Include stderr in cred provider plugin errors #117448

Merged

@cartermckinnon cartermckinnon commented Apr 18, 2023

What type of PR is this?

/kind feature

This is a small quality-of-life thing.

What this PR does / why we need it:

This PR includes stderr in the error returned after failing to invoke a credential provider exec plugin. Failure in these external plugins (due to mismatched apiVersion, for example) currently only results in a generic log line:

plugin.go:233] Failed getting credential from external registry credential provider: error execing credential provider plugin foo for image bar: exit status 1

After this PR, the message will include more details. For example:

plugin.go:233] Failed getting credential from external registry credential provider: error execing credential provider plugin foo for image bar: exit status 1: E0418 06:12:14.490885   14903 main.go:161] Error running credential provider plugin: group version credentialprovider.kubelet.k8s.io/v1beta1 is not supported

Determining why a credential provider plugin failed is otherwise somewhat obtuse. I've done this by placing a logging shim between kubelet and the provider, but this PR makes such an effort unnecessary.

Which issue(s) this PR fixes:

N/A

Special notes for your reviewer:

While the credential provider does return secrets via standard output, which should never be logged by kubelet -- secrets should not be logged to standard error. If we need to explicitly document this in the credential provider contract, we can do that.

Does this PR introduce a user-facing change?

External credential provider plugins now have their standard error output logged by kubelet upon failures.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

N/A
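
The behaviour this PR describes, as an added Go example (not kubelet's code): the plugin's stdout and stderr are captured separately, and on a non-zero exit only stderr is attached to the returned error, so the response on stdout, which carries the credentials, never reaches the log. The names `runPlugin`, `sanitize` and `maxStderr`, the size cap, and the `sh` one-liner standing in for a plugin are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"strings"
)

// maxStderr caps how much plugin stderr is copied into the error (assumed limit).
const maxStderr = 1024

// runPlugin execs a credential-provider-style plugin: request on stdin,
// response (which carries secrets) on stdout, diagnostics on stderr.
func runPlugin(ctx context.Context, bin string, args []string, request []byte) ([]byte, error) {
	var stdout, stderr bytes.Buffer
	cmd := exec.CommandContext(ctx, bin, args...)
	cmd.Stdin = bytes.NewReader(request)
	cmd.Stdout, cmd.Stderr = &stdout, &stderr

	if err := cmd.Run(); err != nil {
		// Only stderr is attached; stdout may hold credentials and is dropped.
		return nil, fmt.Errorf("error execing credential provider plugin %s: %w: %s",
			bin, err, sanitize(stderr.String()))
	}
	return stdout.Bytes(), nil
}

// sanitize flattens plugin stderr to a single log line and truncates it.
func sanitize(s string) string {
	s = strings.Join(strings.Fields(s), " ")
	if len(s) > maxStderr {
		s = s[:maxStderr] + "...(truncated)"
	}
	return s
}

func main() {
	// Constructed stand-in plugin: fake secret on stdout, reason on stderr, exit 1.
	script := `echo '{"password":"s3cret"}'; echo 'group version v1beta1 is not supported' >&2; exit 1`
	_, err := runPlugin(context.Background(), "sh", []string{"-c", script}, nil)
	fmt.Println(err)
}
```

Because `%w` wraps the original error, callers can still recover the `*exec.ExitError` with `errors.As` while the log line gains the plugin's own explanation.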

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 18, 2023
@k8s-ci-robot

@cartermckinnon: The label(s) kind/(?) cannot be applied, because the repository doesn't have them.

In response to this:

What type of PR is this?

/kind feature (?)


@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 18, 2023
@k8s-ci-robot

Hi @cartermckinnon. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Apr 18, 2023
@dims

dims commented May 3, 2023

one line fix to pass through an err, happy to land this.

/ok-to-test
/approve
/lgtm
/sig node

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 3, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 3, 2023
@k8s-ci-robot

LGTM label has been added.

Git tree hash: fedd000fde3c45cf031e68470e622c268d5efbbe

@dims

dims commented May 3, 2023

/priority important-soon
/triage accepted

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cartermckinnon, dims


@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 3, 2023
@bart0sh bart0sh added this to Triage in SIG Node PR Triage May 3, 2023
@k8s-ci-robot k8s-ci-robot merged commit 44e3306 into kubernetes:master May 3, 2023
12 checks passed
SIG Node PR Triage automation moved this from Triage to Done May 3, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone May 3, 2023
@cartermckinnon cartermckinnon deleted the cred-provider-stderr branch May 9, 2023 20:50