Attempt to implement exec-plugins support in kubeconfig #75
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
Codecov Report
@@ Coverage Diff @@
## master #75 +/- ##
==========================================
- Coverage 91.85% 91.63% -0.22%
==========================================
Files 11 13 +2
Lines 994 1124 +130
==========================================
+ Hits 913 1030 +117
- Misses 81 94 +13
Continue to review full report at Codecov.
|
k8s-ci-robot
added
size/L
|
@roycaihw What is the process to get this reviewed and (hopefully) accepted? |
|
I tested this PR and worked, any plan to merge it? |
dovreshef
force-pushed
the
master
branch
4 times, most recently
from
999c199 to
d56d8df
Compare
|
I'd love to see this merged too. |
|
thanks for the pr. has this been tested with python 2.7.12? |
|
I have tested this with 2.7.15. |
config/exec_provider.py
Outdated
| @@ -0,0 +1,79 @@ | |||
| # Copyright 2016 The Kubernetes Authors. | |||
There was a problem hiding this comment.
s/2016/2018/ for all copyright notices?
config/exec_provider_test.py
Outdated
| def setUp(self): | ||
| self.input_ok = { | ||
| 'command': 'aws-iam-authenticator token -i dummy', | ||
| 'apiVersion': 'client.authentication.k8s.io/v1alpha1' |
There was a problem hiding this comment.
s/v1alpha1/v1beta1/ for all the tests? the feature is v1beta1 is 1.11
config/exec_provider.py
Outdated
| 'apiVersion': self.api_version, | ||
| 'kind': 'ExecCredential', | ||
| 'spec': { | ||
| 'interactive': True |
There was a problem hiding this comment.
why is it hard coded to True?
There was a problem hiding this comment.
I have changed it to be the same as the process's stdout (using sys.stdout.isatty()), which is what was done here https://github.com/kubernetes/kubernetes/blob/7b6647a418c660f2c87f183f706b297f1cb573ca/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go#L128 (I think).
But I'm still not clear whether or not I should detect interactive stdin as well. Also, if it is interactive, what else am I supposed to do.
config/exec_provider.py
Outdated
|
|
||
| class ExecProvider(object): | ||
| def __init__(self, exec_config): | ||
| for key in ['command', 'apiVersion']: |
There was a problem hiding this comment.
could you list explicitly what is implemented (v1beta1, right?) as listed in the proposal (https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md), or better, what is left out.
AFAICT, TLS cert, caching are not implemented.
what about refreshing? what to do when token expires?
There was a problem hiding this comment.
TLS cert, caching are indeed not implemented.
TLS cert
I did not implement it.
My reading of the proposal language
TLS client certificate support is orthogonal to bearer tokens, but something that we should consider supporting in the future.
lead me to think it is not implemented in the go client as well.
caching
I can try to add caching by basing it on the way it is implemented for the other auth methods, taking into account the expiry field.
But there is a problem. Right now aws-iam-authenticator does not return anexpiry field, even though the returned token is only valid for a short period (15 minutes IIRC).
The proposal on the other hand specifies:
Plugins can indicate their credentials explicit expiry using the Expiry field on the returned ExecCredentials object, otherwise credentials will be cached throughout the lifetime of a program.
I can check the return value if it is 401 and in that case re-execute the plugin, which is what the proposal also recommends. But I do not understand the code well enough for that.
Can you point me where in the code would it be best to hook up such a mechanism?
what about refreshing? what to do when token expires?
Right now I do not cache the token at all. So since the plugin always executes, the token received is always fresh.
There was a problem hiding this comment.
since this is a highly desired feature, and it is orthogonal to the other auth methods. I think it is safe to merge with some missing features. people who need those features can implement them on top of this later.
so could you please add some comments about what features are missing, and probably a link
to the design (https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md). then I think we can merge it. Thanks.
There was a problem hiding this comment.
Added. Hope it's ok.
|
How far from getting this merged are we? Is there anything I can do to help this go through faster? |
|
I don't think it's far. I put in some comments, as soon as those are addressed, we can merge it. |
|
@dovreshef Do you need help fixing @yliaog's comments? Thanks for building this BTW. |
|
@macat I'd be glad for help. I'll not be able to get to this before Monday. |
|
👍 |
|
Hi all. I have updated the PR. I'm sorry about the delay, real life intervened. Edit: Also, I don't know what |
|
No worries. I’m using a monkey patch with this change to tide me over. 😉 |
dovreshef
force-pushed
the
master
branch
3 times, most recently
from
c02241d to
c1bb5cc
Compare
config/kube_config.py
Outdated
| status = ExecProvider(self._user['exec']).run() | ||
| if 'token' not in status: | ||
| raise ConfigException( | ||
| 'Missing token field in exec plugin response') |
There was a problem hiding this comment.
i think it's better to catch all the exceptions and return None in case there is any exception, just to give a chance to other auth methods. that is the general pattern used by other load...() methods.
There was a problem hiding this comment.
Ok.
Then there is no reason throw any exception at all in exec_provider.py?
In that case how should I inform the user if the exec process return an error, or missing exec config, etc?
There was a problem hiding this comment.
it's still good to have exceptions from exec_provider.py, then in kube_config.py, when it catches the exception, it could log it, and proceed.
There was a problem hiding this comment.
Done. I have used logging.error since it seems to me to be more of an error than a warning. Since it implies an incorrect exec config / result.
…token only, no caching)
|
thanks for the PR. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dovreshef, yliaog The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
thanks a lot! |
|
For posterity: this one fixes kubernetes-client/python#514 |
Hi
This is my attempt to implement exec plugin support.
I've only tested this using Python3 with EKS.
I'm also only supporting token authentication for now, since it was not clear to me how to support anything else.
I'm willing to do the necessary changes to get it to merge, but I might need help.
Thanks,