From b840391f9214d2d10ef1d67131baa4b82e249ed1 Mon Sep 17 00:00:00 2001
From: Peter Engelbert
Date: Thu, 26 Feb 2026 13:27:46 -0500
Subject: [PATCH] Rename AllowlistEntry clientcmd.Name to Command
Signed-off-by: Peter Engelbert
Kubernetes-commit: 505b937babc9ab0061ed346ec0278a3a605664ac
---
 plugin/pkg/client/auth/exec/exec.go | 18 +++++++++---------
 plugin/pkg/client/auth/exec/exec_test.go | 10 +++++-----
 plugin/pkg/client/auth/exec/metrics_test.go | 8 ++++----
 tools/clientcmd/api/types.go | 6 +++---
 4 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/plugin/pkg/client/auth/exec/exec.go b/plugin/pkg/client/auth/exec/exec.go
index acd9144d4..b2393f4dd 100644
--- a/plugin/pkg/client/auth/exec/exec.go
+++ b/plugin/pkg/client/auth/exec/exec.go
@@ -185,8 +185,8 @@ func newAuthenticator(c *cache, isTerminalFunc func(int) bool, config *api.ExecC
 allowlistLookup := sets.New[string]()
 for _, entry := range config.PluginPolicy.Allowlist {
- if entry.Name != "" {
- allowlistLookup.Insert(entry.Name)
+ if entry.Command != "" {
+ allowlistLookup.Insert(entry.Command)
 }
 }
@@ -641,14 +641,14 @@ func (a *Authenticator) checkAllowlistLocked(cmd *exec.Cmd) error {
 func (a *Authenticator) resolveAllowListEntriesLocked(commandHint string) {
 hintName := filepath.Base(commandHint)
 for _, entry := range a.execPluginPolicy.Allowlist {
- entryBasename := filepath.Base(entry.Name)
+ entryBasename := filepath.Base(entry.Command)
 if hintName != "" && hintName != entryBasename {
 // we got a hint, and this allowlist entry does not match it
 continue
 }
- entryResolvedPath, err := exec.LookPath(entry.Name)
+ entryResolvedPath, err := exec.LookPath(entry.Command)
 if err != nil {
- klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "name", entry.Name)
+ klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "name", entry.Command)
 continue
 }
 if entryResolvedPath != "" {
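Review bot: The structured log key in resolveAllowListEntriesLocked is still `"name"` although the value logged is now `entry.Command`, so the rename is incomplete at the `klog.V(5).ErrorS` call. I would change it to `klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "command", entry.Command)`, unless log consumers are known to depend on the old key. The same leftover appears in the types.go hunk, where the field comment still reads "the name in the allowlist entry"; `the command in the allowlist entry` would match the field. The function body continues past the end of this hunk.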
@@ -691,10 +691,10 @@ func validateAllowlist(list []api.AllowlistEntry) error {
 return fmt.Errorf("misconfigured credential plugin allowlist: empty allowlist entry #%d", i+1)
 }
- if cleaned := filepath.Clean(item.Name); cleaned != item.Name {
- return fmt.Errorf("non-normalized file path: %q vs %q", item.Name, cleaned)
- } else if item.Name == "" {
- return fmt.Errorf("empty file path: %q", item.Name)
+ if cleaned := filepath.Clean(item.Command); cleaned != item.Command {
+ return fmt.Errorf("non-normalized file path: %q vs %q", item.Command, cleaned)
+ } else if item.Command == "" {
+ return fmt.Errorf("empty file path: %q", item.Command)
 }
 }
diff --git a/plugin/pkg/client/auth/exec/exec_test.go b/plugin/pkg/client/auth/exec/exec_test.go
index ada512c66..06fd1a9a5 100644
--- a/plugin/pkg/client/auth/exec/exec_test.go
+++ b/plugin/pkg/client/auth/exec/exec_test.go
@@ -1077,7 +1077,7 @@ func (tt *pluginPolicyTest) setAllowlist(l int, existingPluginInPATHAbsolutePath
 }
 for i := 1; i < tt.allowlistLength; i++ {
- tt.allowlist = append(tt.allowlist, api.AllowlistEntry{Name: fmt.Sprintf("foo-%d", i)})
+ tt.allowlist = append(tt.allowlist, api.AllowlistEntry{Command: fmt.Sprintf("foo-%d", i)})
 }
 // shuffle the allowlist to guarantee ordering doesn't matter
@@ -1092,13 +1092,13 @@ func (tt *pluginPolicyTest) makeAllowlistEntry(existingPluginInPATHAbsolutePath
 switch {
 case tt.entryExists && tt.useEntryAbsPath:
- entry.Name = existingPluginInPATHAbsolutePath
+ entry.Command = existingPluginInPATHAbsolutePath
 case tt.entryExists && !tt.useEntryAbsPath:
- entry.Name = existingPluginInPATHBasename
+ entry.Command = existingPluginInPATHBasename
 case !tt.entryExists && tt.useEntryAbsPath:
- entry.Name = "/this/path/does/not/exist"
+ entry.Command = "/this/path/does/not/exist"
 case !tt.entryExists && !tt.useEntryAbsPath:
- entry.Name = "does not exist"
+ entry.Command = "does not exist"
 }
 return entry
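Review bot: The `else if item.Command == ""` branch in validateAllowlist cannot be reached, because `filepath.Clean("")` returns `"."`, so an empty Command already fails the first comparison and is reported as `non-normalized file path: "" vs "."`. Testing for the empty string first gives the intended message: `if item.Command == "" { return fmt.Errorf("empty file path: %q", item.Command) }`, followed by the `filepath.Clean` comparison as its own `if`. The check just above (its condition lies outside the hunk) may already reject empty entries, in which case the empty branch can simply be dropped. validateAllowlist starts and ends outside this hunk.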
diff --git a/plugin/pkg/client/auth/exec/metrics_test.go b/plugin/pkg/client/auth/exec/metrics_test.go
index b50ac89b6..9141f99bf 100644
--- a/plugin/pkg/client/auth/exec/metrics_test.go
+++ b/plugin/pkg/client/auth/exec/metrics_test.go
@@ -243,10 +243,10 @@ func TestPolicyCallsMetric(t *testing.T) {
 PolicyType: api.PluginPolicyAllowlist,
 Allowlist: []api.AllowlistEntry{
 {
- Name: "foobar",
+ Command: "foobar",
 },
 {
- Name: "testdata/test-plugin.sh",
+ Command: "testdata/test-plugin.sh",
 },
 },
 },
@@ -256,8 +256,8 @@ func TestPolicyCallsMetric(t *testing.T) {
 policy: api.PluginPolicy{
 PolicyType: api.PluginPolicyAllowlist,
 Allowlist: []api.AllowlistEntry{
- {Name: "foobar"},
- {Name: "baz"},
+ {Command: "foobar"},
+ {Command: "baz"},
 },
 },
 },
diff --git a/tools/clientcmd/api/types.go b/tools/clientcmd/api/types.go
index cb21c040a..66d0e9230 100644
--- a/tools/clientcmd/api/types.go
+++ b/tools/clientcmd/api/types.go
@@ -298,12 +298,12 @@ type ExecConfig struct {
 // the logical AND of all checks corresponding to the specified fields within
 // the entry.
 type AllowlistEntry struct {
- // Name matching is performed by first resolving the absolute path of both
+ // Command matching is performed by first resolving the absolute path of both
 // the plugin and the name in the allowlist entry using `exec.LookPath`. It
 // will be called on both, and the resulting strings must be equal. If
- // either call to `exec.LookPath` results in an error, the `Name` check
+ // either call to `exec.LookPath` results in an error, the `Command` check
 // will be considered a failure.
- Name string `json:"-"`
+ Command string `json:"-"`
 }
 // PluginPolicy describes the policy type and allowlist (if any) for client-go
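Review bot: The field comment on `Command` in AllowlistEntry does not say how an entry without a path separator is resolved, which a reader configuring an allowlist needs to know. `exec.LookPath` searches the directories in PATH for such a name, so the binary a bare entry matches depends on the environment of the process performing the check. I would add a line to the comment such as `// An entry without a path separator is resolved through PATH; use an absolute path to pin a specific binary.`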