-
Notifications
You must be signed in to change notification settings - Fork 38.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
External credential providers KEP follow-ups #90817
Comments
Maybe missing something obvious, but having worked for quite some time on a custom exec credential plugin it's not really clear to me how a plugin is meant to communicate failures. Our plugin sends the user to do an interactive MFA, but returning from that the only options are to return either a token or a cert - if the external authentication process returns failures, obligations or anything but a successful response it would make sense to me that I'd be able to pass that along to the exec plugin and have the message displayed in the kubectl output. |
@anderseknert - could you return a non-0 exit code from your plugin? Looks like today that non-0 exit code should tell One question I do have, though, is that since [0] kubernetes/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go Lines 325 to 327 in 7b0d784
[1]
|
Thanks @ankeesler! Yeah, it's been a while since I worked on our plugin but I think we ended up doing something like that but thinking it didn't feel very "native". Good to know that it is. I think it would make a good addition to the docs on the topic as they currently say nothing about dealing with errors. Also, interesting question! |
@anderseknert thanks for your feedback. We really appreciate having real world usage data to help us understand if I think that the KEP fails to outline how to communicate failure correctly. We describe how standard input is used:
And standard output:
But we fail to describe that if // The returned error is nil if the command runs, has no problems
// copying stdin, stdout, and stderr, and exits with a zero exit
// status. then client-go will fail the overall process. We also do not describe that standard error from the plugin is passed through to client-go's standard error. Per Andrew's comment, I am wondering if we should store the standard error output in a buffer and just include it in the returned error instead of directly writing to client-go's standard error. This would give the caller more flexibility on how to print the error. I think an update to the KEP should be made to help provide more clarity here. |
Appreciate hearing that @enj 👍 If I was to write a new exec credential plugin from scratch today I might have done some things differently knowing what I know now, but the idea at the time was to extend an existing company tool that retrieved credentials (ID token) with an This worked fairly well, but a potential problem of kubectl hijacking stdout for everything is that although a terrible practice, some libraries and dependencies may under some circumstances print stuff to stdout. And sometimes, like with us extending an existing app one might not want to change the whole logging logic of that app just for this new use case. AND.. sometimes you even want your app and dependencies to be loud, like when developing and debugging your plugin with the equivalent of |
Yeah that will be part of the doc updates for GA, per the KEP note:
I think part of the issue here is that an exec based model is inherently limited to environment vars + stdin as input, and stdout + stderr as output. Since all these are global to the binary, it is trivial for them to get polluted accidentally. These are probably not the best building blocks for an API, but it is trivial to print a string to stdout, so it made the barrier to entry very small (and it mimics how the GCP plugin works). I think at some level the belief is that you control the binary you are using, so you can make it do anything. In a sense, instead of extending an existing app with the
I think this approach may muddy up the API contract a bit too much. The exec plugin can already basically do anything with stdin and stderr. It seems fair to leave some level of contractual obligation to only emit I think Go locks stdout to a single writer at a time, but I am not sure all languages do this. In particular, I am not sure if it would be possible to get interleaved writes to stdout if you have multiple writers (and buffering). |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Tracking work from kubernetes/enhancements#1711
Not all of these are required for GA
gcp
andazure
authentication optionsv1alpha1
andv1beta1
APIsv1
APIonRotateListWarningLength
warning?v1
/assign
/sig auth
The text was updated successfully, but these errors were encountered: