Closed rajatjindal closed 4 years ago
I'm confident this is not how it's supposed to work.
You should be just doing import _ "k8s.io/client-go/plugin/pkg/client/auth".
There's no guarantee that
- access-token will exist on gcp auth section (i.e. first-time use)
- access-token will be valid (i.e. long-time no use)
I highly discourage this approach.
Hi Ahmet
thanks for your feedback. I've already imported auth as you suggested, but it's still an issue (with the current implementation).
The prob is that we need 'token' being used in the request to use TokenReviewRequest api. I am trying to get it by injecting a custom http.RoundTripper now.
is there a way to retrieve the effective token used in the request using client-go?
Hi Ahmet,
thanks for your valuable feedback. I've tried a different approach to make it work. Please let me know what you think about it.
Also, following are the results of some tests I did with this new approach:

With valid gcp token:
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
rajatjindal83@gmail.com

With invalid gcp token:
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
Error: Unauthorized
exit status 1

With minikube basic auth:
➜ kubectl-whoami git:(auth-providers) go run main.go --context default
kubecfg:basicauth:admin

With cert auth:
➜ kubectl-whoami git:(auth-providers) go run main.go --context minikube
kubecfg:certauth:admin

With valid service account token:
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.….DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A --context minikube
system:serviceaccount:kube-system:replicaset-controller

With token of wrong cluster:
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJyZXBsaWNhc2V0LWNvbnRyb2xsZXItdG9rZW4tcDVjc3oiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicmVwbGljYXNldC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDk4NmViZmUtOGFlMi00ZDc5LTkyNjYtYWNkZGRiMDIwOGNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOnJlcGxpY2FzZXQtY29udHJvbGxlciJ9.DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A
Unauthorized
Error: Unauthorized
exit status 1

With invalid token:
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.….DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMW --context minikube
Error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
exit status 1
Please don’t put tokens on the internet like this :)
I think you should take the roundtripper approach and get the token from the header after a successful request. Don't try to read the token from the kubeconfig; it won't work easily.
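Added example, not code from the kubectl-whoami PR and not client-go's own code, illustrating the round-tripper approach suggested above (and answering the earlier question of how to retrieve the effective token): a transport wrapper that records the bearer token the auth layer actually placed on the Authorization header, records it only once the API server has accepted the request, and reports nothing for certificate-based auth, which carries no such header. The names bearerRecorder, withBearer, noAuth, effectiveToken and newFakeAPIServer, the fake server and every token value are constructed for this example; the one assumption about client-go is that a wrapper attached with rest.Config.Wrap sits below its auth wrappers and therefore sees the header they set.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// bearerRecorder records the bearer token that the transport chain above it
// put on the Authorization header, but only after the server accepted the
// request (2xx), so a rejected token is never reported as the effective one.
type bearerRecorder struct {
	next  http.RoundTripper
	mu    sync.Mutex
	token string
}

func (r *bearerRecorder) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := r.next.RoundTrip(req)
	if err != nil || resp.StatusCode < 200 || resp.StatusCode >= 300 {
		return resp, err
	}
	// The header was already set by whichever auth wrapper sits above us.
	if v := req.Header.Get("Authorization"); len(v) > 7 && strings.EqualFold(v[:7], "bearer ") {
		r.mu.Lock()
		r.token = strings.TrimSpace(v[7:])
		r.mu.Unlock()
	}
	return resp, nil
}

// Token returns the last token seen on a successful request, or "" if none
// was sent (e.g. client-certificate auth has no Authorization header).
func (r *bearerRecorder) Token() string {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.token
}

type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) { return f(req) }

// withBearer is a constructed stand-in for client-go's bearer-auth wrapper:
// it sets the header on a clone of the request, as the real wrapper does.
func withBearer(token string) func(http.RoundTripper) http.RoundTripper {
	return func(next http.RoundTripper) http.RoundTripper {
		return roundTripFunc(func(req *http.Request) (*http.Response, error) {
			req = req.Clone(req.Context())
			req.Header.Set("Authorization", "Bearer "+token)
			return next.RoundTrip(req)
		})
	}
}

// noAuth models certificate auth from the recorder's point of view: nothing
// touches the Authorization header.
func noAuth(next http.RoundTripper) http.RoundTripper { return next }

// effectiveToken builds the chain auth -> recorder -> base transport, sends
// one request and reports what the recorder saw plus the HTTP status. In
// client-go the recorder would be attached with rest.Config.Wrap (assumed to
// sit below the auth wrappers).
func effectiveToken(serverURL string, auth func(http.RoundTripper) http.RoundTripper) (string, int, error) {
	rec := &bearerRecorder{next: http.DefaultTransport}
	client := &http.Client{Transport: auth(rec)}
	resp, err := client.Get(serverURL + "/api")
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()
	return rec.Token(), resp.StatusCode, nil
}

// newFakeAPIServer is a constructed stand-in for the apiserver: it accepts the
// one valid bearer token, accepts requests with no Authorization header (as if
// a trusted client certificate were presented) and rejects everything else.
func newFakeAPIServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		auth := req.Header.Get("Authorization")
		switch {
		case auth == "", auth == "Bearer "+validToken:
			w.WriteHeader(http.StatusOK)
		default:
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

func main() {
	srv := newFakeAPIServer("constructed-valid-token")
	defer srv.Close()
	cases := map[string]func(http.RoundTripper) http.RoundTripper{
		"valid bearer token":   withBearer("constructed-valid-token"),
		"invalid bearer token": withBearer("constructed-bad-token"),
		"client certificate":   noAuth,
	}
	for name, auth := range cases {
		tok, status, err := effectiveToken(srv.URL, auth)
		// Never print the token itself; report only whether one was captured.
		fmt.Printf("%-20s status=%d captured=%t err=%v\n", name, status, tok != "", err)
	}
}
```

The captured value is what a whoami-style tool would then submit in a TokenReview; keeping it in memory and printing only whether it was captured, as main does, avoids the kind of leak the next comment warns about.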
:) thanks for the tip, I am usually extra paranoid with credentials.
Also those tokens are from my minikube cluster which I already deleted so should be fine.
(but given how easy it is to make that mistake, thank you again for the reminder to not put tokens on the public internet)
I've updated the PR to use the round-tripper approach. Seems to work fine. If there are no other concerns, I will merge the code and cut a new release.
Thanks again
requesting review from @ahmetb