Presence of bearer token should cancel exec action

If a bearer token is present in a request, the exec credential plugin should accept that as the chosen method of authentication. Judging by an [earlier comment in exec.go](c18bc7e9f7/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go (L217)), this was already intended. This would however not work since UpdateTransportConfig would set the GetCert callback which would then get called by the transport, triggering the exec plugin action even with a token present in the request. See linked issue for further details.

See #87369 for further details.

Signed-off-by: Anders Eknert <anders.eknert@bisnode.com>
Anders Eknert
2020-06-04 00:12:05 +02:00
parent a138be8722
commit b423216a3b
7 changed files with 153 additions and 0 deletions

@@ -69,6 +69,7 @@ function run_kube_apiserver() {
--storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
--cert-dir="${TMPDIR:-/tmp/}" \
--service-cluster-ip-range="10.0.0.0/24" \
--client-ca-file=hack/testdata/ca.crt \
--token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
export APISERVER_PID=$!
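
Review bot: the flag list in run_kube_apiserver carries no comment saying why the test apiserver runs with both --client-ca-file=hack/testdata/ca.crt and --token-auth-file=hack/testdata/auth-tokens.csv, so a later cleanup could drop one of them without anyone noticing that the token-versus-certificate case from the commit message is no longer exercised. A one-line comment above the flags naming the test that needs both authenticators would cover that. Both testdata paths are also relative while --cert-dir is taken from TMPDIR, so the function only works when called from the repository root; either state that assumption in the comment or build the two paths from an absolute base.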