From 0cfc62d1771f1ba0cf062c932e839e4329b44e01 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Tue, 15 Jun 2021 16:16:17 -0400 Subject: [PATCH] exec credential provider: v1 documentation Signed-off-by: Andrew Keesler --- .../access-authn-authz/authentication.md | 45 ++++++++++++++----- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md index 2e223b023a1b1..53405379bc3d5 100644 --- a/content/en/docs/reference/access-authn-authz/authentication.md +++ b/content/en/docs/reference/access-authn-authz/authentication.md @@ -836,7 +836,7 @@ rules: ## client-go credential plugins -{{< feature-state for_k8s_version="v1.11" state="beta" >}} +{{< feature-state for_k8s_version="v1.22" state="stable" >}} `k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an external command to receive user credentials. @@ -882,8 +882,9 @@ users: # The API version returned by the plugin MUST match the version listed here. # # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1), - # set an environment variable or pass an argument to the tool that indicates which version the exec plugin expects. - apiVersion: "client.authentication.k8s.io/v1beta1" + # set an environment variable, pass an argument to the tool that indicates which version the exec plugin expects, + # or read the version from the ExecCredential object in the KUBERNETES_EXEC_INFO environment variable. + apiVersion: "client.authentication.k8s.io/v1" # Environment variables to set when executing the plugin. Optional. env: @@ -912,6 +913,13 @@ users: # very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO # environment variable. provideClusterInfo: true + + # The contract between the exec plugin and the standard input I/O stream. If the + # contract cannot be satisfied, this plugin will not be run and an error will be + # returned. Valid values are "Never" (this exec plugin never uses standard input), + # "IfAvailable" (this exec plugin wants to use standard input if it is available), + # or "Always" (this exec plugin requires standard input to function). Required. + interactiveMode: IfAvailable clusters: - name: my-cluster cluster: @@ -941,24 +949,40 @@ the binary `/home/jane/bin/example-client-go-exec-plugin` is executed. exec: # Path relative to the directory of the kubeconfig command: "./bin/example-client-go-exec-plugin" - apiVersion: "client.authentication.k8s.io/v1beta1" + apiVersion: "client.authentication.k8s.io/v1" + interactiveMode: IfAvailable ``` ### Input and output formats The executed command prints an `ExecCredential` object to `stdout`. `k8s.io/client-go` authenticates against the Kubernetes API using the returned credentials in the `status`. - -When run from an interactive session, `stdin` is exposed directly to the plugin. Plugins should use a -[TTY check](https://godoc.org/golang.org/x/crypto/ssh/terminal#IsTerminal) to determine if it's -appropriate to prompt a user interactively. +The executed command is passed an `ExecCredential` object as input via the `KUBERNETES_EXEC_INFO` +environment variable. This input contains helpful information like the expected API version +of the returned `ExecCredential` object and whether or not the plugin can use `stdin` to interact +with the user. + +When run from an interactive session (i.e., a terminal), `stdin` can be exposed directly +to the plugin. Plugins should use the `spec.interactive` field of the input +`ExecCredential` object from the `KUBERNETES_EXEC_INFO` environment variable in order to +determine if `stdin` has been provided. A plugin's `stdin` requirements (i.e., whether +`stdin` is optional, strictly required, or strictly not required in order for the plugin +to run successfully) must be declared via the `user.exec.interactiveMode` field in the +[kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) (see table +below for valid values). + +| `interactiveMode` Value | Meaning | +| ----------------------- | ------- | +| `Never` | This exec plugin never needs to use standard input, and therefore the exec plugin will be run regardless of whether standard input is available for user input. | +| `IfAvailable` | This exec plugin would like to use standard input if it is available, but can still operate if standard input is not available. Therefore, the exec plugin will be run regardless of whether stdin is available for user input. If standard input is available for user input, then it will be provided to this exec plugin. | +| `Always` | This exec plugin requires standard input in order to run, and therefore the exec plugin will only be run if standard input is available for user input. If standard input is not available for user input, then the exec plugin will not be run and an error will be returned by the exec plugin runner. | To use bearer token credentials, the plugin returns a token in the status of the [`ExecCredential`](/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential) ```json { - "apiVersion": "client.authentication.k8s.io/v1beta1", + "apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential", "status": { "token": "my-bearer-token" @@ -1007,7 +1031,7 @@ RFC3339 timestamp. Presence or absence of an expiry has the following impact: To enable the exec plugin to obtain cluster-specific information, set `provideClusterInfo` on the `user.exec` field in the [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/). -The plugin will then be supplied with an environment variable, `KUBERNETES_EXEC_INFO`. +The plugin will then be supplied this cluster-specific information in the `KUBERNETES_EXEC_INFO` environment variable. Information from this environment variable can be used to perform cluster-specific credential acquisition logic. The following `ExecCredential` manifest describes a cluster information sample. @@ -1026,6 +1050,7 @@ The following `ExecCredential` manifest describes a cluster information sample. "you": ["can", "put", "anything", "here"] } } + "interactive": true } } ```