rajatjindal / kubectl-whoami

This plugin gets the subject name using the effective kubeconfig
Apache License 2.0
120 stars 14 forks

add support for auth providers #4

Closed rajatjindal closed 4 years ago

rajatjindal commented 4 years ago

requesting review from @ahmetb

ahmetb commented 4 years ago

I'm confident this is not how it's supposed to work. You should be just doing `import _ "k8s.io/client-go/plugin/pkg/client/auth"`.

There's no guarantee that

  1. access-token will exist on gcp auth section (i.e. first-time use)
  2. access-token will be valid (i.e. long-time no use)

I highly discourage this approach.

rajatjindal commented 4 years ago

Hi Ahmet

thanks for your feedback. I've already imported auth as you suggested, but it's still an issue (with the current implementation).

The problem is that we need the 'token' being used in the request in order to use the TokenReviewRequest API. I am trying to get it by injecting a custom http.RoundTripper now.

is there a way to retrieve the effective token used in the request using client-go?

rajatjindal commented 4 years ago

Hi Ahmet,

thanks for your valuable feedback. I've tried a different approach to make it work. Please let me know what you think about it.

Also, following are the results of some tests I did with this new approach:

With valid gcp token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
rajatjindal83@gmail.com
```

With invalid gcp token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
Error: Unauthorized
exit status 1
```

With minikube basic auth:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context default
kubecfg:basicauth:admin
```

With cert auth:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context minikube
kubecfg:certauth:admin
```

With valid service account token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.….DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A --context minikube
system:serviceaccount:kube-system:replicaset-controller
```

With token of wrong cluster:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.….DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A
Unauthorized
Error: Unauthorized
exit status 1
```

With invalid token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.….DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMW --context minikube
Error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
exit status 1
```

ahmetb commented 4 years ago

Please don’t put tokens on the internet like this :)

I think you should take the roundtripper approach and get the token from the header after a successful request. Don’t try to read token from kubeconfig; it won’t work easily.

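The round-tripper approach suggested above, as an added worked example (not code from this PR or from kubectl-whoami, and written against the standard library only so it runs offline without client-go): a wrapper placed inside the credential layer reads the `Authorization` header that layer attached, keeps the bearer token only after the API server accepted the request, and then submits it to the TokenReview API to learn the subject. In client-go the place for such a wrapper is `rest.Config.WrapTransport`, which, as I read `transport.HTTPWrappersForConfig`, wraps the base transport before the bearer-token and auth-provider round trippers are layered on, so the wrapper sees the token the auth provider produced; that ordering is an assumption this example relies on. The names `bearerCapturer`, `staticBearer`, `whoami`, `newFakeAPIServer`, the token strings and the fake API server are all constructed for the example; `staticBearer` stands in for client-go's own auth round tripper, and the fake server stands in for kube-apiserver.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// bearerCapturer records the bearer token that the credential layer outside it
// attached, but only once the API server accepted the request (2xx), so a stale
// or wrong-cluster token is never reported as the caller's identity.
type bearerCapturer struct {
	next  http.RoundTripper
	token string // sequential CLI use, so no locking
}

func (c *bearerCapturer) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := c.next.RoundTrip(req)
	auth := req.Header.Get("Authorization")
	if err == nil && resp.StatusCode/100 == 2 && strings.HasPrefix(auth, "Bearer ") {
		c.token = strings.TrimPrefix(auth, "Bearer ")
	}
	return resp, err
}

// staticBearer is a constructed stand-in for client-go's bearer/auth-provider round tripper.
type staticBearer struct {
	token string
	next  http.RoundTripper
}

func (s staticBearer) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+s.token)
	return s.next.RoundTrip(r)
}

// tokenReview holds the authentication.k8s.io/v1 TokenReview fields used here.
type tokenReview struct {
	Spec   struct{ Token string `json:"token"` } `json:"spec"`
	Status struct {
		Authenticated bool                                   `json:"authenticated"`
		User          struct{ Username string `json:"username"` } `json:"user"`
	} `json:"status"`
}

// whoami sends one probe request so the capturer sees the effective token, then asks
// the API server who that token belongs to. wrap stands in for client-go's auth layer.
func whoami(apiServer string, wrap func(http.RoundTripper) http.RoundTripper) (string, error) {
	capt := &bearerCapturer{next: http.DefaultTransport}
	client := &http.Client{Transport: wrap(capt)}
	resp, err := client.Get(apiServer + "/api")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	if capt.token == "" { // stale token (401), client cert or basic auth: nothing to review
		return "", fmt.Errorf("no accepted bearer token on the wire (probe: %s)", resp.Status)
	}
	body, _ := json.Marshal(map[string]interface{}{"apiVersion": "authentication.k8s.io/v1",
		"kind": "TokenReview", "spec": map[string]string{"token": capt.token}})
	resp, err = client.Post(apiServer+"/apis/authentication.k8s.io/v1/tokenreviews", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr tokenReview
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if !tr.Status.Authenticated {
		return "", fmt.Errorf("token not authenticated by the API server")
	}
	return tr.Status.User.Username, nil
}

// newFakeAPIServer is a constructed stand-in for kube-apiserver: one valid bearer token, TokenReview for it.
func newFakeAPIServer(validToken, username string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
		} else if r.URL.Path != "/apis/authentication.k8s.io/v1/tokenreviews" {
			fmt.Fprint(w, `{"kind":"APIVersions"}`)
		} else {
			var tr tokenReview
			if json.NewDecoder(r.Body).Decode(&tr) == nil && tr.Spec.Token == validToken {
				tr.Status.Authenticated, tr.Status.User.Username = true, username
			}
			json.NewEncoder(w).Encode(tr)
		}
	}))
}

func main() {
	srv := newFakeAPIServer("good-token", "system:serviceaccount:kube-system:replicaset-controller")
	defer srv.Close()
	fmt.Println(whoami(srv.URL, func(rt http.RoundTripper) http.RoundTripper { return staticBearer{"good-token", rt} }))
}
```

With the valid constructed token the probe succeeds, the capturer records it and TokenReview returns the service-account name; with a stale token the probe itself comes back 401, nothing is captured and no review is attempted, which is the behaviour the test output above shows for an expired gcp token. A client-certificate or basic-auth context also leaves the capturer empty, which is where a plugin has to fall back to reading the kubeconfig rather than the wire.
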
rajatjindal commented 4 years ago

:) thanks for the tip, I am usually extra paranoid with credentials.

Also, those tokens are from my minikube cluster which I already deleted, so it should be fine.

(but given how easy it is to make that mistake, thank you again for the reminder not to put tokens on the public internet)

I've updated the PR to use the round-tripper approach. Seems to work fine. If there are no other concerns, I will merge the code and cut a new release.

Thanks again