proposal: external client-go auth providers #1503
Conversation
k8s-ci-robot
added
size/L
|
@kubernetes/sig-cli-proposals |
k8s-ci-robot
added
the
sig/cli
|
@kubernetes/sig-api-machinery-proposals for client-go |
k8s-ci-robot
added
the
sig/api-machinery
| // UpdateTransportConfig updates a config by adding a transport wrapper, | ||
| // setting a bearer token (should ignore if one is already set), or adding | ||
| // TLS client certificate credentials. | ||
| UpdateTransportConfig(c *transport.Config) |
There was a problem hiding this comment.
is this called just once at process start?
There was a problem hiding this comment.
Yes, but it can still instrument or wrap the transport. Will add a comment.
|
|
||
| # Proposal | ||
|
|
||
| This proposal builds off of earlier requests to [support exec-based plugins]( |
There was a problem hiding this comment.
In terms of encouraging good behaviors, does having an exec option encourage providers to bypass greater user transparency, cross-compatibility and standardization via plugging in some executable? As opposed to making their auth compatible with OIDC or something (assuming client-go/kubectl handles tokens and refreshing them properly)
There was a problem hiding this comment.
I've seen more people willing to wrap kubectl then implement OIDC (or ask their IdP to implement OIDC). The goal of this feature is to ensure users use kubectl the same way, which I think is worth the trade-off.
I still think there's still incentive to implement an open standard to not require an exec plugin. I even floated the idea of a "generic oauth2" provider a while back kubernetes/kubernetes#35530 (comment)
There was a problem hiding this comment.
Long story short, for EKS we would very much appreciate not having to conform to OIDC and being able to exec a binary (specifically heptio authenticator).
| Name string `json:"name"` | ||
| Config map[string]string `json:"config"` | ||
|
|
||
| // Exec should only be provided if Name and Config aren't. |
There was a problem hiding this comment.
If Exec and (Name,Config) are mutually exclusive, would it make more sense to move the Exec config up a level to AuthInfo instead? It makes some sense to me to add a "dynamic" token (or cert) option along side Token and TokenFile.
I don't mean to over complicate the issue, it just seems a bit complicated from a user's perspective. It would make more sense to me if either this were its own named auth provider (e.g. Name: "exec"), moved out of the auth provider section, or allowed to specify a named auth provider as well with some sort of defined login on how that case is handled.
There was a problem hiding this comment.
Agreed this is an awkward place. I'll move it a level up.
| args: ["token", "-i", "(CLUSTER_ID)", "-r", "(ROLE_ARN)"] | ||
| ``` | ||
|
|
||
| ## TLS client certificate support |
There was a problem hiding this comment.
This seems like a related but separate change from the executable plugin. It is not necessary to break it out into its own proposal but I wanted to note that one does not block the other from moving forward.
There was a problem hiding this comment.
Thanks, added a comment.
|
|
||
| # Objective | ||
|
|
||
| This document describes a credential rotation strategy for kubectl and client-go |
There was a problem hiding this comment.
Just wanted to call out that we would like to be able to use this for kube-proxy and kubelet as well, to authenticate nodes with AWS IAM credentials.
There was a problem hiding this comment.
Can you expand a little on that? Why would you want to give kube-proxy IAM credentials to talk to the API server instead of a regular service account?
There was a problem hiding this comment.
if it's supported by client-go, then kubeproxy and kubelet would pick it up automatically (though kubelet would not be able to take advantage of the nodeauthorizer/noderestriction components unless an IAM-to-node-name mapping could be determined)
There was a problem hiding this comment.
The stress on kubectl in this proposal is a bit misleading. The change would necessarily be in client-go, thus supported by any component that installs the plugin. Why call out kubectl in the title? Why not just discuss kubectl specifically in the login section?
There was a problem hiding this comment.
Why call out kubectl?
Most of the use cases I was thinking about were about kubectl users. But you're right this should be more general to client-go.
There was a problem hiding this comment.
@ericchiang, our node identity is essentially IAM credentials that are present on the node, so it makes sense to us to use those directly for authentication. If its already in client-go, why not use it?
There was a problem hiding this comment.
@liggitt Right, the heptio authenticator provides the ability to map IAM role to node name.
There was a problem hiding this comment.
@liggitt Right, the heptio authenticator provides the ability to map IAM role to node name.
ah, great
|
|
||
| This document describes a credential rotation strategy for kubectl and client-go | ||
| using an exec-based plugin mechanism. | ||
|
|
There was a problem hiding this comment.
I am a bit concern about the complexity which this approach will bring, that I my opinion shades the benefits. The kubectl is currently self-contained and can be easily installed. One will need to install and to configure an additional authenticator tool in multiple machines maybe with different operating systems. Also there are case when people uses parallel cloud providers, they will need to install an additional tool for each of them. I imagine that the authenticator will require its own configuration separated from kubectl.
From security perspective, it will get more complicated to secure the entire setup. An attacker can leverage in certain scenarios (e.g wrong permissions + client credential flow) the authenticator tool to get access to the entire cluster.
There was a problem hiding this comment.
I don't think having every IdP integration compiled into kubectl is going to scale. This is in-line with other efforts around kubernetes/kubernetes to move cloud provider, or other kind of external project specific integrations, out of core in favor of extension points.
Additionally, sig-auth often doesn't have the expertise to maintain or comment on the security soundness of integrations with system's we're not familiar with. There are trade-offs, but I don't think today's situation is a good place for these plugins.
There's a bigger conversation here about what to do with the existing in-tree plugins, but I think that's going to have to come after we introduce an extension point.
There was a problem hiding this comment.
It sounds good. Hopefully the use will not be overwhelm by the number of external authenticators.
| proposes that we should add this as a first-class feature of kubectl. Specifically, | ||
| kubectl (and client-go) should be able to receive credentials by executing a | ||
| command and reading that command's stdout. | ||
|
|
There was a problem hiding this comment.
The format of the output must be defined to ensure interoperability between kubectl/client-go and the external authenticator. I guess a JSON schema with a version would be sufficient. This could prevent cases when the authentication could be broken by a change on the kubectl/client-go side.
There was a problem hiding this comment.
Alternatively we support jsonpath and integrator define their own scheme. I'm not sure if it's better but we do this in the gcp plugin today: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go#L77-L84
There was a problem hiding this comment.
I think @cosmincojocar is talking about using a structured, versioned API so we can ask for additional data beside the credentials in the future.
Do we really need versioned output? Do we expect the tool to pass things like expiry to us? I expected just printing the bearer token to be sufficient. We expect some of these tools to not know anything about kubectl.
If we don't go with a structured stdout API, I'd be in favor of some way of parsing the output like jsonpath.
There was a problem hiding this comment.
Or maybe get directly in the output a base64 encoded JWT.
There was a problem hiding this comment.
Do you plan to cache the token on kubectl/client-go side and invoke the external authenticator only when the token is about to expire? Or do you want to invoke the external authenticator every time a token is required?
I think, the authenticator can persist its tokens in a file after the initial authentication, especially in the case when the refresh token is supported. It can execute later on only the refresh flow when the token is close to the expiration.
I suspect that there are authenticators which do not support the refresh flow (e.g. client credentials). In that case it will request a new token from IdP instead of refresh it. Also in this case a sort of caching will be helpful in order to avoid overwhelming the IdP.
I know that these details are up to the authenticator implementation, but they will have an impact in the kubectl/client-go performance and reliability.
There was a problem hiding this comment.
For kubectl, I'd rather leave it up to the external authenticator to handle persisting tokens in a file. Some might not want the token to be saved to disk or need other special handling for their credentials.
There's room for better cache/refresh handling in general but I don't think it needs to be directly coupled to this change.
There was a problem hiding this comment.
Added some comments on why we went for an unversioned output.
| specification supported but a subset of vendors (OpenID Connect). | ||
|
|
||
| External tools that do rotation generally have to be called on a regular bases in | ||
| case the current credentials have expired, which leads to wrapping `kubectl` with |
There was a problem hiding this comment.
This is not required if the refresh token login is built into the plugin. For instance Azure Active Directory plugin does this without any external wrapping see: https://github.com/kubernetes/client-go/blob/1b75876d45719a84085528ee621939b0c68a4b85/plugin/pkg/client/auth/azure/azure.go#L276
There was a problem hiding this comment.
We would like to be able to support refreshing credentials for additional providers who do not have a plugin compiled in. It's not feasible to require every new provider or enterprise with custom tooling to submit a PR to kubernetes and we would like to discourage forking or wrapping kubectl in an alias as is often currently done. (not to say this proposal is not the only solution to this problem)
| either by opening a browser, or performing a text based prompt. | ||
|
|
||
| We should take care that interactive stderr and stdin are correctly | ||
| inherited by the sub-process to enable this kind of interaction. |
There was a problem hiding this comment.
How would you distinguish between the cases when the authenticator process hangs or waits for the user input (e.g. interactive flow)? I guess a sort of execution timeout of the subprocess is required. On the other hand, kubectl has more control over this in case of a plugin.
There was a problem hiding this comment.
I'd like to start with the subprocess implementing this logic and present appropriate feedback.
If this is interactive, the user will likely CTRL+c the execution anyway.
There was a problem hiding this comment.
Made this clear.
|
/cc @perotinus I'm interested in following along with this for the cluster registry. We had discussed using the cluster registry to provide a way to bootstrap |
|
/uncc @perotinus |
ericchiang
force-pushed
the
external-auth-providers
branch
from
76938f5 to
2a2f8f7
Compare
|
Proposal updated to address feedback. |
|
|
||
| # Motivation | ||
|
|
||
| Kubernetes clients can provide three kind of credentials: bearer tokens, TLS |
| https://github.com/kubernetes/client-go/blob/kubernetes-1.9.0/plugin/pkg/client/auth/gcp/gcp.go#L230) | ||
| and parses the output using JSONPath. | ||
|
|
||
| In the future, client-go may write versioned data to the plugin's stdin to pass |
There was a problem hiding this comment.
Just realized that this section conflicts with the login section. They both need to read from stdin. I need to remove it.
ericchiang
changed the title
ericchiang
force-pushed
the
external-auth-providers
branch
from
2a2f8f7 to
c2da875
Compare
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
| makes it hard to express things like a list of arguments or list key/value environment | ||
| variables. As such, `AuthInfo` should add another field which expresses the `exec` | ||
| config. This has the benefit of a more natural structure, but the trade-off of not being | ||
| compatible with the existing `kubectl config set-credentials` implementation. |
There was a problem hiding this comment.
Is there any way today to use kubectl to write below config into ~/.kube/config?
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. client-go: add an exec-based client auth provider Updates kubernetes/enhancements#541 Implements kubernetes/community#1503 Closes kubernetes/kubernetes#57164 ```release-note client-go: alpha support for exec-based credential providers ``` /sig auth /kind feature Kubernetes-commit: cb9d6b51556a1677f262e35e4aded0051c424818
…iders proposal: external client-go auth providers
Updates kubernetes/kubernetes#55968
Updates kubernetes/kubernetes#14362
cc @kubernetes/sig-auth-proposals
cc @mattmoyer
cc @ericavonb