Support kube config user exec for EKS

[steinnes]

What?

This PR adds support for executing client-go credential plugins as defined in the user.exec section of a local kubernetes config. This implementation only supports the retrieval of a bearer token, not the PEM-encoded client certificate and key used with TLS auth. See: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins for more details.

Why?

The "Getting Started" EKS guide on Amazon suggests using the heptio aws authenticator as a client credential plugin. Unless another authentication method is configured, that would leave pykube unable to work with EKS clusters.

[steinnes]

This is very rudimentary, but should be easy to refactor to support more ways of exec-ing to get k8s auth tokens.

[jheiss]

It doesn't look like it would take too much more work to make this support the full credential plugin spec for tokens?

[steinnes]

Yes, I imagine so, but I didn't look up the spec when I built this. I'm perfectly willing to take a look at the spec and see if I can make this a bit more generic and cleaner. Could you point me in the right direction to find it? :-)

[jheiss]

😆 https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

[steinnes]

I made this a bit more generic and hopefully easier to extend. I tried not to make too many opinionated changes to the codebase, that means the auth plugin exec code lives in pykube.http at the moment.

@brosner could you take a look and give me some feedback? I'd be happy to reorganize/refactor to fit your overall design for the project :-)

[jakobant]

Is there a plan to merge and release this soon?

[steinnes]

I'm about to move to EKS for our clusters, any feedback which can help get this feature merged? @brosner ? :-)