Update exec credential provider KEP after convo with sig-auth

[ankeesler]

Signed-off-by: Andrew Keesler akeesler@vmware.com

• The goal of these updates is to reach consensus on how best to wire cluster info into exec credential providers so that we can wrap up and merge the implementation (exec credential provider: wire in cluster info kubernetes#91192).
• These edits were suggested by @liggitt in a conversation we had last week.
• There are still some open questions which will be added as comments.
• Previous PR in this saga: Update exec credential provider KEP with feedback from cluster info PR #1927.

[k8s-ci-robot]

Hi @ankeesler. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ankeesler]

Open question: is it OK to not include InsecureSkipTLSVerify here? Need to think through what guidance to exec plugins would be.

[ankeesler]

/assign @liggitt

I'm also wondering if @mikedanese would be interested in taking a look at this since I believe he did a lot of the original review on this KEP.

[liggitt]

Thinking about this more, I think we should include InsecureSkipTLSVerify.

If the kubeconfig has insecure-skip-tls-verify: true set, whatever credentials the auth plugin returns will be happily sent by client-go without verifying TLS.

If we omit this, I anticipate some auth plugins trying connections with insecure TLS as a fallback "just in case" that's how the user's kubeconfig was set up.

One upside of including InsecureSkipTLSVerify info is that it would allow credential providers to detect if replayable tokens they planned to return would be used in an insecure context, and to refuse.

[ankeesler]

ACK. @enj may slay me when he returns, but I'll add this into the struct. :)

[liggitt]

One upside of including InsecureSkipTLSVerify info is that it would allow credential providers to detect if replayable tokens they planned to return would be used in an insecure context, and to refuse.

That's how I talked myself into this

[ankeesler]

You speak truth!

[liggitt]

in the implementation, account for the fact that this envvar was already used in v1alpha1 and sent a serialized ExecCredential which did not include connection info

[liggitt]

describe the behavior in the following scenarios (well-known error, etc?):

• the envvar is not set
• the envvar is set to an empty string
• the envvar cannot be decoded (because it is malformed)
• the envvar cannot be decoded (because it contains an unrecognized type)

or document that in LoadCluster and indicate this delegates to that

[liggitt]

might consider names like LoadExecCredentialFromEnv / LoadExecCredential instead

[ankeesler]

ACK. I'll rev this description tonight.

[ankeesler]

well-known error

I am thinking here that a plugin that wants to use cluster info looks like this:

func main() {
  ec, rc, err := exec.LoadExecCredentialFromEnv()
  if err != nil {
    [0]
  }
  ...
}

The plugin will probably do something like fmt.Println(err); os.Exit(1); in [0]. I can't imagine that they would want to branch on what that error return is. If the exec plugin can't get the cluster information, I would hope that it doesn't sacrifice any security properties and just quits. Seems like it makes the package API surface easier to consume if we return opaque errors from these functions. If I am wrong about this assumption, then we should be able to update this package with those error helpers in a backwards compatible manner.

might consider names

I'll move forward with LoadExecCredential* to optimize for readability and speed of consensus, but I will mention that the original reason I went with Load is because the package name was exec and I had hoped that exec.Load() read as "load information necessary to do exec stuff".

[liggitt]

nit: go

[liggitt]

would it be simpler to do

func LoadCluster(data []byte) (execCredential runtime.Object, *rest.Config, error)

and let them type-assert the version they expect and get their exec config from execCredential.spec.cluster.config themselves?

[ankeesler]

Yes? Probably? You would have a better gut feel for this so I am tempted to go with the function signature that you proposed.

Your function signature gets rid of an error case where someone calls LoadCluster(data, &corev1.Pod{}) on my function signature. So I think I do like your's better.

I suppose injecting references for return values is nice in situations where you want the caller to be able to allocate the memory necessary for an object, but I won't be able to outsmart the Go compiler here, and it's 2020 so why even worry about memory...

[liggitt]

nit: note this is only set if provideClusterInfo: true in the exec provider config

[liggitt]

/ok-to-test
/approve

/hold go ahead and squash commits, and add the doc to the *Cluster field about when it is populated

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ankeesler, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• keps/sig-auth/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ankeesler]

Thanks @liggitt - I updated the *Cluster doc and squashed into a single commit.

[liggitt]

/hold cancel
/lgtm