exec credential provider: v1 documentation #28429
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
👷 Deploy Preview for kubernetes-io-vnext-staging processing. 🔨 Explore the source changes: a30e63d 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/60eda78e8ab3f60007f4af52 |
k8s-ci-robot
added
sig/docs
ankeesler
force-pushed
the
exec-credential-v1
branch
2 times, most recently
from
1bda5d9
to
0cfc62d
Compare
| apiVersion: "client.authentication.k8s.io/v1beta1" | ||
| # set an environment variable, pass an argument to the tool that indicates which version the exec plugin expects, | ||
| # or read the version from the ExecCredential object in the KUBERNETES_EXEC_INFO environment variable. | ||
| apiVersion: "client.authentication.k8s.io/v1" |
There was a problem hiding this comment.
when we have multiple versions available, we've added per-version examples in tabs
see https://github.com/kubernetes/website/blame/master/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md#L98 as an example
There was a problem hiding this comment.
i went ahead and added tabs for all of the non-trivial API objects.
| # returned. Valid values are "Never" (this exec plugin never uses standard input), | ||
| # "IfAvailable" (this exec plugin wants to use standard input if it is available), | ||
| # or "Always" (this exec plugin requires standard input to function). Required. | ||
| interactiveMode: IfAvailable |
There was a problem hiding this comment.
I assume people will copy/paste this example blindly, and interactive credential plugins are perhaps not the ideal... would it make sense to make the example be "Never"?
There was a problem hiding this comment.
ok, i can get on board with interactive credential plugins are perhaps not the ideal. maybe s/ideal/the norm/? i originally had IfAvailable because it was the default in v1beta1, but i think your argument makes sense. 5c22507
| apiVersion: "client.authentication.k8s.io/v1" | ||
| interactiveMode: IfAvailable |
There was a problem hiding this comment.
same comment about multiple version examples in tabs, and making the default example use "Never"
| to the plugin. Plugins should use the `spec.interactive` field of the input | ||
| `ExecCredential` object from the `KUBERNETES_EXEC_INFO` environment variable in order to | ||
| determine if `stdin` has been provided. A plugin's `stdin` requirements (i.e., whether | ||
| `stdin` is optional, strictly required, or strictly not required in order for the plugin |
There was a problem hiding this comment.
"strictly not required" reads weirdly... maybe "never used"?
There was a problem hiding this comment.
validated "never used" with a couple of other people, so i went with that. c06d8ff
|
|
||
| To use bearer token credentials, the plugin returns a token in the status of the | ||
| [`ExecCredential`](/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential) | ||
|
|
||
| ```json | ||
| { | ||
| "apiVersion": "client.authentication.k8s.io/v1beta1", | ||
| "apiVersion": "client.authentication.k8s.io/v1", |
There was a problem hiding this comment.
multiple tabs for examples in different versions
| @@ -1026,6 +1050,7 @@ The following `ExecCredential` manifest describes a cluster information sample. | |||
| "you": ["can", "put", "anything", "here"] | |||
| } | |||
| } | |||
There was a problem hiding this comment.
wow, good catch; 7d5a81b
|
/assign |
k8s-ci-robot
added
size/L
ankeesler
force-pushed
the
exec-credential-v1
branch
2 times, most recently
from
297c8aa
to
6a3abda
Compare
| [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) (see table | ||
| below for valid values). | ||
|
|
||
| | `interactiveMode` Value | Meaning | |
There was a problem hiding this comment.
@PI-Victor do you know of a way that I can ensure that this table renders without splitting words on different lines?
There was a problem hiding this comment.
sorry i missed this, @sftim have any idea on this one? does it need some special css code to fix this?
There was a problem hiding this comment.
Ah, HTML table layout.
I would raise a separate issue about the rendering and label it area/web-development.
There was a problem hiding this comment.
raised issue here: #28815
unfortunately couldn't coax the bot into applying the area/web-development...perhaps someone can enlighten me
|
content lgtm, though hold for v1 API merge |
|
v1 API has merged - kubernetes/kubernetes#102890 |
| [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) (see table | ||
| below for valid values). | ||
|
|
||
| | `interactiveMode` Value | Meaning | |
|
to quote an ex-team lead, i think we beat this one to death. @ankeesler i see there are no more PRs for this enhancement and it's not marked as 'At Risk' do you still have any more work for this or can you squash so we can merge it? |
ankeesler
force-pushed
the
exec-credential-v1
branch
from
cbbded0
to
c83eb20
Compare
|
i have no more work associated with this enhancement - i have squashed into one commit. thanks for keeping this moving forward. |
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
ankeesler
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
per issue #28013 we could also document that kubeconfig exec has a security risk,
and emphasize that this risk is present whenever you use a config from an untrusted source without checking it
That improvement is not required for this PR to merge.
| `ExecCredential` object from the `KUBERNETES_EXEC_INFO` environment variable in order to | ||
| determine if `stdin` has been provided. A plugin's `stdin` requirements (i.e., whether | ||
| `stdin` is optional, strictly required, or never used in order for the plugin | ||
| to run successfully) must be declared via the `user.exec.interactiveMode` field in the |
There was a problem hiding this comment.
Should this note that the "must" is only true for the v1 API?
There was a problem hiding this comment.
gave this a go here e4653f1
|
|
||
| To use bearer token credentials, the plugin returns a token in the status of the | ||
| [`ExecCredential`](/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential) | ||
| {{< /table >}} |
There was a problem hiding this comment.
Er, should this be higher up in the doc right after the table ends?
There was a problem hiding this comment.
whoops. fbe3f67
|
@sftim i'm considering your comment above about adding something in the docs about #28013. appreciate you calling that out. @enj do you have an opinion on whether we should add something in this PR for the above doc issue? my gut feel was to keep the PR specifically targeted at GA stuff on the grounds that smaller PRs are usually better. |
+1 to keeping this PR targeted at GA stuff with a follow-up PR to add docs around not running kubeconfigs from untrusted sources. Feel free to squash, this PR looks ready to me. |
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
ankeesler
force-pushed
the
exec-credential-v1
branch
from
e4653f1
to
a30e63d
Compare
|
cool, thanks @enj. PR hath been squashed |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 515d5b71a372a3f9349c53f5a0f814313a857ca3
|
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: PI-Victor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Adds documentation for client-go credential plugin GA version.
KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/541-external-credential-providers