af0e2a11af
This is what happens when writing back a OIDC refresh token:
- plugin/pkg/client/auth/oidc/oidc.go:282
Calls `Persist` to save the new refresh token.
- tools/clientcmd/config.go:372
Calls `ModifyConfig` to save the config.
- tools/clientcmd/config.go:167
Calls `configAccess.GetLoadingPrecedence()` to get the files
listed from the `KUBECONFIG` environment variable.
- tools/clientcmd/loader.go:334
If the `ConfigAccess` was a `ClientConfigLoadingRules`, it
directly returns the `Precedence` slice from its `rules`
field.
THE PROBLEM:
The slice can be modified by the caller, unintentionally
changing the value of the `ClientConfigLoadingRules`'
`Precedence` field.
- tools/clientcmd/config.go:170
Then proceeds to in-place sort the slice returned by the
`ConfigAccess`. This is the same slice (by identity)
as the `ClientConfigLoadingRules`' `Precedence` field,
destroying its intended order.
- tools/clientcmd/config.go:179
Calls `configAccess.GetStartingConfig` to read the original
config so it can be compared with the new config.
- tools/clientcmd/loader.go:339
Calls `NewNonInteractiveDeferredLoadingClientConfig` with
itself as a parameter.
CONSEQUENCE:
At this point, its the `Precedence` has been
unintentionally sorted. When it loads the
config again, it gives precedence to whichever
file comes first in ascending alphabetical order.
- tools/clientcmd/config.go:192
If the file returned by `GetStartingConfig` has a
different `current-context` than the new config,
it calls `writeCurrentContext` to update the first
kubeconfig file in the `KUBECONFIG` environment
variable.
- tools/clientcmd/config.go:403
Calls `configAccess.GetDefaultFilename` to find the
destination kubeconfig file.
- tools/clientcmd/loader.go:358
Iterates through the kubeconfig files returned by
`GetLoadingPreferences` to find the first file
that exists.
CONSEQUENCE:
With the slice being sorted earlier, the files
returned by this call of `GetLoadingPreferences`
will be sorted alphabetically, rather than by
their intended order.
Kubernetes-commit: ffa084f81129ea685b176a282921c4d54906c539
|
||
|---|---|---|
| .github | ||
| applyconfigurations | ||
| discovery | ||
| dynamic | ||
| examples | ||
| features | ||
| gentype | ||
| informers | ||
| kubernetes | ||
| kubernetes_test | ||
| listers | ||
| metadata | ||
| openapi | ||
| openapi3 | ||
| pkg | ||
| plugin/pkg/client/auth | ||
| rest | ||
| restmapper | ||
| scale | ||
| testing | ||
| third_party/forked/golang | ||
| tools | ||
| transport | ||
| util | ||
| CHANGELOG.md | ||
| code-of-conduct.md | ||
| CONTRIBUTING.md | ||
| doc.go | ||
| go.mod | ||
| go.sum | ||
| INSTALL.md | ||
| LICENSE | ||
| OWNERS | ||
| README.md | ||
| SECURITY_CONTACTS | ||
⚠️ This is an automatically published staged repository for Kubernetes.
Contributions, including issues and pull requests, should be made to the main Kubernetes repository: https://github.com/kubernetes/kubernetes.
This repository is read-only for importing, and not used for direct contributions.
See CONTRIBUTING.md for more details.
client-go
Go clients for talking to a kubernetes cluster.
We recommend using the v0.x.y tags for Kubernetes releases >= v1.17.0 and
kubernetes-1.x.y tags for Kubernetes releases < v1.17.0.
The fastest way to add this library to a project is to run go get k8s.io/client-go@latest with go1.16+.
See INSTALL.md for detailed installation instructions and troubleshooting.
Table of Contents
- What's included
- Versioning
- Kubernetes tags
- How to get it
- How to use it
- Dependency management
- Contributing code
What's included
- The
kubernetespackage contains the clientset to access Kubernetes API. - The
discoverypackage is used to discover APIs supported by a Kubernetes API server. - The
dynamicpackage contains a dynamic client that can perform generic operations on arbitrary Kubernetes API objects. - The
plugin/pkg/client/authpackages contain optional authentication plugins for obtaining credentials from external sources. - The
transportpackage is used to set up auth and start a connection. - The
tools/cachepackage is useful for writing controllers.
Versioning
-
For each
v1.x.yKubernetes release, the major version (first digit) would remain0. -
Bugfixes will result in the patch version (third digit) changing. PRs that are cherry-picked into an older Kubernetes release branch will result in an update to the corresponding branch in
client-go, with a corresponding new tag changing the patch version.
Branches and tags.
We will create a new branch and tag for each increment in the minor version number. We will create only a new tag for each increment in the patch version number. See semver for definitions of major, minor, and patch.
The HEAD of the master branch in client-go will track the HEAD of the master branch in the main Kubernetes repo.
Compatibility: your code <-> client-go
The v0.x.y tags indicate that go APIs may change in incompatible ways in
different versions.
See INSTALL.md for guidelines on requiring a specific version of client-go.
Compatibility: client-go <-> Kubernetes clusters
Since Kubernetes is backwards compatible with clients, older client-go
versions will work with many different Kubernetes cluster versions.
We will backport bugfixes--but not new features--into older versions of
client-go.
Compatibility matrix
| Kubernetes 1.27 | Kubernetes 1.28 | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 | |
|---|---|---|---|---|---|---|
kubernetes-1.27.0/v0.27.0 |
✓ | +- | +- | +- | +- | +- |
kubernetes-1.28.0/v0.28.0 |
+- | ✓ | +- | +- | +- | +- |
kubernetes-1.29.0/v0.29.0 |
+- | +- | ✓ | +- | +- | +- |
kubernetes-1.30.0/v0.30.0 |
+- | +- | +- | ✓ | +- | +- |
kubernetes-1.31.0/v0.31.0 |
+- | +- | +- | +- | ✓ | +- |
kubernetes-1.32.0/v0.32.0 |
+- | +- | +- | +- | +- | ✓ |
HEAD |
+- | +- | +- | +- | +- | +- |
Key:
✓Exactly the same features / API objects in both client-go and the Kubernetes version.+client-go has features or API objects that may not be present in the Kubernetes cluster, either due to that client-go has additional new API, or that the server has removed old API. However, everything they have in common (i.e., most APIs) will work. Please note that alpha APIs may vanish or change significantly in a single release.-The Kubernetes cluster has features the client-go library can't use, either due to the server has additional new API, or that client-go has removed old API. However, everything they share in common (i.e., most APIs) will work.
See the CHANGELOG for a detailed description of changes between client-go versions.
| Branch | Canonical source code location | Maintenance status |
|---|---|---|
release-1.23 |
Kubernetes main repo, 1.23 branch | =- |
release-1.24 |
Kubernetes main repo, 1.24 branch | =- |
release-1.25 |
Kubernetes main repo, 1.25 branch | =- |
release-1.26 |
Kubernetes main repo, 1.26 branch | =- |
release-1.27 |
Kubernetes main repo, 1.27 branch | =- |
release-1.28 |
Kubernetes main repo, 1.28 branch | =- |
release-1.29 |
Kubernetes main repo, 1.29 branch | ✓ |
release-1.30 |
Kubernetes main repo, 1.30 branch | ✓ |
release-1.31 |
Kubernetes main repo, 1.31 branch | ✓ |
release-1.32 |
Kubernetes main repo, 1.32 branch | ✓ |
| client-go HEAD | Kubernetes main repo, master branch | ✓ |
Key:
✓Changes in main Kubernetes repo are actively published to client-go by a bot=Maintenance is manual, only severe security bugs will be patched.-Deprecated; please upgrade.
Deprecation policy
We will maintain branches for at least six months after their first stable tag is cut. (E.g., the clock for the release-2.0 branch started ticking when we tagged v2.0.0, not when we made the first alpha.) This policy applies to every version greater than or equal to 2.0.
Why do the 1.4 and 1.5 branch contain top-level folder named after the version?
For the initial release of client-go, we thought it would be easiest to keep separate directories for each minor version. That soon proved to be a mistake. We are keeping the top-level folders in the 1.4 and 1.5 branches so that existing users won't be broken.
Kubernetes tags
This repository is still a mirror of k8s.io/kubernetes/staging/src/client-go, the code development is still done in the staging area.
Since Kubernetes v1.8.0, when syncing the code from the staging area,
we also sync the Kubernetes version tags to client-go, prefixed with
kubernetes-. From Kubernetes v1.17.0, we also create matching semver
v0.x.y tags for each v1.x.y Kubernetes release.
For example, if you check out the kubernetes-1.17.0 or the v0.17.0 tag in
client-go, the code you get is exactly the same as if you check out the v1.17.0
tag in Kubernetes, and change directory to staging/src/k8s.io/client-go.
The purpose is to let users quickly find matching commits among published repos, like sample-apiserver, apiextension-apiserver, etc. The Kubernetes version tag does NOT claim any backwards compatibility guarantees for client-go. Please check the semantic versions if you care about backwards compatibility.
How to get it
To get the latest version, use go1.16+ and fetch using the go get command. For example:
go get k8s.io/client-go@latest
To get a specific version, use go1.11+ and fetch the desired version using the go get command. For example:
go get k8s.io/client-go@v0.20.4
See INSTALL.md for detailed instructions and troubleshooting.
How to use it
If your application runs in a Pod in the cluster, please refer to the in-cluster example, otherwise please refer to the out-of-cluster example.
Dependency management
For details on how to correctly use a dependency management for installing client-go, please see INSTALL.md.
Contributing code
Please send pull requests against the client packages in the Kubernetes main repository. Changes in the staging area will be published to this repository every day.