exec credential provider: ProvideClusterInfo and kubeconfig shadow

- The main idea here is that we want to 1) prevent potentially large CA bundles from being set in an exec plugin's environment and 2) ensure that the exec plugin is getting everything it needs in order to talk to a cluster. - Avoid breaking existing manual declarations of rest.Config instances by moving exec Cluster to kubeconfig internal type. - Use client.authentication.k8s.io/exec to qualify exec cluster extension. - Deep copy the exec Cluster.Config when we copy a rest.Config. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Kubernetes-commit: c4299d15d5289768808034676858e76a177eeae5
2025-09-25 06:24:59 +00:00 · 2020-10-29 13:38:42 -04:00
parent eb15c10113
commit a7ba87c612
22 changed files with 822 additions and 174 deletions
--- a/tools/clientcmd/api/types.go
+++ b/tools/clientcmd/api/types.go
@@ -215,6 +215,36 @@ type ExecConfig struct {
 	// present. For example, `brew install foo-cli` might be a good InstallHint for
 	// foo-cli on Mac OS systems.
 	InstallHint string `json:"installHint,omitempty"`
+
+	// ProvideClusterInfo determines whether or not to provide cluster information,
+	// which could potentially contain very large CA data, to this exec plugin as a
+	// part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set
+	// to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for
+	// reading this environment variable.
+	ProvideClusterInfo bool `json:"provideClusterInfo"`
+
+	// Config holds additional config data that is specific to the exec
+	// plugin with regards to the cluster being authenticated to.
+	//
+	// This data is sourced from the clientcmd Cluster object's extensions[exec] field:
+	//
+	// clusters:
+	// - name: my-cluster
+	//   cluster:
+	//     ...
+	//     extensions:
+	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
+	//       extension:
+	//         audience: 06e3fbd18de8  # arbitrary config
+	//
+	// In some environments, the user config may be exactly the same across many clusters
+	// (i.e. call this exec plugin) minus some details that are specific to each cluster
+	// such as the audience.  This field allows the per cluster config to be directly
+	// specified with the cluster info.  Using this field to store secret data is not
+	// recommended as one of the prime benefits of exec plugins is that no secrets need
+	// to be stored directly in the kubeconfig.
+	// +k8s:conversion-gen=false
+	Config runtime.Object
 }

 var _ fmt.Stringer = new(ExecConfig)
@@ -237,7 +267,11 @@ func (c ExecConfig) String() string {
 	if len(c.Env) > 0 {
 		env = "[]ExecEnvVar{--- REDACTED ---}"
 	}
-	return fmt.Sprintf("api.AuthProviderConfig{Command: %q, Args: %#v, Env: %s, APIVersion: %q}", c.Command, args, env, c.APIVersion)
+	config := "runtime.Object(nil)"
+	if c.Config != nil {
+		config = "runtime.Object(--- REDACTED ---)"
+	}
+	return fmt.Sprintf("api.ExecConfig{Command: %q, Args: %#v, Env: %s, APIVersion: %q, ProvideClusterInfo: %t, Config: %s}", c.Command, args, env, c.APIVersion, c.ProvideClusterInfo, config)
 }

 // ExecEnvVar is used for setting environment variables when executing an exec-based
--- a/tools/clientcmd/api/v1/types.go
+++ b/tools/clientcmd/api/v1/types.go
@@ -214,6 +214,13 @@ type ExecConfig struct {
 	// present. For example, `brew install foo-cli` might be a good InstallHint for
 	// foo-cli on Mac OS systems.
 	InstallHint string `json:"installHint,omitempty"`
+
+	// ProvideClusterInfo determines whether or not to provide cluster information,
+	// which could potentially contain very large CA data, to this exec plugin as a
+	// part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set
+	// to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for
+	// reading this environment variable.
+	ProvideClusterInfo bool `json:"provideClusterInfo"`
 }

 // ExecEnvVar is used for setting environment variables when executing an exec-based
--- a/tools/clientcmd/api/v1/zz_generated.conversion.go
+++ b/tools/clientcmd/api/v1/zz_generated.conversion.go
@@ -171,7 +171,15 @@ func autoConvert_v1_AuthInfo_To_api_AuthInfo(in *AuthInfo, out *api.AuthInfo, s
 	out.Username = in.Username
 	out.Password = in.Password
 	out.AuthProvider = (*api.AuthProviderConfig)(unsafe.Pointer(in.AuthProvider))
-	out.Exec = (*api.ExecConfig)(unsafe.Pointer(in.Exec))
+	if in.Exec != nil {
+		in, out := &in.Exec, &out.Exec
+		*out = new(api.ExecConfig)
+		if err := Convert_v1_ExecConfig_To_api_ExecConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Exec = nil
+	}
 	if err := Convert_Slice_v1_NamedExtension_To_Map_string_To_runtime_Object(&in.Extensions, &out.Extensions, s); err != nil {
 		return err
 	}
@@ -197,7 +205,15 @@ func autoConvert_api_AuthInfo_To_v1_AuthInfo(in *api.AuthInfo, out *AuthInfo, s
 	out.Username = in.Username
 	out.Password = in.Password
 	out.AuthProvider = (*AuthProviderConfig)(unsafe.Pointer(in.AuthProvider))
-	out.Exec = (*ExecConfig)(unsafe.Pointer(in.Exec))
+	if in.Exec != nil {
+		in, out := &in.Exec, &out.Exec
+		*out = new(ExecConfig)
+		if err := Convert_api_ExecConfig_To_v1_ExecConfig(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Exec = nil
+	}
 	if err := Convert_Map_string_To_runtime_Object_To_Slice_v1_NamedExtension(&in.Extensions, &out.Extensions, s); err != nil {
 		return err
 	}
@@ -359,6 +375,7 @@ func autoConvert_v1_ExecConfig_To_api_ExecConfig(in *ExecConfig, out *api.ExecCo
 	out.Env = *(*[]api.ExecEnvVar)(unsafe.Pointer(&in.Env))
 	out.APIVersion = in.APIVersion
 	out.InstallHint = in.InstallHint
+	out.ProvideClusterInfo = in.ProvideClusterInfo
 	return nil
 }

@@ -373,6 +390,8 @@ func autoConvert_api_ExecConfig_To_v1_ExecConfig(in *api.ExecConfig, out *ExecCo
 	out.Env = *(*[]ExecEnvVar)(unsafe.Pointer(&in.Env))
 	out.APIVersion = in.APIVersion
 	out.InstallHint = in.InstallHint
+	out.ProvideClusterInfo = in.ProvideClusterInfo
+	// INFO: in.Config opted out of conversion generation
 	return nil
 }

--- a/tools/clientcmd/api/zz_generated.deepcopy.go
+++ b/tools/clientcmd/api/zz_generated.deepcopy.go
@@ -267,6 +267,9 @@ func (in *ExecConfig) DeepCopyInto(out *ExecConfig) {
 		*out = make([]ExecEnvVar, len(*in))
 		copy(*out, *in)
 	}
+	if in.Config != nil {
+		out.Config = in.Config.DeepCopyObject()
+	}
 	return
 }

--- a/tools/clientcmd/client_config.go
+++ b/tools/clientcmd/client_config.go
@@ -34,6 +34,11 @@ import (
 	"github.com/imdario/mergo"
 )

+const (
+	// clusterExtensionKey is reserved in the cluster extensions list for exec plugin config.
+	clusterExtensionKey = "client.authentication.k8s.io/exec"
+)
+
 var (
 	// ClusterDefaults has the same behavior as the old EnvVar and DefaultCluster fields
 	// DEPRECATED will be replaced
@@ -269,9 +274,9 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
 		mergedConfig.AuthConfigPersister = persistAuthConfig
 	}
 	if configAuthInfo.Exec != nil {
-		mergedConfig.Exec.ExecProvider = configAuthInfo.Exec
+		mergedConfig.ExecProvider = configAuthInfo.Exec
 		mergedConfig.ExecProvider.InstallHint = cleanANSIEscapeCodes(mergedConfig.ExecProvider.InstallHint)
-		mergedConfig.Exec.Config = configClusterInfo.Extensions["exec"] // this key is reserved in the extensions list for exec plugin config
+		mergedConfig.ExecProvider.Config = configClusterInfo.Extensions[clusterExtensionKey]
 	}

 	// if there still isn't enough information to authenticate the user, try prompting
@@ -314,7 +319,7 @@ func canIdentifyUser(config restclient.Config) bool {
 		(len(config.CertFile) > 0 || len(config.CertData) > 0) ||
 		len(config.BearerToken) > 0 ||
 		config.AuthProvider != nil ||
-		config.Exec.ExecProvider != nil
+		config.ExecProvider != nil
 }

 // cleanANSIEscapeCodes takes an arbitrary string and ensures that there are no
--- a/tools/clientcmd/client_config_test.go
+++ b/tools/clientcmd/client_config_test.go
@@ -836,7 +836,7 @@ clusters:
 - cluster:
    server: https://localhost:8080
    extensions:
-    - name: exec
+    - name: client.authentication.k8s.io/exec
      extension:
        audience: foo
        other: bar
@@ -858,6 +858,7 @@ users:
      - arg-1
      - arg-2
      command: foo-command
+      provideClusterInfo: true
 `
 	tmpfile, err := ioutil.TempFile("", "kubeconfig")
 	if err != nil {
@@ -871,15 +872,18 @@ users:
 	if err != nil {
 		t.Error(err)
 	}
-	if !reflect.DeepEqual(config.Exec.ExecProvider.Args, []string{"arg-1", "arg-2"}) {
-		t.Errorf("Got args %v when they should be %v\n", config.Exec.ExecProvider.Args, []string{"arg-1", "arg-2"})
+	if !reflect.DeepEqual(config.ExecProvider.Args, []string{"arg-1", "arg-2"}) {
+		t.Errorf("Got args %v when they should be %v\n", config.ExecProvider.Args, []string{"arg-1", "arg-2"})
+	}
+	if !config.ExecProvider.ProvideClusterInfo {
+		t.Error("Wanted provider cluster info to be true")
 	}
 	want := &runtime.Unknown{
 		Raw:         []byte(`{"audience":"foo","other":"bar"}`),
 		ContentType: "application/json",
 	}
-	if !reflect.DeepEqual(config.Exec.Config, want) {
-		t.Errorf("Got config %v when it should be %v\n", config.Exec.Config, want)
+	if !reflect.DeepEqual(config.ExecProvider.Config, want) {
+		t.Errorf("Got config %v when it should be %v\n", config.ExecProvider.Config, want)
 	}
 }