exec credential provider: v1 documentation #28429
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -836,7 +836,7 @@ rules: | |
|
|
||
| ## client-go credential plugins | ||
|
|
||
| {{< feature-state for_k8s_version="v1.22" state="stable" >}} | ||
|
|
||
| `k8s.io/client-go` and tools using it such as `kubectl` and `kubelet` are able to execute an | ||
| external command to receive user credentials. | ||
|
|
@@ -867,6 +867,8 @@ To authenticate against the API: | |
| Credential plugins are configured through [kubectl config files](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) | ||
| as part of the user fields. | ||
|
|
||
| {{< tabs name="exec_plugin_kubeconfig_example_1" >}} | ||
| {{% tab name="client.authentication.k8s.io/v1" %}} | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Config | ||
|
|
@@ -882,7 +884,81 @@ users: | |
| # The API version returned by the plugin MUST match the version listed here. | ||
| # | ||
| # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1), | ||
| # set an environment variable, pass an argument to the tool that indicates which version the exec plugin expects, | ||
| # or read the version from the ExecCredential object in the KUBERNETES_EXEC_INFO environment variable. | ||
| apiVersion: "client.authentication.k8s.io/v1" | ||
|
|
||
| # Environment variables to set when executing the plugin. Optional. | ||
| env: | ||
| - name: "FOO" | ||
| value: "bar" | ||
|
|
||
| # Arguments to pass when executing the plugin. Optional. | ||
| args: | ||
| - "arg1" | ||
| - "arg2" | ||
|
|
||
| # Text shown to the user when the executable doesn't seem to be present. Optional. | ||
| installHint: | | ||
| example-client-go-exec-plugin is required to authenticate | ||
| to the current cluster. It can be installed: | ||
|
|
||
| On macOS: brew install example-client-go-exec-plugin | ||
|
|
||
| On Ubuntu: apt-get install example-client-go-exec-plugin | ||
|
|
||
| On Fedora: dnf install example-client-go-exec-plugin | ||
|
|
||
| ... | ||
|
|
||
| # Whether or not to provide cluster information, which could potentially contain | ||
| # very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO | ||
| # environment variable. | ||
| provideClusterInfo: true | ||
|
|
||
| # The contract between the exec plugin and the standard input I/O stream. If the | ||
| # contract cannot be satisfied, this plugin will not be run and an error will be | ||
| # returned. Valid values are "Never" (this exec plugin never uses standard input), | ||
| # "IfAvailable" (this exec plugin wants to use standard input if it is available), | ||
| # or "Always" (this exec plugin requires standard input to function). Required. | ||
| interactiveMode: Never | ||
| clusters: | ||
| - name: my-cluster | ||
| cluster: | ||
| server: "https://172.17.4.100:6443" | ||
| certificate-authority: "/etc/kubernetes/ca.pem" | ||
| extensions: | ||
| - name: client.authentication.k8s.io/exec # reserved extension name for per cluster exec config | ||
| extension: | ||
| arbitrary: config | ||
| this: can be provided via the KUBERNETES_EXEC_INFO environment variable upon setting provideClusterInfo | ||
| you: ["can", "put", "anything", "here"] | ||
| contexts: | ||
| - name: my-cluster | ||
| context: | ||
| cluster: my-cluster | ||
| user: my-user | ||
| current-context: my-cluster | ||
| ``` | ||
| {{% /tab %}} | ||
| {{% tab name="client.authentication.k8s.io/v1beta1" %}} | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Config | ||
| users: | ||
| - name: my-user | ||
| user: | ||
| exec: | ||
| # Command to execute. Required. | ||
| command: "example-client-go-exec-plugin" | ||
|
|
||
| # API version to use when decoding the ExecCredentials resource. Required. | ||
| # | ||
| # The API version returned by the plugin MUST match the version listed here. | ||
| # | ||
| # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1), | ||
| # set an environment variable, pass an argument to the tool that indicates which version the exec plugin expects, | ||
| # or read the version from the ExecCredential object in the KUBERNETES_EXEC_INFO environment variable. | ||
| apiVersion: "client.authentication.k8s.io/v1beta1" | ||
|
|
||
| # Environment variables to set when executing the plugin. Optional. | ||
|
|
@@ -912,6 +988,14 @@ users: | |
| # very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO | ||
| # environment variable. | ||
| provideClusterInfo: true | ||
|
|
||
| # The contract between the exec plugin and the standard input I/O stream. If the | ||
| # contract cannot be satisfied, this plugin will not be run and an error will be | ||
| # returned. Valid values are "Never" (this exec plugin never uses standard input), | ||
| # "IfAvailable" (this exec plugin wants to use standard input if it is available), | ||
| # or "Always" (this exec plugin requires standard input to function). Optional. | ||
| # Defaults to "IfAvailable". | ||
| interactiveMode: Never | ||
| clusters: | ||
| - name: my-cluster | ||
| cluster: | ||
|
|
@@ -930,6 +1014,8 @@ contexts: | |
| user: my-user | ||
| current-context: my-cluster | ||
| ``` | ||
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| Relative command paths are interpreted as relative to the directory of the config file. If | ||
| KUBECONFIG is set to `/home/jane/kubeconfig` and the exec command is `./bin/example-client-go-exec-plugin`, | ||
|
|
@@ -941,21 +1027,53 @@ the binary `/home/jane/bin/example-client-go-exec-plugin` is executed. | |
| exec: | ||
| # Path relative to the directory of the kubeconfig | ||
| command: "./bin/example-client-go-exec-plugin" | ||
| apiVersion: "client.authentication.k8s.io/v1" | ||
| interactiveMode: Never | ||
| ``` | ||
|
|
||
| ### Input and output formats | ||
|
|
||
| The executed command prints an `ExecCredential` object to `stdout`. `k8s.io/client-go` | ||
| authenticates against the Kubernetes API using the returned credentials in the `status`. | ||
| The executed command is passed an `ExecCredential` object as input via the `KUBERNETES_EXEC_INFO` | ||
| environment variable. This input contains helpful information like the expected API version | ||
| of the returned `ExecCredential` object and whether or not the plugin can use `stdin` to interact | ||
| with the user. | ||
|
|
||
| When run from an interactive session (i.e., a terminal), `stdin` can be exposed directly | ||
| to the plugin. Plugins should use the `spec.interactive` field of the input | ||
| `ExecCredential` object from the `KUBERNETES_EXEC_INFO` environment variable in order to | ||
| determine if `stdin` has been provided. A plugin's `stdin` requirements (i.e., whether | ||
| `stdin` is optional, strictly required, or never used in order for the plugin | ||
| to run successfully) is declared via the `user.exec.interactiveMode` field in the | ||
| [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) (see table | ||
| below for valid values). The `user.exec.interactiveMode` field is optional in `client.authentication.k8s.io/v1beta1` | ||
| and required in `client.authentication.k8s.io/v1`. | ||
|
|
||
| {{< table caption="interactiveMode values" >}} | ||
| | `interactiveMode` Value | Meaning | | ||
|
There was a problem hiding this comment. @PI-Victor do you know of a way that I can ensure that this table renders without splitting words on different lines? There was a problem hiding this comment. sorry i missed this, @sftim have any idea on this one? does it need some special css code to fix this? There was a problem hiding this comment. Ah, HTML table layout. I would raise a separate issue about the rendering and label it area/web-development. There was a problem hiding this comment. raised issue here: #28815 unfortunately couldn't coax the bot into applying the area/web-development...perhaps someone can enlighten me |
||
| | ----------------------- | ------- | | ||
| | `Never` | This exec plugin never needs to use standard input, and therefore the exec plugin will be run regardless of whether standard input is available for user input. | | ||
| | `IfAvailable` | This exec plugin would like to use standard input if it is available, but can still operate if standard input is not available. Therefore, the exec plugin will be run regardless of whether stdin is available for user input. If standard input is available for user input, then it will be provided to this exec plugin. | | ||
| | `Always` | This exec plugin requires standard input in order to run, and therefore the exec plugin will only be run if standard input is available for user input. If standard input is not available for user input, then the exec plugin will not be run and an error will be returned by the exec plugin runner. | | ||
| {{< /table >}} | ||
|
|
||
| To use bearer token credentials, the plugin returns a token in the status of the | ||
| [`ExecCredential`](/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential) | ||
|
|
||
| {{< tabs name="exec_plugin_ExecCredential_example_1" >}} | ||
| {{% tab name="client.authentication.k8s.io/v1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1", | ||
|
There was a problem hiding this comment. multiple tabs for examples in different versions |
||
| "kind": "ExecCredential", | ||
| "status": { | ||
| "token": "my-bearer-token" | ||
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{% tab name="client.authentication.k8s.io/v1beta1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
|
|
@@ -965,6 +1083,8 @@ To use bearer token credentials, the plugin returns a token in the status of the | |
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| Alternatively, a PEM-encoded client certificate and key can be returned to use TLS client auth. | ||
| If the plugin returns a different certificate and key on a subsequent call, `k8s.io/client-go` | ||
|
|
@@ -974,6 +1094,20 @@ If specified, `clientKeyData` and `clientCertificateData` must both must be pres | |
|
|
||
| `clientCertificateData` may contain additional intermediate certificates to send to the server. | ||
|
|
||
| {{< tabs name="exec_plugin_ExecCredential_example_2" >}} | ||
| {{% tab name="client.authentication.k8s.io/v1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1", | ||
| "kind": "ExecCredential", | ||
| "status": { | ||
| "clientCertificateData": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----", | ||
| "clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----" | ||
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{% tab name="client.authentication.k8s.io/v1beta1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
|
|
@@ -984,6 +1118,8 @@ If specified, `clientKeyData` and `clientCertificateData` must both must be pres | |
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| Optionally, the response can include the expiry of the credential formatted as a | ||
| RFC3339 timestamp. Presence or absence of an expiry has the following impact: | ||
|
|
@@ -994,6 +1130,20 @@ RFC3339 timestamp. Presence or absence of an expiry has the following impact: | |
| - If an expiry is omitted, the bearer token and TLS credentials are cached until | ||
| the server responds with a 401 HTTP status code or until the process exits. | ||
|
|
||
| {{< tabs name="exec_plugin_ExecCredential_example_3" >}} | ||
| {{% tab name="client.authentication.k8s.io/v1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1", | ||
| "kind": "ExecCredential", | ||
| "status": { | ||
| "token": "my-bearer-token", | ||
| "expirationTimestamp": "2018-03-05T17:30:20-08:00" | ||
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{% tab name="client.authentication.k8s.io/v1beta1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
|
|
@@ -1004,14 +1154,38 @@ RFC3339 timestamp. Presence or absence of an expiry has the following impact: | |
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| To enable the exec plugin to obtain cluster-specific information, set `provideClusterInfo` on the `user.exec` | ||
| field in the [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/). | ||
| The plugin will then be supplied this cluster-specific information in the `KUBERNETES_EXEC_INFO` environment variable. | ||
| Information from this environment variable can be used to perform cluster-specific | ||
| credential acquisition logic. | ||
| The following `ExecCredential` manifest describes a cluster information sample. | ||
|
|
||
| {{< tabs name="exec_plugin_ExecCredential_example_4" >}} | ||
| {{% tab name="client.authentication.k8s.io/v1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1", | ||
| "kind": "ExecCredential", | ||
| "spec": { | ||
| "cluster": { | ||
| "server": "https://172.17.4.100:6443", | ||
| "certificate-authority-data": "LS0t...", | ||
| "config": { | ||
| "arbitrary": "config", | ||
| "this": "can be provided via the KUBERNETES_EXEC_INFO environment variable upon setting provideClusterInfo", | ||
| "you": ["can", "put", "anything", "here"] | ||
| } | ||
| }, | ||
| "interactive": true | ||
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{% tab name="client.authentication.k8s.io/v1beta1" %}} | ||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
|
|
@@ -1025,12 +1199,14 @@ The following `ExecCredential` manifest describes a cluster information sample. | |
| "this": "can be provided via the KUBERNETES_EXEC_INFO environment variable upon setting provideClusterInfo", | ||
| "you": ["can", "put", "anything", "here"] | ||
| } | ||
| }, | ||
| "interactive": true | ||
| } | ||
| } | ||
| ``` | ||
| {{% /tab %}} | ||
| {{< /tabs >}} | ||
|
|
||
| ## {{% heading "whatsnext" %}} | ||
|
|
||
| * Read the [client authentication reference (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when we have multiple versions available, we've added per-version examples in tabs
see https://github.com/kubernetes/website/blame/master/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md#L98 as an example
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i went ahead and added tabs for all of the non-trivial API objects.
6a3abda