slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

Unable to read auth data from kube config connected to external IAM #513

Open nkuzman opened 1 year ago

nkuzman commented 1 year ago

Expected Behavior

When running slim build on a running container in a k8s cluster, authentication should be successfully read from the kube config.


Actual Behavior

I'm using an external IAM provider for k8s authentication. This is my configuration snapshot:

kind: Config
users:
- name: my-user/{hash}/external.iam.com-id
  user:
    auth-provider:
      config:
        client-id: my-client-id
        client-secret: my-secret
        id-token: {hash}
        refresh-token: {hash}
        idp-issuer-url: https://external.iam.com/id
      name: oidc

When I try to run docker build and connect it to a running container in a k8s cluster, I get an error:

time="2023-04-17T15:03:49+02:00" level=fatal msg="slim: failure" error="no Auth Provider found for name \"oidc\"" stack="goroutine 1 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:24 +0x65\ngithub.com/docker-slim/docker-slim/pkg/util/errutil.FailOn({0x1f2d220, 0xc0000d9bf0})\n\tgithub.com/docker-slim/docker-slim/pkg/util/errutil/errutil.go:32 +0x5e\ngithub.com/docker-slim/docker-slim/pkg/app.(ExecutionContext).FailOn(0x7fffe00a3813?, {0x1f2d220?, 0xc0000d9bf0?})\n\tgithub.com/docker-slim/docker-slim/pkg/app/execontext.go:56 +0x49\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands/build.OnCommand(, , {, }, , {, }, {, _}, {0x0, ...}, ...)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/build/handler.go:217 +0x188d\ngithub.com/docker-slim/docker-slim/pkg/app/master/commands/build.glob..func1(0xc00012b500)\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/commands/build/cli.go:723 +0x56b0\ngithub.com/urfave/cli/v2.(Command).Run(0x2d49240, 0xc00041e7c0)\n\tgithub.com/urfave/cli/v2@v2.3.0/command.go:163 +0x5dc\ngithub.com/urfave/cli/v2.(App).RunContext(0xc000182b60, {0x1f46a50?, 0xc000136000}, {0xc00012c000, 0x8, 0x8})\n\tgithub.com/urfave/cli/v2@v2.3.0/app.go:313 +0xb7d\ngithub.com/urfave/cli/v2.(App).Run(...)\n\tgithub.com/urfave/cli/v2@v2.3.0/app.go:224\ngithub.com/docker-slim/docker-slim/pkg/app/master.Run()\n\tgithub.com/docker-slim/docker-slim/pkg/app/master/app.go:15 +0x46\nmain.main()\n\tgithub.com/docker-slim/docker-slim/cmd/slim/main.go:15 +0x18e\n" version="linux|Transformer|1.40.1|9c5e69ab1fd4564b0a5426d47be038155e63e4c1|2023-04-05_11:22:53PM"

Build command I'm using: docker-slim build --tag my-slim-image --target-kube-workload deployment/my-workload --target-kube-workload-namespace my-namespace


Steps to Reproduce the Problem

  1. Set an external IAM configuration in the kube config
  2. Run slim build on a container running in a k8s cluster using external IAM

Specifications

kcq commented 1 year ago

Thanks for opening the issue @nkuzman! This will be a nice enhancement. The current k8s runtime capabilities are still very basic/experimental. Still a ways to go before it's feature complete enough :-)
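
To check ahead of time whether a kubeconfig will run into the `no Auth Provider found for name "oidc"` failure reported above, the Go sketch below lists the users that depend on an `auth-provider` stanza and names the credential-bearing keys they set, so those can be redacted before the config is pasted into a report. It is an added example, not code from the slim project or from this thread. It assumes the config is supplied in JSON form (for instance from `kubectl config view --raw -o json`); `AuthProviderUsers`, `Finding` and the sample data are hypothetical names and constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (placeholder values): the issue's user entry in JSON form, plus a token user.
const sampleKubeconfig = `{"users":[{"name":"my-user/{hash}/external.iam.com-id","user":
 {"auth-provider":{"name":"oidc","config":{"client-id":"my-client-id","client-secret":"X",
 "id-token":"X","refresh-token":"X","idp-issuer-url":"https://external.iam.com/id"}}}},
 {"name":"ci-bot","user":{"token":"X"}}]}`

type authProvider struct{ Name string; Config map[string]string }
type kubeconfig struct {
	Users []struct {
		Name string
		User struct {
			AuthProvider *authProvider `json:"auth-provider"`
		}
	}
}

// Finding is a user tied to an auth-provider; SecretKeys holds key names, never values.
type Finding struct{ User, Provider string; SecretKeys []string }
var secretKeys = []string{"client-secret", "id-token", "refresh-token"} // keys from the issue's oidc config

// AuthProviderUsers lists users that a client lacking the named provider cannot use.
func AuthProviderUsers(raw []byte) ([]Finding, error) {
	var kc kubeconfig
	if err := json.Unmarshal(raw, &kc); err != nil {
		return nil, fmt.Errorf("parse kubeconfig JSON: %w", err)
	}
	var out []Finding
	for _, u := range kc.Users {
		if ap := u.User.AuthProvider; ap != nil { // nil: token, cert or exec user
			f := Finding{User: u.Name, Provider: ap.Name}
			for _, k := range secretKeys {
				if ap.Config[k] != "" {
					f.SecretKeys = append(f.SecretKeys, k)
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

func main() { fmt.Println(AuthProviderUsers([]byte(sampleKubeconfig))) }
```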