GoogleCloudPlatform / cloud-code-vscode

Cloud Code for Visual Studio Code: Issues, Documentation and more

Extension constantly asks for Okta MFA authentication #814

Open cygnus8595 opened 1 year ago

cygnus8595 commented 1 year ago

Type: Bug

Context

Whenever VS Code is open, I get constant MFA push notifications. This happened as soon as I installed the plugin. I tried logging out of gcloud with no luck. I am not signed into Google through the plugin and I never was.

Steps to reproduce:

I've restarted VS Code, updated, tried the insiders version, and it keeps happening. The source of the auth is go-http-client/2.0.

Extension version: 1.21.7
VS Code version: Code 1.79.2 (Universal) (695af097c7bd098fbf017ce3ac85e09bbc5dda06, 2023-06-14T08:58:52.392Z)
OS version: Darwin arm64 22.5.0
Modes:

System Info

|Item|Value|
|---|---|
|CPUs|Apple M1 (8 x 24)|
|GPU Status|2d_canvas: enabled; canvas_oop_rasterization: disabled_off; direct_rendering_display_compositor: disabled_off_ok; gpu_compositing: enabled; metal: disabled_off; multiple_raster_threads: enabled_on; opengl: enabled_on; rasterization: enabled; raw_draw: disabled_off_ok; video_decode: enabled; video_encode: enabled; vulkan: disabled_off; webgl: enabled; webgl2: enabled; webgpu: enabled|
|Load (avg)|2, 2, 3|
|Memory (System)|16.00GB (0.09GB free)|
|Process Argv|--crash-reporter-id be0893a6-2de8-42bd-9922-93c207a41a24|
|Screen Reader|no|
|VM|0%|
glouischandra commented 1 year ago

Thanks @cygnus8595 for the bug report. Does this issue only repro when Cloud Code is on the Insiders version, or does it happen when Cloud Code is on the latest GA version too?

To check, you can open the VS Code marketplace page for Cloud Code.

1.21.8 is the latest GA version while anything with *-insiders is insider.

glouischandra commented 1 year ago

Also, a couple of additional questions, @cygnus8595:

  1. This issue seems related to kubectl and the Kubernetes explorer in Cloud Code. Can you point us to the kubeconfig entries? Please also make sure to redact any personal/sensitive information in the kubeconfig file; this would help us debug further.
  2. Are you approving the Okta 2FA request, and is the authentication being generated not persistent?

Thanks!

cygnus8595 commented 1 year ago

Thank you for the response! The fact that it's using the kubeconfig makes sense, as it's full of aws_okta calls. I will work on the redacted file to give you.

I'm approving them sometimes but it keeps asking so eventually I stop responding. We have Okta timeouts at my workplace so every time the auth times out it will ask again for authorization.

Is there a way to turn off Kubernetes if I don't need it? It would be great to either have that option, or to be able to just install the parts that we need (i.e., I only need Apigee, so I should just be able to install the Apigee portion of the plugin).

glouischandra commented 1 year ago

Hi @cygnus8595, currently we don't have fragmented parts for the extension. You can try unchecking the k8s explorer in

[image]

and see if that stops the kubeconfig call.

cygnus8595 commented 1 year ago

I already did that and it’s still calling for the kubeconfig. Sorry I’m off work for this week so I may not be able to get you my config until next week.

glouischandra commented 1 year ago

I see, we'll do more investigation from our side too. Yes, the redacted kubeconfig will help with debugging, when you have the chance. Thanks!

cygnus8595 commented 1 year ago

config_redacted.txt

Here is the redacted kubeconfig

glouischandra commented 1 year ago

Hi @cygnus8595, the aws-okta is what's pushing the Okta notification, it seems. Not sure if that CLI/binary has caching built in to not keep prompting you to log in, but when we're reading the kubeconfig we ask for that executable. I'll file a feature request to not initiate the kubeconfig read if the k8s explorer is being consciously disabled/hidden.
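
Added example, not part of the original thread and not Cloud Code's own code: a stdlib-only audit that lists which kubeconfig contexts are backed by an exec credential plugin, i.e. which ones make an external binary such as aws-okta run whenever a client asks for credentials. It assumes the aws-okta call sits in a `users[].user.exec` entry and that the input is JSON as produced by `kubectl config view -o json`; the sample config, profile name and cluster names are constructed.

```python
import json

# Constructed sample shaped like `kubectl config view -o json` output
# (not the reporter's redacted file).
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "prod",
    "contexts": [
        {"name": "prod", "context": {"cluster": "prod-eks", "user": "prod-okta"}},
        {"name": "dev", "context": {"cluster": "dev-local", "user": "dev-cert"}},
    ],
    "users": [
        {"name": "prod-okta", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "aws-okta",
            "args": ["exec", "example-profile", "--", "aws", "eks", "get-token",
                     "--cluster-name", "prod-eks"],
        }}},
        {"name": "dev-cert", "user": {"client-certificate": "/path/to/dev.crt",
                                      "client-key": "/path/to/dev.key"}},
    ],
})


def exec_backed_contexts(kubeconfig_json):
    """Return [(context, user, command, args)] for contexts whose user runs an exec plugin."""
    cfg = json.loads(kubeconfig_json)
    plugins = {}
    for entry in cfg.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if exec_cfg and exec_cfg.get("command"):
            plugins[entry["name"]] = (exec_cfg["command"], exec_cfg.get("args") or [])
    findings = []
    for ctx in cfg.get("contexts") or []:
        user = (ctx.get("context") or {}).get("user")
        if user in plugins:
            command, args = plugins[user]
            findings.append((ctx["name"], user, command, list(args)))
    return findings


if __name__ == "__main__":
    for name, user, command, args in exec_backed_contexts(SAMPLE_KUBECONFIG):
        print(f"context={name} user={user} runs: {command} {' '.join(args)}")
```

Contexts reported here are the ones to move into a separate kubeconfig file (selected via `KUBECONFIG`) if a tool enumerating clusters should not trigger MFA pushes.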

cygnus8595 commented 1 year ago

Thanks! That would be great to not read the kubeconfig when hidden. I appreciate your help on this!