Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix env variables to include existing environment variables, then override #246

Merged
merged 1 commit into from May 24, 2019
Merged

Fix env variables to include existing environment variables, then override #246

merged 1 commit into from May 24, 2019

Conversation

brendandburns
Copy link
Contributor

Fixes #243

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 20, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 20, 2019
drubin
drubin reviewed May 20, 2019
View reviewed changes
Copy link
Contributor

@drubin drubin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this is really expected behaviour? Obviously this fixes the bug (we should also add a test for it)

This running locally on a developer's laptop might make sense but do we really want to pass the servers env to commands?

Just a question I can see this leading some security issue later down the line.... Where by this library is exposing env.

@michaelgeorgeattard
Copy link

I am trying to understand the fix.

From what I understand, the environment variables are being read from process.env. Is this the expected behavior or should we read from kube config instead?

@drubin
Copy link
Contributor

drubin commented May 21, 2019

@michaelgeorgeattard #243 (comment)

So it is passing your existing env variables from your current shell/process to the command in addition to the ones defined in the kubeconfig.

It is merging the current proccess.env with the ones from the kubeconfig (kubeconfig having higher precedence) which should fix the issue.

@brendandburns
Copy link
Contributor Author

@drubin this is yet another undocumented part of Kubeconfig handling...

When we look at the original go code for this, this is what they are doing.

The override is here:
https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go#L290

And the loading in of the shell's environment variables is here:
https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go#L133

So whether this is secure or not, this is the current (and expected) behavior.

I'm actually not sure there's a security problem, since these aren't sent to the server, they're only used to invoke the shell executable that returns the security token.

@drubin
Copy link
Contributor

drubin commented May 23, 2019

It's trivial and lgtm but would prefer if we had a test but feel free to Merge if adding a test is too difficult.

@drubin
Copy link
Contributor

drubin commented May 23, 2019

Also thanks for the awesome detailed reply and I fully agree we should stick expected behaviour.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 24, 2019
@brendandburns
Copy link
Contributor Author

@drubin test added. took more work than it should have, but the next one will be easier :)

@drubin
Copy link
Contributor

drubin commented May 24, 2019

@brendanburns your linting is off again, but thanks so much for adding a test!

The tests pass so /lgtm but you need to fix the linting but if that's the only change I am fine with merging once the linter passes.

Maybe we should add husky as a pre-push check to include the tests and linting? it seems like this happens often.

@brendandburns
Copy link
Contributor Author

@drubin this is what I get for working on an airplane via 'vi'

I'd be happy to see a pre-push check :)

Oh, and I fixed the lint issues :)

@drubin
Copy link
Contributor

drubin commented May 24, 2019

/lgtm

Sorry about the back and forth will try setup pre commit hooks soon

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 24, 2019
@k8s-ci-robot k8s-ci-robot merged commit 375e92f into kubernetes-client:master May 24, 2019
@snyk-bot snyk-bot mentioned this pull request Apr 23, 2020
Closed
@brendandburns brendandburns deleted the env branch July 8, 2020 19:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drubin drubin drubin left review comments

@itowlson itowlson Awaiting requested review from itowlson

Assignees

@drubin drubin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws-iam-authenticator not found when kube config contains exec env variables
4 participants
@brendandburns @k8s-ci-robot @michaelgeorgeattard @drubin