exec credential provider: update tests+metadata for v1

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2025-07-19 09:52:49 +00:00 · 2021-06-28 10:58:02 -04:00 · 2021-06-28 10:58:02 -04:00 · 20e1c4d754
commit 20e1c4d754
parent 30a6812aa1
10 changed files with 291 additions and 64 deletions
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@ -466,6 +466,10 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
 API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,IntVal
 API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,StrVal
 API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,Type
+API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1,Cluster,CertificateAuthorityData
+API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1,Cluster,InsecureSkipTLSVerify
+API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1,Cluster,ProxyURL
+API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1,Cluster,TLSServerName
 API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1beta1,Cluster,CertificateAuthorityData
 API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1beta1,Cluster,InsecureSkipTLSVerify
 API rule violation: names_match,k8s.io/client-go/pkg/apis/clientauthentication/v1beta1,Cluster,ProxyURL
--- a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/install/install.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/install/install.go
@ -22,12 +22,15 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
+	"k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
+	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )

 // Install registers the API group and adds types to a scheme
 func Install(scheme *runtime.Scheme) {
 	utilruntime.Must(clientauthentication.AddToScheme(scheme))
+	utilruntime.Must(v1.AddToScheme(scheme))
+	utilruntime.Must(v1beta1.AddToScheme(scheme))
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion))
 }
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
@ -35,15 +35,15 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	"golang.org/x/term"

-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/clock"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	"k8s.io/client-go/pkg/apis/clientauthentication/install"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
+	clientauthenticationv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/transport"
@ -63,10 +63,7 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)

 func init() {
-	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
-	utilruntime.Must(v1alpha1.AddToScheme(scheme))
-	utilruntime.Must(v1beta1.AddToScheme(scheme))
-	utilruntime.Must(clientauthentication.AddToScheme(scheme))
+	install.Install(scheme)
 }

 var (
@ -75,8 +72,9 @@ var (
 	globalCache = newCache()
 	// The list of API versions we accept.
 	apiVersions = map[string]schema.GroupVersion{
-		v1alpha1.SchemeGroupVersion.String(): v1alpha1.SchemeGroupVersion,
-		v1beta1.SchemeGroupVersion.String():  v1beta1.SchemeGroupVersion,
+		clientauthenticationv1alpha1.SchemeGroupVersion.String(): clientauthenticationv1alpha1.SchemeGroupVersion,
+		clientauthenticationv1beta1.SchemeGroupVersion.String():  clientauthenticationv1beta1.SchemeGroupVersion,
+		clientauthenticationv1.SchemeGroupVersion.String():       clientauthenticationv1.SchemeGroupVersion,
 	}
 )

--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go
@ -980,6 +980,36 @@ func TestRefreshCreds(t *testing.T) {
 			}`,
 			wantCreds: credentials{token: "foo-bar"},
 		},
+		{
+			name: "v1-basic-request",
+			config: api.ExecConfig{
+				APIVersion:      "client.authentication.k8s.io/v1",
+				InteractiveMode: api.IfAvailableExecInteractiveMode,
+			},
+			wantInput: `{
+				"kind": "ExecCredential",
+				"apiVersion": "client.authentication.k8s.io/v1",
+				"spec": {
+					"interactive": false
+				}
+			}`,
+			output: `{
+				"kind": "ExecCredential",
+				"apiVersion": "client.authentication.k8s.io/v1",
+				"status": {
+					"token": "foo-bar"
+				}
+			}`,
+			wantCreds: credentials{token: "foo-bar"},
+		},
+		{
+			name: "v1-with-missing-interactive-mode",
+			config: api.ExecConfig{
+				APIVersion: "client.authentication.k8s.io/v1",
+			},
+			wantErr:       true,
+			wantErrSubstr: `exec plugin cannot support interactive mode: unknown interactiveMode: ""`,
+		},
 	}

 	for _, test := range tests {
--- a/staging/src/k8s.io/client-go/tools/auth/exec/exec.go
+++ b/staging/src/k8s.io/client-go/tools/auth/exec/exec.go
@ -22,14 +22,11 @@ import (
 	"fmt"
 	"os"

-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	"k8s.io/client-go/pkg/apis/clientauthentication/install"
 	"k8s.io/client-go/rest"
 )

@ -39,10 +36,7 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)

 func init() {
-	metav1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
-	utilruntime.Must(v1alpha1.AddToScheme(scheme))
-	utilruntime.Must(v1beta1.AddToScheme(scheme))
-	utilruntime.Must(clientauthentication.AddToScheme(scheme))
+	install.Install(scheme)
 }

 // LoadExecCredentialFromEnv is a helper-wrapper around LoadExecCredential that loads from the
@ -68,7 +62,7 @@ func LoadExecCredentialFromEnv() (runtime.Object, *rest.Config, error) {
 // value.
 //
 // If the provided data is successfully unmarshalled, but it does not contain cluster information
-// (i.e., ExecCredential.Spec.Cluster == nil), then the returned rest.Config and error will be nil.
+// (i.e., ExecCredential.Spec.Cluster == nil), then an error will be returned.
 //
 // Note that the returned rest.Config will use anonymous authentication, since the exec plugin has
 // not returned credentials for this cluster yet.
--- a/staging/src/k8s.io/client-go/tools/auth/exec/exec_test.go
+++ b/staging/src/k8s.io/client-go/tools/auth/exec/exec_test.go
@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	clientauthenticationv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/rest"
@ -46,6 +47,50 @@ func TestLoadExecCredential(t *testing.T) {
 		wantRESTInfo       restInfo
 		wantErrorPrefix    string
 	}{
+		{
+			name: "v1 happy path",
+			data: marshal(t, clientauthenticationv1.SchemeGroupVersion, &clientauthenticationv1.ExecCredential{
+				Spec: clientauthenticationv1.ExecCredentialSpec{
+					Cluster: &clientauthenticationv1.Cluster{
+						Server:                   "https://some-server/some/path",
+						TLSServerName:            "some-server-name",
+						InsecureSkipTLSVerify:    true,
+						CertificateAuthorityData: []byte("some-ca-data"),
+						ProxyURL:                 "https://some-proxy-url:12345",
+						Config: runtime.RawExtension{
+							Raw: []byte(`{"apiVersion":"group/v1","kind":"PluginConfig","spec":{"names":["marshmallow","zelda"]}}`),
+						},
+					},
+				},
+			}),
+			wantExecCredential: &clientauthenticationv1.ExecCredential{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "ExecCredential",
+					APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+				},
+				Spec: clientauthenticationv1.ExecCredentialSpec{
+					Cluster: &clientauthenticationv1.Cluster{
+						Server:                   "https://some-server/some/path",
+						TLSServerName:            "some-server-name",
+						InsecureSkipTLSVerify:    true,
+						CertificateAuthorityData: []byte("some-ca-data"),
+						ProxyURL:                 "https://some-proxy-url:12345",
+						Config: runtime.RawExtension{
+							Raw: []byte(`{"apiVersion":"group/v1","kind":"PluginConfig","spec":{"names":["marshmallow","zelda"]}}`),
+						},
+					},
+				},
+			},
+			wantRESTInfo: restInfo{
+				host: "https://some-server/some/path",
+				tlsClientConfig: rest.TLSClientConfig{
+					Insecure:   true,
+					ServerName: "some-server-name",
+					CAData:     []byte("some-ca-data"),
+				},
+				proxyURL: "https://some-proxy-url:12345",
+			},
+		},
 		{
 			name: "v1beta1 happy path",
 			data: marshal(t, clientauthenticationv1beta1.SchemeGroupVersion, &clientauthenticationv1beta1.ExecCredential{
@ -90,6 +135,44 @@ func TestLoadExecCredential(t *testing.T) {
 				proxyURL: "https://some-proxy-url:12345",
 			},
 		},
+		{
+			name: "v1 nil config",
+			data: marshal(t, clientauthenticationv1.SchemeGroupVersion, &clientauthenticationv1.ExecCredential{
+				Spec: clientauthenticationv1.ExecCredentialSpec{
+					Cluster: &clientauthenticationv1.Cluster{
+						Server:                   "https://some-server/some/path",
+						TLSServerName:            "some-server-name",
+						InsecureSkipTLSVerify:    true,
+						CertificateAuthorityData: []byte("some-ca-data"),
+						ProxyURL:                 "https://some-proxy-url:12345",
+					},
+				},
+			}),
+			wantExecCredential: &clientauthenticationv1.ExecCredential{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "ExecCredential",
+					APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+				},
+				Spec: clientauthenticationv1.ExecCredentialSpec{
+					Cluster: &clientauthenticationv1.Cluster{
+						Server:                   "https://some-server/some/path",
+						TLSServerName:            "some-server-name",
+						InsecureSkipTLSVerify:    true,
+						CertificateAuthorityData: []byte("some-ca-data"),
+						ProxyURL:                 "https://some-proxy-url:12345",
+					},
+				},
+			},
+			wantRESTInfo: restInfo{
+				host: "https://some-server/some/path",
+				tlsClientConfig: rest.TLSClientConfig{
+					Insecure:   true,
+					ServerName: "some-server-name",
+					CAData:     []byte("some-ca-data"),
+				},
+				proxyURL: "https://some-proxy-url:12345",
+			},
+		},
 		{
 			name: "v1beta1 nil config",
 			data: marshal(t, clientauthenticationv1beta1.SchemeGroupVersion, &clientauthenticationv1beta1.ExecCredential{
@ -128,6 +211,17 @@ func TestLoadExecCredential(t *testing.T) {
 				proxyURL: "https://some-proxy-url:12345",
 			},
 		},
+		{
+			name: "v1 invalid cluster",
+			data: marshal(t, clientauthenticationv1.SchemeGroupVersion, &clientauthenticationv1.ExecCredential{
+				Spec: clientauthenticationv1.ExecCredentialSpec{
+					Cluster: &clientauthenticationv1.Cluster{
+						ProxyURL: "invalid- url\n",
+					},
+				},
+			}),
+			wantErrorPrefix: "cannot create rest.Config",
+		},
 		{
 			name: "v1beta1 invalid cluster",
 			data: marshal(t, clientauthenticationv1beta1.SchemeGroupVersion, &clientauthenticationv1beta1.ExecCredential{
@ -139,6 +233,11 @@ func TestLoadExecCredential(t *testing.T) {
 			}),
 			wantErrorPrefix: "cannot create rest.Config",
 		},
+		{
+			name:            "v1 nil cluster",
+			data:            marshal(t, clientauthenticationv1.SchemeGroupVersion, &clientauthenticationv1.ExecCredential{}),
+			wantErrorPrefix: "ExecCredential does not contain cluster information",
+		},
 		{
 			name:            "v1beta1 nil cluster",
 			data:            marshal(t, clientauthenticationv1beta1.SchemeGroupVersion, &clientauthenticationv1beta1.ExecCredential{}),
--- a/staging/src/k8s.io/client-go/tools/auth/exec/types_test.go
+++ b/staging/src/k8s.io/client-go/tools/auth/exec/types_test.go
@ -17,26 +17,40 @@ limitations under the License.
 package exec

 import (
+	"fmt"
 	"reflect"
 	"testing"

 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	clientauthenticationv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	clientcmdv1 "k8s.io/client-go/tools/clientcmd/api/v1"
 )

-// TestV1beta1ClusterTypesAreSynced ensures that clientauthenticationv1beta1.Cluster stays in sync
-// with clientcmdv1.Cluster.
-//
-// We want clientauthenticationv1beta1.Cluster to offer the same knobs as clientcmdv1.Cluster to
-// allow someone to connect to the kubernetes API. This test should fail if a new field is added to
-// one of the structs without updating the other.
-func TestV1beta1ClusterTypesAreSynced(t *testing.T) {
+func TestClientAuthenticationClusterTypesAreSynced(t *testing.T) {
 	t.Parallel()

-	execType := reflect.TypeOf(clientauthenticationv1beta1.Cluster{})
+	for _, cluster := range []interface{}{
+		clientauthenticationv1beta1.Cluster{},
+		clientauthenticationv1.Cluster{},
+	} {
+		t.Run(fmt.Sprintf("%T", cluster), func(t *testing.T) {
+			t.Parallel()
+			testClientAuthenticationClusterTypesAreSynced(t, cluster)
+		})
+	}
+}
+
+// testClusterTypesAreSynced ensures that the provided cluster type stays in sync
+// with clientcmdv1.Cluster.
+//
+// We want clientauthentication*.Cluster types to offer the same knobs as clientcmdv1.Cluster to
+// allow someone to connect to the kubernetes API. This test should fail if a new field is added to
+// one of the structs without updating the other.
+func testClientAuthenticationClusterTypesAreSynced(t *testing.T, cluster interface{}) {
+	execType := reflect.TypeOf(cluster)
 	clientcmdType := reflect.TypeOf(clientcmdv1.Cluster{})

 	t.Run("exec cluster fields match clientcmd cluster fields", func(t *testing.T) {
@ -136,6 +150,8 @@ func TestAllClusterTypesAreSynced(t *testing.T) {
 		clientauthenticationv1alpha1.SchemeGroupVersion.Version,
 		// We have a test for v1beta1 above.
 		clientauthenticationv1beta1.SchemeGroupVersion.Version,
+		// We have a test for v1 above.
+		clientauthenticationv1.SchemeGroupVersion.Version,
 	)
 	for gvk := range scheme.AllKnownTypes() {
 		if gvk.Group == clientauthenticationv1beta1.SchemeGroupVersion.Group &&
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@ -19,10 +19,17 @@ set -o nounset
 set -o pipefail

 run_exec_credentials_tests() {
+  run_exec_credentials_tests_version client.authentication.k8s.io/v1beta1
+  run_exec_credentials_tests_version client.authentication.k8s.io/v1
+}
+
+run_exec_credentials_tests_version() {
  set -o nounset
  set -o errexit

-  kube::log::status "Testing kubectl with configured exec credentials plugin"
+  local -r apiVersion="$1"
+
+  kube::log::status "Testing kubectl with configured ${apiVersion} exec credentials plugin"

  cat > "${TMPDIR:-/tmp}"/invalid_exec_plugin.yaml << EOF
 apiVersion: v1
@ -41,9 +48,10 @@ users:
 - name: invalid_token_user
  user:
    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
+      apiVersion: ${apiVersion}
      # Any invalid exec credential plugin will do to demonstrate
      command: ls
+      interactiveMode: IfAvailable
 EOF

  ### Provided --token should take precedence, thus not triggering the (invalid) exec credential plugin
@ -56,7 +64,7 @@ EOF
    kube::log::status "exec credential plugin not triggered since kubectl was called with provided --token"
  else
    kube::log::status "Unexpected output when providing --token for authentication - exec credential plugin likely triggered. Output: ${output}"
-    exit 1    
+    exit 1
  fi
  # Post-condition: None

@ -91,10 +99,11 @@ users:
 - name: valid_token_user
  user:
    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
+      apiVersion: ${apiVersion}
      command: echo
      args:
-        - '{"apiVersion":"client.authentication.k8s.io/v1beta1","status":{"token":"admin-token"}}'
+        - '{"apiVersion":"${apiVersion}","status":{"token":"admin-token"}}'
+      interactiveMode: IfAvailable
 EOF

  ### Valid exec plugin should authenticate user properly
@ -133,10 +142,17 @@ EOF
 }

 run_exec_credentials_interactive_tests() {
+  run_exec_credentials_interactive_tests_version client.authentication.k8s.io/v1beta1
+  run_exec_credentials_interactive_tests_version client.authentication.k8s.io/v1
+}
+
+run_exec_credentials_interactive_tests_version() {
  set -o nounset
  set -o errexit

-  kube::log::status "Testing kubectl with configured interactive exec credentials plugin"
+  local -r apiVersion="$1"
+
+  kube::log::status "Testing kubectl with configured ${apiVersion} interactive exec credentials plugin"

  cat > "${TMPDIR:-/tmp}"/always_interactive_exec_plugin.yaml << EOF
 apiVersion: v1
@ -155,10 +171,10 @@ users:
 - name: always_interactive_token_user
  user:
    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
+      apiVersion: ${apiVersion}
      command: echo
      args:
-        - '{"apiVersion":"client.authentication.k8s.io/v1beta1","status":{"token":"admin-token"}}'
+        - '{"apiVersion":"${apiVersion}","status":{"token":"admin-token"}}'
      interactiveMode: Always
 EOF

@ -209,11 +225,56 @@ EOF
  if [[ -n "$failure" ]]; then
    exit 1
  fi
+  # Post-condition: None

+  cat > "${TMPDIR:-/tmp}"/missing_interactive_exec_plugin.yaml << EOF
+apiVersion: v1
+clusters:
+- cluster:
+  name: test
+contexts:
+- context:
+    cluster: test
+    user: missing_interactive_token_user
+  name: test
+current-context: test
+kind: Config
+preferences: {}
+users:
+- name: missing_interactive_token_user
+  user:
+    exec:
+      apiVersion: ${apiVersion}
+      command: echo
+      args:
+        - '{"apiVersion":"${apiVersion}","status":{"token":"admin-token"}}'
+EOF
+
+  ### The kubeconfig will fail to be loaded if a v1 exec credential plugin is missing an interactiveMode field, otherwise it will default to IfAvailable
+  # Pre-condition: The exec credential plugin is missing an interactiveMode setting
+
+  output2=$(kubectl "${kube_flags_without_token[@]:?}" --kubeconfig="${TMPDIR:-/tmp}"/missing_interactive_exec_plugin.yaml get namespace kube-system -o name 2>&1 || true)
+
+  if [[ "$apiVersion" == "client.authentication.k8s.io/v1" ]]; then
+    if [[ "${output2}" =~ "error: interactiveMode must be specified for missing_interactive_token_user to use exec authentication plugin" ]]; then
+      kube::log::status "kubeconfig was not loaded successfully because ${apiVersion} exec credential plugin is missing interactiveMode"
+    else
+      kube::log::status "Unexpected output when running kubectl command that uses a ${apiVersion} exec credential plugin without an interactiveMode. Output: ${output2}"
+      exit 1
+    fi
+  else
+    if [[ "${output2}" == "namespace/kube-system" ]]; then
+      kube::log::status "${apiVersion} exec credential plugin triggered and provided valid credentials"
+    else
+      kube::log::status "Unexpected output when using valid exec credential plugin for authentication. Output: ${output2}"
+      exit 1
+    fi
+  fi
  # Post-condition: None

  rm "${TMPDIR:-/tmp}"/always_interactive_exec_plugin.yaml
+  rm "${TMPDIR:-/tmp}"/missing_interactive_exec_plugin.yaml

  set +o nounset
  set +o errexit
-}
+}
--- a/test/integration/client/exec_test.go
+++ b/test/integration/client/exec_test.go
@ -116,7 +116,7 @@ type execPluginClientTestData struct {
 }

 func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byte, clientAuthorizedToken, clientCertFileName, clientKeyFileName string) []execPluginClientTestData {
-	return []execPluginClientTestData{
+	v1Tests := []execPluginClientTestData{
 		{
 			name: "unauthorized token",
 			clientConfigFunc: func(c *rest.Config) {
@ -125,7 +125,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: `{
 										"kind": "ExecCredential",
-										"apiVersion": "client.authentication.k8s.io/v1beta1",
+										"apiVersion": "client.authentication.k8s.io/v1",
 										"status": {
 											"token": "unauthorized"
 										}
@ -152,7 +152,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"clientCertificateData": %q,
 								"clientKeyData": %q
@ -180,7 +180,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 						"kind": "ExecCredential",
-						"apiVersion": "client.authentication.k8s.io/v1beta1",
+						"apiVersion": "client.authentication.k8s.io/v1",
 						"status": {
 							"token": "%s"
 						}
@ -200,7 +200,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"clientCertificateData": %s,
 								"clientKeyData": %s
@ -221,7 +221,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s",
 								"clientCertificateData": %s,
@ -243,7 +243,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s",
 								"clientCertificateData": %s,
@ -265,7 +265,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s",
 								"clientCertificateData": %q,
@ -287,7 +287,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s",
 								"clientCertificateData": %q,
@ -316,7 +316,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s"
 							}
@ -338,7 +338,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s"
 							}
@ -361,7 +361,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": "%s"
 							}
@ -408,6 +408,30 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 10, callStatus: "plugin_execution_error"}}},
 		},
 	}
+	return append(v1Tests, v1beta1TestsFromV1Tests(v1Tests)...)
+}
+
+func v1beta1TestsFromV1Tests(v1Tests []execPluginClientTestData) []execPluginClientTestData {
+	v1beta1Tests := make([]execPluginClientTestData, 0, len(v1Tests))
+	for _, v1Test := range v1Tests {
+		v1Test := v1Test
+
+		v1beta1Test := v1Test
+		v1beta1Test.name = fmt.Sprintf("%s v1beta1", v1Test.name)
+		v1beta1Test.clientConfigFunc = func(c *rest.Config) {
+			v1Test.clientConfigFunc(c)
+			c.ExecProvider.APIVersion = "client.authentication.k8s.io/v1beta1"
+			for j, oldOutputEnvVar := range c.ExecProvider.Env {
+				if oldOutputEnvVar.Name == outputEnvVar {
+					c.ExecProvider.Env[j].Value = strings.Replace(oldOutputEnvVar.Value, "client.authentication.k8s.io/v1", "client.authentication.k8s.io/v1beta1", 1)
+					break
+				}
+			}
+		}
+
+		v1beta1Tests = append(v1beta1Tests, v1beta1Test)
+	}
+	return v1beta1Tests
 }

 func TestExecPluginViaClient(t *testing.T) {
@ -428,9 +452,8 @@ func TestExecPluginViaClient(t *testing.T) {
 			var authorizationHeaderValues syncedHeaderValues
 			clientConfig := rest.AnonymousClientConfig(result.ClientConfig)
 			clientConfig.ExecProvider = &clientcmdapi.ExecConfig{
-				Command: "testdata/exec-plugin.sh",
-				// TODO(ankeesler): move to v1 once exec plugins go GA.
-				APIVersion: "client.authentication.k8s.io/v1beta1",
+				Command:    "testdata/exec-plugin.sh",
+				APIVersion: "client.authentication.k8s.io/v1",
 				Args: []string{
 					// If we didn't have this arg, then some metrics assertions might fail because
 					// the authenticator may be pulled from a globalCache and therefore it may have
@ -620,7 +643,7 @@ func TestExecPluginViaInformer(t *testing.T) {
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"token": %q
 							}
@ -637,7 +660,7 @@ func TestExecPluginViaInformer(t *testing.T) {
 						Name: outputEnvVar,
 						Value: fmt.Sprintf(`{
 							"kind": "ExecCredential",
-							"apiVersion": "client.authentication.k8s.io/v1beta1",
+							"apiVersion": "client.authentication.k8s.io/v1",
 							"status": {
 								"clientCertificateData": %s,
 								"clientKeyData": %s
@ -652,9 +675,8 @@ func TestExecPluginViaInformer(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			clientConfig := rest.AnonymousClientConfig(result.ClientConfig)
 			clientConfig.ExecProvider = &clientcmdapi.ExecConfig{
-				Command: "testdata/exec-plugin.sh",
-				// TODO(ankeesler): move to v1 once exec plugins go GA.
-				APIVersion:      "client.authentication.k8s.io/v1beta1",
+				Command:         "testdata/exec-plugin.sh",
+				APIVersion:      "client.authentication.k8s.io/v1",
 				InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 			}

@ -687,9 +709,8 @@ func newExecPlugin(t *testing.T) *execPlugin {

 func (e *execPlugin) config() *clientcmdapi.ExecConfig {
 	return &clientcmdapi.ExecConfig{
-		Command: "testdata/exec-plugin.sh",
-		// TODO(ankeesler): move to v1 once exec plugins go GA.
-		APIVersion:      "client.authentication.k8s.io/v1beta1",
+		Command:         "testdata/exec-plugin.sh",
+		APIVersion:      "client.authentication.k8s.io/v1",
 		InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		Env: []clientcmdapi.ExecEnvVar{
 			{
@ -706,7 +727,7 @@ func (e *execPlugin) rotateToken(newToken string, lifetime time.Duration) {
 	expirationTimestamp := metav1.NewTime(time.Now().Add(lifetime)).Format(time.RFC3339Nano)
 	newOutput := fmt.Sprintf(`{
 		"kind": "ExecCredential",
-		"apiVersion": "client.authentication.k8s.io/v1beta1",
+		"apiVersion": "client.authentication.k8s.io/v1",
 		"status": {
 			"expirationTimestamp": %q,
 			"token": %q
@ -994,9 +1015,8 @@ func TestExecPluginGlobalCache(t *testing.T) {
 			t.Run(test.name+" "+suffix, func(t *testing.T) {
 				clientConfig := rest.AnonymousClientConfig(result.ClientConfig)
 				clientConfig.ExecProvider = &clientcmdapi.ExecConfig{
-					Command: "testdata/exec-plugin.sh",
-					// TODO(ankeesler): move to v1 once exec plugins go GA.
-					APIVersion: "client.authentication.k8s.io/v1beta1",
+					Command:    "testdata/exec-plugin.sh",
+					APIVersion: "client.authentication.k8s.io/v1",
 					Args: []string{
 						// carefully control what the global cache sees as the same exec plugin
 						"--random-arg-to-avoid-authenticator-cache-hits",
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -1826,6 +1826,8 @@ k8s.io/client-go/metadata/fake
 k8s.io/client-go/metadata/metadatainformer
 k8s.io/client-go/metadata/metadatalister
 k8s.io/client-go/pkg/apis/clientauthentication
+k8s.io/client-go/pkg/apis/clientauthentication/install
+k8s.io/client-go/pkg/apis/clientauthentication/v1
 k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1
 k8s.io/client-go/pkg/apis/clientauthentication/v1beta1
 k8s.io/client-go/pkg/version