rajatjindal / kubectl-whoami

This plugin gets the subject name using the effective kubeconfig
Apache License 2.0
120 stars 14 forks

Print subject in case of x509 client cert auth #10

Closed olivierlemasle closed 2 years ago

olivierlemasle commented 3 years ago

Print subject in case of x509 client cert auth, instead of kubecfg:certauth:admin.

Fixes #9

As an example, I chose to simply print the client certificate subject.

Example

$ kubectl-whoami
CN=kubernetes-admin,O=system:masters

But I'm ok with any other format; please tell me your preference.

rajatjindal commented 3 years ago

many thanks for the PR. i will try this out once and merge as soon as i verify.

rajatjindal commented 3 years ago

at this moment, the plugin prints only the username and not the groups for any other auth type. so I think printing just the CN should be enough to be consistent.

what do you think?

olivierlemasle commented 3 years ago

> what do you think?

I think it's time to print the groups for all authentication types where it's possible :smiley:

More seriously, yes, printing the username only is more consistent with the other authentication types. If you want, I'll update the PR.

It all depends on what you want kubectl-whoami to be; which use case(s) you want to address. For me, listing the groups you belong to is very important because if you need to request more permissions from your cluster administrator, he will want to add a [Cluster]RoleBinding to one of your groups.

What use case did you have in mind when creating this plugin?

Also, it is possible to keep the existing (print the username only, including for x509), and have a new flag to enable group printing. What do you think of that?

rajatjindal commented 3 years ago

it was supposed to be like linux whoami when i was implementing this plugin.

the reason i am thinking to keep this at just userinfo is because it can get really complicated for other auth types, and there are other awesome kubectl plugins to visualize that e.g. https://github.com/corneliusweig/rakkess

olivierlemasle commented 3 years ago

Ok, I've updated the PR to print only the username.

However, I still think it would be great to optionally print the groups as well, at least for authentication types where it's simple (x509 certificates, OIDC, Webhook):

olivierlemasle commented 2 years ago

@rajatjindal Any news?

rajatjindal commented 2 years ago

thanks for the PR.

olivierlemasle commented 2 years ago

Thanks for merging!