search

kontena / k8s-client

Ruby Kubernetes API client
Apache License 2.0
76 stars 26 forks source link

Implement user.exec auth support #114

Closed jakolehm closed 5 years ago

jakolehm commented 5 years ago

PR implements support for:

users:
- name: my-user
  user:
    exec:
      # Command to execute. Required.
      command: "example-client-go-exec-plugin"

      # API version to use when decoding the ExecCredentials resource. Required.
      #
      # The API version returned by the plugin MUST match the version listed here.
      #
      # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1),
      # set an environment variable or pass an argument to the tool that indicates which version the exec plugin expects.
      apiVersion: "client.authentication.k8s.io/v1beta1"

      # Environment variables to set when executing the plugin. Optional.
      env:
      - name: "FOO"
        value: "bar"

      # Arguments to pass when executing the plugin. Optional.
      args:
      - "arg1"
      - "arg2"
kke commented 5 years ago

Seems a bit dangerous, maybe there could be an option to enable?

jakolehm commented 5 years ago

Seems a bit dangerous, maybe there could be an option to enable?

Wanna explain more? 😄 This is part of the kubeconfig spec, nothing we can really do here (other than support it).

kke commented 5 years ago

Wanna explain more? 😄 This is part of the kubeconfig spec, nothing we can really do here (other than support it).

If someone uses k8s-client to implement something that takes a config, it may be a surprise that the client executes arbitary commands from that config, maybe not, maybe mention in yardoc/readme.