is exposed directly to the plugin. Plugins should use a
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaces lines 756-758 with:

When run from an interactive session, `stdin` is exposed directly to the plugin. Plugins should use a
[TTY check](https://godoc.org/golang.org/x/crypto/ssh/terminal#IsTerminal) to determine if it's
appropriate to prompt a user interactively.

exposed to the plugin so it can prompt the user for input for interactive logins. [TTY check](https://godoc.org/golang.org/x/crypto/ssh/terminal#IsTerminal) to determine if it's
appropriate to prompt a user interactively.


When responding to a 401 HTTP status code (indicating invalid credentials), this object will To use bearer token credentials, the plugin returns a token in the status of the `ExecCredential`.
include metadata about the response.


```json ```json
{ {
"apiVersion": "client.authentication.k8s.io/v1alpha1", "apiVersion": "client.authentication.k8s.io/v1beta1",
"kind": "ExecCredential", "kind": "ExecCredential",
"spec": { "status": {
"response": { "token": "my-bearer-token"
"code": 401,
"header": {
"WWW-Authenticate": [
"Bearer realm=ldap.example.com"
]
},
},
"interactive": true
} }
} }
``` ```


The executed command is expected to print an `ExceCredential` to `stdout`. `k8s.io/client-go` This output can include the expiry of the token formatted as a RFC3339 timestamp. If an expiry is
will then use the returned bearer token in the `status` when authenticating against the omitted, the bearer token is cached in-memory until the server responds with a 401 HTTP status code.
Kubernetes API.


```json ```json
{ {
"apiVersion": "client.authentication.k8s.io/v1alpha1", "apiVersion": "client.authentication.k8s.io/v1beta1",
"kind": "ExecCredential", "kind": "ExecCredential",
"status": { "status": {
"token": "my-bearer-token" "token": "my-bearer-token",
"expirationTimestamp": "2018-03-05T17:30:20-08:00"
} }
} }
``` ```


Optionally, this output can include the expiry of the token formatted as a RFC3339 timestamp. Alternatively, a PEM encoded client key pair can be returned to use TLS client auth. The status can
If an expiry is omitted, the bearer token is cached until the server responds with a 401 HTTP include an optional expiry. If the plugin returns a different key pair on a subsequent call,
status code. Note that this caching is only for the duration of process and therefore the plugin `k8s.io/client-go` will close existing connections with the server to force a new TLS handshake.
is triggered each time the tool using the plugin is invoked.


```json ```json
{ {
"apiVersion": "client.authentication.k8s.io/v1alpha1", "apiVersion": "client.authentication.k8s.io/v1beta1",
"kind": "ExecCredential", "kind": "ExecCredential",
"status": { "status": {
"token": "my-bearer-token", "clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUdJjFbDtfMV3dr9kz31A1tJ5NUucwCgYIKoZIzj0EAwIw\nEjEQMA4GA1UEAxMHZXRjZC1jYTAeFw0xODA2MDUyMjE4MDBaFw0yMzA2MDQyMjE4\nMDBaMA8xDTALBgNVBAMTBHJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATL\nAiIj9Ys3llkqw9sxYrTkT/f9CovZLJedmy1UNJ3oWRWCPLaJfCqzUqbnmDHYNd+0\n9vqHEZXWvwo77CKn/R8xo3UwczAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI\nKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUjhtqg/FpowLzZm39l7nz\nWVG8HmMwHwYDVR0jBBgwFoAUnVk+crP5CA5Az1VVCBNCDWEFp6IwCgYIKoZIzj0E\nAwIDSAAwRQIhAN8lfRdj63blobkj+NN1SddsSmo2/hSi7meWnnedvLMdAiBwe4dg\nDeDERq+IX7oq5TH5Q2J53r8LRvPZhapq3NzqJw==\n-----END CERTIFICATE-----\n",
"clientKeyData": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBns6XkPfM8KA/9QfQ4WABPr91QN2i9nACmVx4MsH+a5oAoGCCqGSM49\nAwEHoUQDQgAEywIiI/WLN5ZZKsPbMWK05E/3/QqL2SyXnZstVDSd6FkVgjy2iXwq\ns1Km55gx2DXftPb6hxGV1r8KO+wip/0fMQ==\n-----END EC PRIVATE KEY-----\n",
"expirationTimestamp": "2018-03-05T17:30:20-08:00" "expirationTimestamp": "2018-03-05T17:30:20-08:00"
} }
} }
Expand Down