Notable changes to this project will be documented in this file. The format is based on Keep a Changelog. Kubeclient release versioning follows SemVer.
- Add test coverage for Ruby 3.2 (#615)
- Allow a region when getting a signer for Aws::Sts (#507)
- Update the AWS STS endpoint to be regional as the method is now regional (#528)
- Assume role support for aws eks credentials (#630)
- [v4.y] Regenerated expired test TLS certs by running
test/config/update_certs_k0s.rb
. - [v4.y] Regenerated expired test TLS certs (#611)
- Regenerated expired test TLS certs (#632)
- Update actions/checkout (#590)
- chore(deps): update actions/checkout action to v4 (#619)
- Dropped support for EOL Ruby versions 2.5, 2.6. (#589)
-
Relaxed dependency on
http
gem (used for watches) to allow 5.y.z versions. (#589)- Specifically, http 5.1.1 may fix issues watching with IPv6. (#585)
- Dropped debug logging about bearer token options that was added in 4.10.0. (#577)
-
When using
:bearer_token_file
, re-read the file on every request. (#566 closed #561)Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature to beta and enabled it by default, so standard in-cluster auth now uses short-lived tokens.
This changes allows a long-lived
Client
object to keep working when the token file gets rotated. It's not optimized at all, if you feel the performance overhead, please report!
-
VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA (normal situation for production clusters with public domain and certificate!),
Config
was returning ssl_options[:verify_ssl] hard-coded toVERIFY_NONE
:-(Assuming you passed those ssl_options to Kubeclient::Client, this means that instead of checking server's certificate against your system CA store, it would accept ANY certificate, allowing easy man-in-the middle attacks.
This is especially dangerous with user/password or token credentials because MITM attacker could simply steal those credentials to the cluster and do anything you could do on the cluster.
This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
Kubeclient::Config
was created.#554.
-
Bug fix: kubeconfig
insecure-skip-tls-verify
field was ignored. When kubeconfig did define custom CA,Config
was returning hard-codedVERIFY_PEER
.Now we honor it, return
VERIFY_NONE
iff kubeconfig has explicitinsecure-skip-tls-verify: true
, otherwiseVERIFY_PEER
.#555.
-
Config
: fixed parsing ofcertificate-authority
file containing concatenation of several certificates. Previously, server's cert was checked against only first CA cert, resulting in possible "certificate verify failed" errors.An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA itself is signed by another custom CA. But also helps when you simply concatenate independent certs. (#461, #552)
- Still broken (#460): inline
certificate-authority-data
is still parsed usingadd_cert
method that handles only one cert.
- Still broken (#460): inline
These don't affect code that supplies Client
parameters directly,
only code that uses Config
.
- Ruby 3.0 compatibility (#500, #505).
- Reduce .gem size by dropping test/ directory, it's useless at run time (#502).
- Now should work with apiserver deployed not at root of domain but a sub-path,
which is standard with Rancher.
Notably,
create_...
methods were sending bad apiVersion and getting 400 error. (#457, hopefully fixes #318, #418 and https://gitlab.com/gitlab-org/gitlab/-/issues/22043)
- Support for
user: exec
credential plugins using TLS client auth (#453)
- Support for server-side apply (#448).
- Declared forgotten dependency on jsonpath, needed for
gcp
provider withcmd-path
(#450).
- Ruby 2.7 compatibility: bumped minimum recursive-open-struct to one that works on 2.7 (#439).
- Ruby 2.7 warnings (#433, #438).
- Improved watch documentation, including behavior planned to change in 5.0.0 (#436).
- Google Application Default Credentials: Added
userinfo.email
to requested scopes, which is necessary for RBAC policies (#441).
- AmazonEksCredentials was sometimes leaving base64 padding that IAM auth of the EKS cluster rejects. Now padding is always stripped. (#424, #423)
-
Allow calling
watch_foos
methods with a block, simpler to use and guarantees closing the connection. (#425) -
Support
limitBytes
query parameter forget_pod_log
. (#426)
-
Support
:resourceVersion
parameter inget_foos
methods (similar to existing support inwatch_foos
methods). (#420) -
Relax dependency on
http
gem to allow both 3.x and 4.x. (#413)
- GCP configs with
user[auth-provider][name] == 'gcp'
will execute credential plugin (normally thegcloud config config-helper
subcommand) when the config specifies it incmd-path
,cmd-args
fields (similar toexec
support). This code path works withoutgoogleauth
gem. Otherwise,GoogleApplicationDefaultCredentials
path will be tried as before. (#410) AmazonEksCredentials
helper for obtaining a token to authenticate against Amazon EKS. This is not currently integrated inConfig
, you will need to invoke it yourself. You'll need some aws gems that Kubeclient does not include. (#404, #406)
- OpenID Connect tokens which cannot be validaded because we cannot identify the key they were signed with will be considered expired and refreshed as usual. (#407)
GoogleApplicationDefaultCredentials
will now automatically be used byConfig
if theuser[auth-provider][name] == 'gcp'
in the provided context. Note thatuser[exec]
is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient does not include the requiredgoogleauth
gem, so you will need to include it in your calling application. (#394)
-
OpenID Connect credentials will automatically be used if the
user[auth-provider][name] == 'oidc'
in the provided context. Note thatuser[exec]
is checked first. Kubeclient does not include the requiredopenid_connect
gem, so you will need to include it in your calling application. (#396) -
Support for
json_patch_#{entity}
andmerge_patch_#{entity}
.patch_#{entity}
will continue to use strategic merge patch. (#390)
- New
http_max_redirects
option (#374).
- Default max redirects for watch increased from 4 to 10, to match other verbs (#374).
- For resources that contain dashes in name, there will be an attempt to resolve the method name based on singular name prefix or by replacing the dash in names with underscores (#383).
- Support
user: exec: ...
credential plugins like in Go client (#363, #375).
-
Really made
Kubeclient::Config.new(data, nil)
prevent external file lookups. (#372) README documented this since 3.1.1 (#334) but alas that was a lie — absolute paths always worked. Now this also prevents credential plugin execution.Even in this mode, using config from untrusted sources is not recommended.
This release included all changes up to 4.1.1, but NOT 4.1.2 which was branched off later (4.2.1 does include same fix).
- For resources that contain dashes in name, there will be an attempt to resolve the method name based on singular name prefix or by replacing the dash in names with underscores (#382).
- Fixed method names for non-suffix plurals such as y -> ies (#377).
This version broke method names where plural is not just adding a suffix, notably y -> ies (bug #376).
- Support custom resources with lowercase
kind
(#361). create_security_context_constraint
now works (#366).get_security_context_constraints.kind
,get_endpoints.kind
are now plural as in kubernetes (#366).
- Add support for retrieving large lists of objects in chunks (#356).
- Bumped officially supported kubernetes versions to >= 1.3.
- Specifically
proxy_url
no longer works for <= 1.2 (#323).
proxy_url
now works for kubernetes 1.10 and later (#323).
- Switched
http
gem dependency from 2.y to 3.y (#321).
- Fixed
Kubeclient::Config.read
regression, no longer crashes on YAML timestamps (#338).
In this version Kubeclient::Config.read
raises Psych::DisallowedClass on legal yaml configs containing a timestamp, for example gcp access-token expiry (bug #337).
-
Changed
Kubeclient::Config.read
to useYAML.safe_load
(#334).Previously, could deserialize arbitrary ruby classes. The risk depends on ruby classes available in the application; sometimes a class may have side effects - up to arbitrary code execution - when instantiated and/or built up with
x[key] = value
during YAML parsing.Despite this fix, using config from untrusted sources is not recommended.
- Fixed watch
.finish
sometimes causedHTTP::ConnectionError
exception from the reading loop (#315).
get_pod_log
now hastimestamps
,since_time
(#319) andtail_lines
(#326) params.Kubeclient::Config::Context#namespace
now set, if present in kubeconfig file (#308).- Improved README directions for authenticating within a kubernetes cluster (#316).
Kubeclient::GoogleApplicationDefaultCredentials
helper for Google application default credentials (#213). Needsgoogleauth
gem.- New
as: :parsed
andas: :parsed_symbolized
formats (#306). - Allow setting default
as:
format for the whole client (#299, #305). - Relaxed
recursive-open-struct
dependency to allow 1.1+ as well (#313).
- Dropped entity classes (
Kubeclient::Pod
etc.), onlyKubeclient::Resource
exists now (#292, #288). - Ruby 2.0, 2.1 no longer supported (#253, #291).
- Added missing singular
get_security_context_constraint
, fixedget_security_context_constraints
to mean plural (#261). - Fixed
@http_proxy_uri
undefined warning (#261). - Documentation fixes & improvements (#225, #229, #243, #296).
delete_options:
parameter todelete_*
methods, useful for cascade delete (#267).as: :raw
option for watch (#285).- Now raises
Kubeclient::HttpError
. RescuingKubeException
still works but is deprecated. (#195, #288)- 404 error raise
Kubeclient::ResourceNotFoundError
, a subclass ofHttpError
(#233).
- 404 error raise
- Include request info in exception message (#221).
- Ruby 2.4 and 2.5 are now supported & tested (#247, #295).
Kubeclient::Config#context(nonexistent_context_name)
raisesKeyError
instead ofRuntimeError
.update_*
,delete_*
,patch_*
now all returnRecursiveOpenStruct
consistently (#290).- Many dependencies bumped (#204, #231, #253, #269).
- Watch results are now
RecursiveOpenStruct
inside arrays too (#279). - Fixed watch
.finish
sometimes causedErrno::EBADF
exception from the reading loop (#280). - Easing dependency version (#287, #301)
No changes since 2.5.0, fixed packaging mistake.
as: raw
option forget_*
methods returning a string (#262 via #271).