exec credential provider: wire in cluster info#91192
exec credential provider: wire in cluster info#91192enj wants to merge 3 commits intokubernetes:masterfrom
Conversation
|
/retest |
|
/remove-sig api-machinery |
|
👋 Hello from Bug Triage team! The code freeze is starting June 25th (about 4 weeks from now) and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time. As the PR is tagged for 1.19, is it still planned for this release? |
|
@bai: GitHub didn't allow me to request PR reviews from the following users: enj. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/types.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/types.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/types.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
Outdated
Show resolved
Hide resolved
ca531c9 to
4d78dbb
Compare
|
/retest |
|
/lgtm |
Signed-off-by: Monis Khan <mok@vmware.com>
a2fdc3d to
17df008
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: enj, mikedanese The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
Hey 👋 Bug Triage Shadow here. Looks like this PR is 🍏 and is waiting for final reviews 👀 . Wanted to post a friendly reminder that code freeze starts tomorrow to make sure this one doesn't fall through the cracks 🙏 |
code freeze has been moved to July 9th per https://github.com/kubernetes/sig-release/tree/master/releases/release-1.19#tldr |
| if c.ExecProvider != nil { | ||
| provider, err := exec.GetAuthenticator(c.ExecProvider) | ||
| if c.Exec.ExecProvider != nil { | ||
| caData, err := dataFromSliceOrFile(c.CAData, c.CAFile) |
There was a problem hiding this comment.
for a CAFile config, this reads/freezes the data from the file at TransportConfig() construction time rather than transport construction time... probably not a big deal, but notable... could end up with different content here than is used in the transport itself.
There was a problem hiding this comment.
it's also maybe slightly unexpected that TransportConfig() would do file reads...
There was a problem hiding this comment.
I could pass in the logic as a closure to delay the computation if you think the extra complexity would be worth it?
| // Cluster contains information to allow an exec plugin to communicate | ||
| // with the kubernetes cluster being authenticated to. |
There was a problem hiding this comment.
I missed some of the discussion around this, so asked a question at https://github.com/kubernetes/enhancements/pull/1711/files#r445956764, echoing here:
I can see use cases for cluster hostname and custom config bits, but I was surprised by the ServerName and CAData bits... are we expecting exec plugins to call out to the server we are asking them to provide credentials for?
If so, don't we need to include ProxyURL and InsecureSkipTLSVerify?
There was a problem hiding this comment.
is there a reason not to just use the serialized version of the cluster stanza from the kubeconfig file more or less as-is?
There was a problem hiding this comment.
I was surprised by the ServerName and CAData bits... are we expecting exec plugins to call out to the server we are asking them to provide credentials for?
Yes, similar to what oc login does today to determine the location of the OAuth server (i.e. read this well known config map that tells you something dynamic about the cluster).
If so, don't we need to include ProxyURL and InsecureSkipTLSVerify?
The per-cluster ProxyURL was added in v1.19 without me noticing, but yeah, we should include that. I left out InsecureSkipTLSVerify on purpose to discourage its use...
is there a reason not to just use the serialized version of the cluster stanza from the kubeconfig file more or less as-is?
I had that in the original draft of the KEP updates. See kubernetes/enhancements#1711 (comment). @mikedanese leaned towards a new struct, and I liked the idea of just having a single well-known extension key to pass through instead of just dumping everything.
There was a problem hiding this comment.
Opened a new PR into the KEP to try to address this design update: kubernetes/enhancements#1927.
| // cluster: | ||
| // ... | ||
| // extensions: | ||
| // - name: exec # reserved extension name for per cluster exec config |
There was a problem hiding this comment.
I'm not sure it's ok to declare an unqualified name (no kubernetes.io/ prefix) reserved after the fact like this.
would it be better for the exec config to opt into getting cluster info (and maybe even identify the named cluster extension it wants)?
clusters:
- name: my-cluster
cluster:
...
extensions:
- name: myexec
extension:
audience: 06e3fbd18de8 # arbitrary config
users:
- name: myuser
user:
exec:
...
includeClusterConfig: true
includeClusterExtension: myexecthat would:
- avoid having a magic extension name
- avoid clusters only working with a single plugin
- avoid sending exec plugins data they did not expect/want (CA data specifically could be quite large to include in the env)
- avoid multiple calls to an exec plugin for different clusters when it didn't care about the cluster and the already-fetched credential could have been used
There was a problem hiding this comment.
I would personally lean towards just changing exec to client.authentication.k8s.io/exec to prevent any possible collision instead of expanding ExecConfig (though I suspect that we would be fine using exec).
avoid having a magic extension name
I am not sure this is much different from the exec: stanza under user:.
avoid clusters only working with a single plugin
Somehow I do not see a user having the same cluster with multiple distinct exec plugins configured. I realize it is technically possible, but not exactly practical or common.
avoid sending exec plugins data they did not expect/want (CA data specifically could be quite large to include in the env)
I think we can handle the extra 2 KB via the env var...
avoid multiple calls to an exec plugin for different clusters when it didn't care about the cluster and the already-fetched credential could have been used
Using the same credential across clusters is an incredibly unsafe pattern. If you are using a bearer token, you are at risk of a compromised cluster replaying your credentials. For both tokens and certs, if the credential is stolen from disk, it can be used against multiple clusters. Combine that with no revocation of certs, and you are really asking for trouble. I am okay adding the latency of exec-ing the binary per cluster as the binary will likely need to do some form of caching itself to support clients like kubectl.
There was a problem hiding this comment.
Opened a new PR into the KEP to try to address this design update: kubernetes/enhancements#1927.
| // Cluster contains information to allow an exec plugin to communicate | ||
| // with the kubernetes cluster being authenticated to. |
There was a problem hiding this comment.
is there a reason not to just use the serialized version of the cluster stanza from the kubeconfig file more or less as-is?
| conf: conf, | ||
| cluster: cluster, | ||
| } | ||
| return spewConfig.Sprint(key) |
There was a problem hiding this comment.
does this do the right thing printing the runtime.Config object?
There was a problem hiding this comment.
Yeah, the new test cases in TestCacheKey should cover that.
|
/uncc |
|
@enj: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hi @enj! 👋🏽 I'm from the Bug Triage Team! The code freeze for 1.20 release is starting November 12th which is about 3 weeks from now. As the PR is tagged for 1.20, is it still planned for this release? |
|
Hey @sayanchowdhury - we have opened a new PR which has a superset of the stuff included in this PR. Here is the new PR: #95489. I opened the new PR since I wanted to add right on top of @enj's work. I think if that superset PR gets merged, we can close this PR since @enj's work here will be included in the other PR. |
|
Thanks @ankeesler for the update 👍🏽 |
|
subsumed by #95489 /close |
|
@dims: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
…cluster exec credential provider: wire in cluster info (superset of #91192)
Signed-off-by: Monis Khan mok@vmware.com
/kind feature
/sig auth
/milestone v1.19
/assign @mikedanese
/priority important-soon
@kubernetes/sig-auth-pr-reviews
xref: kubernetes/enhancements#1711