felixfbecker / PSKubectl

kubectl with the power of the object pipeline
MIT License

Command based token support #54

Open macat opened 5 years ago

macat commented 5 years ago

AWS EKS relies on getting the user token from the aws eks get-token command.

In the ~/.kubectl/config:

users:
- name: arn:aws:eks:us-east-1:ID:cluster/clustertname
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - clustername
      command: aws

PSKubectl does not pick up the user configured by AWS and it defaults to "system:anonymous".

Also, when I use Use-KubeContext <contextname>, it deletes the exec block from the config.

Is there a way to make this work, or does it require changes in the kube client? I was trying to trace how this config gets picked up, but didn't get too far.

felixfbecker commented 5 years ago

This only needs support in https://github.com/tintoy/dotnet-kube-client cc @tintoy

felixfbecker commented 5 years ago

Also interesting: the GCP auth is command-based too, but works:

- name: gke_sourcegraph-dev_us-central1-f_dot-com
  user:
    auth-provider:
      config:
        access-token: REDACTED
        cmd-args: config config-helper --format=json
        cmd-path: /Users/felix/google-cloud-sdk/bin/gcloud
        expiry: "2019-09-21T02:28:54Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

tintoy commented 5 years ago

Interesting - I’ll take a look at this first thing tomorrow; not sure why one works and the other does not 🤔

tintoy commented 5 years ago

Ah, I see - client-go credential plugins are a relatively recent feature, and KubeClient's models for ~/.kube/config do not cover that yet (only the older auth-provider model).

It may take a couple of days to implement given that the plugin output format is a little different than the old auth-provider model.
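
The difference between the two models discussed above, as an added example that is not part of the thread and is not KubeClient or PSKubectl code: an `exec` plugin prints an `ExecCredential` object with the token at `status.token`, while the `auth-provider` entry names the keys to read from the helper's output. The sample stdout values, `fake_run`, `walk_key` and `credential_for` are assumptions made for illustration; the user entries mirror the two snippets posted earlier.

```python
import json

# Constructed stdout samples (placeholder tokens) in the two shapes the thread contrasts.
EXEC_STDOUT = json.dumps({
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1alpha1",
    "status": {"token": "CONSTRUCTED-EKS-TOKEN",
               "expirationTimestamp": "2019-09-21T02:28:54Z"}})
GCP_STDOUT = json.dumps({
    "credential": {"access_token": "CONSTRUCTED-GKE-TOKEN",
                   "token_expiry": "2019-09-21T02:28:54Z"}})

# User entries mirroring the two kubeconfig snippets posted in the thread.
EKS_USER = {"exec": {"apiVersion": "client.authentication.k8s.io/v1alpha1",
                     "command": "aws",
                     "args": ["--region", "us-east-1", "eks", "get-token",
                              "--cluster-name", "clustername"]}}
GKE_USER = {"auth-provider": {"name": "gcp", "config": {
    "cmd-path": "/Users/felix/google-cloud-sdk/bin/gcloud",
    "cmd-args": "config config-helper --format=json",
    "token-key": "{.credential.access_token}",
    "expiry-key": "{.credential.token_expiry}"}}}

def fake_run(argv):
    """Hypothetical stand-in for spawning argv; returns canned stdout."""
    return EXEC_STDOUT if argv[0] == "aws" else GCP_STDOUT

def walk_key(doc, expr):
    """Resolve the simple '{.a.b}' key form used by token-key/expiry-key."""
    for part in expr.strip("{}").strip(".").split("."):
        doc = doc[part]
    return doc

def credential_for(user, run=fake_run):
    """Return (token, expiry) for a kubeconfig user entry, or raise."""
    if "exec" in user:  # credential plugin: token is at status.token
        spec = user["exec"]
        out = json.loads(run([spec["command"], *spec.get("args", [])]))
        token = out.get("status", {}).get("token")
        if out.get("kind") != "ExecCredential" or not token:
            raise ValueError("exec plugin returned no ExecCredential token")
        return token, out["status"].get("expirationTimestamp")
    if "auth-provider" in user:  # older model: config names where the token is
        cfg = user["auth-provider"]["config"]
        out = json.loads(run([cfg["cmd-path"], *cfg["cmd-args"].split()]))
        return walk_key(out, cfg["token-key"]), walk_key(out, cfg["expiry-key"])
    if "token" in user:  # static bearer token
        return user["token"], None
    # Fail closed instead of sending an unauthenticated (system:anonymous) request.
    raise ValueError("no supported credential source in user entry")
```

Raising on an unrecognised user entry surfaces the unsupported auth method at the client, rather than as a `system:anonymous` Forbidden response from the API server.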

rohancragg commented 4 years ago

Using v 0.13.0 on Windows 10, with an AKS cluster with AAD integration (i.e. kubectl commands prompt for MS devicelogin flow for auth)

I get errors trying to execute any commands (such as Get-KubeResource)

I assume this is related to this issue? Is there a workaround in the meantime?

tintoy commented 4 years ago

Hi - can you post the errors you’re seeing so I can confirm it’s the same issue?

rohancragg commented 4 years ago

> Hi - can you post the errors you’re seeing so I can confirm it’s the same issue?

Get-KubeResource : Argument cannot be null, empty, or entirely composed of whitespace: 'accessTokenCommand'.
Parameter name: accessTokenCommand
At line:1 char:1
+ Get-KubeResource Pod
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-KubeResource], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Kubectl.Cmdlets.GetKubeResourceCmdlet

StephenDrewLDS commented 3 years ago

I have the same...kubectl works fine but I get this:

PS C:\Program Files\PowerShell\7> Get-KubePod -namespace dev *back*
Get-KubePod: Unable to list Pod (v1) resources (HTTP status Forbidden).
Forbidden: pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" in the namespace "dev"