Add credential-plugin authentication support #15
@svend Thanks for your contributions :) How is it going? (I didn't mean to rush you!)
@ynqa Thanks for checking. This is functional. I don't have the bandwidth to look into automatically refreshing credentials, which would be a more complex change. Do you think the current PR is useful as-is?
@svend Yes, of course! For EKS cluster, this plugin is necessary and I can accept the functions whether it is complex or not. Ref?
@ynqa Thanks. As far as I can tell, this PR is functionally similar to the Python implementation (https://github.com/kubernetes-client/python/pull/619/files). It is possible for an exec token to expire or become invalid, but I don't see the Python code checking Is exec authentication token auto-renewal required, or could that be implemented later? Are there any other changes you would like to see for this PR?
I have rebased my PR and fixed the conflicts. I'll verify that the updated PR works with aws-iam-authenticator (which is what EKS uses).
I successfully tested listing pods for a cluster using aws-iam-authenticator exec plugin with the latest version of this PR. The test code is here: https://github.com/svend/k8s-rust-exec-test Let me know if there are any changes you want to see to the PR.
LGTM! @svend Thanks for your huge contributions!
api rewrite
This adds support for credential-plugin authentication.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
This is used by the Kubernetes AWS IAM authenticator.
https://github.com/kubernetes-sigs/aws-iam-authenticator
I took the data types from here:
https://github.com/kubernetes/client-go/blob/03bfb9bdcfe5482795b999f39ca3ed9ad42ce5bb/pkg/apis/clientauthentication/v1beta1/types.go
There is a timestamp that should probably be converted to a time object. I haven't looked into how the Go client handles refreshing the credentials.
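The timestamp conversion and expiry question raised in this thread, as an added example that is not code from this PR or from the crate: a std-only conversion of the ExecCredential `expirationTimestamp` (RFC 3339) to Unix seconds, with a refresh check that fails closed on a malformed value. The function names, the clock-skew parameter and the sample timestamp are assumptions made for illustration.

```rust
// Added example, std only; function names are hypothetical, not this crate's API.
/// Days since 1970-01-01 for a proleptic Gregorian date.
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let doy = (153 * (if m > 2 { m - 3 } else { m + 9 }) + 2) / 5 + d - 1;
    era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468
}

/// Digits only: `str::parse` alone would also accept a leading `+`.
fn num(s: &str, r: std::ops::Range<usize>) -> Option<i64> {
    let part = s.get(r)?;
    if part.bytes().all(|b| b.is_ascii_digit()) { part.parse().ok() } else { None }
}

/// RFC 3339 to Unix seconds. Day-of-month is only range checked (1..=31).
pub fn rfc3339_to_unix(s: &str) -> Option<i64> {
    let b = s.as_bytes();
    let shape_ok = b.len() >= 20 && b[4] == b'-' && b[7] == b'-'
        && matches!(b[10], b'T' | b't') && b[13] == b':' && b[16] == b':';
    if !shape_ok { return None; }
    let (y, mo, d) = (num(s, 0..4)?, num(s, 5..7)?, num(s, 8..10)?);
    let (h, mi, sec) = (num(s, 11..13)?, num(s, 14..16)?, num(s, 17..19)?);
    if !(1..=12).contains(&mo) || !(1..=31).contains(&d) || h > 23 || mi > 59 || sec > 60 { return None; }
    let mut i = 19; // skip optional fractional seconds
    if b[i] == b'.' { i += 1; while i < b.len() && b[i].is_ascii_digit() { i += 1; } }
    let tz = s.get(i..)?;
    let offset = match tz.as_bytes() {
        [b'Z'] | [b'z'] => 0,
        [sign, _, _, b':', _, _] if matches!(*sign, b'+' | b'-') => {
            let secs = num(tz, 1..3)? * 3600 + num(tz, 4..6)? * 60;
            if *sign == b'-' { -secs } else { secs }
        }
        _ => return None,
    };
    Some(days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec - offset)
}

/// Fails closed: an unparseable expiry means "re-run the plugin", never "valid forever".
pub fn needs_refresh(expiration: Option<&str>, now_unix: i64, skew_secs: i64) -> bool {
    match expiration.map(rfc3339_to_unix) {
        None => false, // no expiry sent: nothing to compare (assumed policy)
        Some(parsed) => parsed.map_or(true, |exp| now_unix + skew_secs >= exp),
    }
}

fn main() {
    println!("{:?}", rfc3339_to_unix("2018-03-05T17:30:20-08:00")); // constructed sample
}
```

A caller would pass the current Unix time and a small skew allowance, and re-run the exec plugin whenever `needs_refresh` returns true.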