proposal: external client-go auth providers

[ericchiang]

Updates kubernetes/kubernetes#55968
Updates kubernetes/kubernetes#14362

cc @kubernetes/sig-auth-proposals
cc @mattmoyer
cc @ericavonb

[liggitt]

@kubernetes/sig-cli-proposals

[liggitt]

@kubernetes/sig-api-machinery-proposals for client-go

[liggitt]

is this called just once at process start?

[ericchiang]

Yes, but it can still instrument or wrap the transport. Will add a comment.

[ericavonb]

In terms of encouraging good behaviors, does having an exec option encourage providers to bypass greater user transparency, cross-compatibility and standardization via plugging in some executable? As opposed to making their auth compatible with OIDC or something (assuming client-go/kubectl handles tokens and refreshing them properly)

[ericchiang]

I've seen more people willing to wrap kubectl then implement OIDC (or ask their IdP to implement OIDC). The goal of this feature is to ensure users use kubectl the same way, which I think is worth the trade-off.

I still think there's still incentive to implement an open standard to not require an exec plugin. I even floated the idea of a "generic oauth2" provider a while back kubernetes/kubernetes#35530 (comment)

[nckturner]

Long story short, for EKS we would very much appreciate not having to conform to OIDC and being able to exec a binary (specifically heptio authenticator).

[ericavonb]

If Exec and (Name,Config) are mutually exclusive, would it make more sense to move the Exec config up a level to AuthInfo instead? It makes some sense to me to add a "dynamic" token (or cert) option along side Token and TokenFile.

I don't mean to over complicate the issue, it just seems a bit complicated from a user's perspective. It would make more sense to me if either this were its own named auth provider (e.g. Name: "exec"), moved out of the auth provider section, or allowed to specify a named auth provider as well with some sort of defined login on how that case is handled.

[ericchiang]

Agreed this is an awkward place. I'll move it a level up.

[ericchiang]

Addressed

[ericavonb]

This seems like a related but separate change from the executable plugin. It is not necessary to break it out into its own proposal but I wanted to note that one does not block the other from moving forward.

[ericchiang]

Thanks, added a comment.

[nckturner]

Just wanted to call out that we would like to be able to use this for kube-proxy and kubelet as well, to authenticate nodes with AWS IAM credentials.

[ericchiang]

Can you expand a little on that? Why would you want to give kube-proxy IAM credentials to talk to the API server instead of a regular service account?

[liggitt]

if it's supported by client-go, then kubeproxy and kubelet would pick it up automatically (though kubelet would not be able to take advantage of the nodeauthorizer/noderestriction components unless an IAM-to-node-name mapping could be determined)

[mikedanese]

The stress on kubectl in this proposal is a bit misleading. The change would necessarily be in client-go, thus supported by any component that installs the plugin. Why call out kubectl in the title? Why not just discuss kubectl specifically in the login section?

[ericchiang]

Why call out kubectl?

Most of the use cases I was thinking about were about kubectl users. But you're right this should be more general to client-go.

[nckturner]

@ericchiang, our node identity is essentially IAM credentials that are present on the node, so it makes sense to us to use those directly for authentication. If its already in client-go, why not use it?

[nckturner]

@liggitt Right, the heptio authenticator provides the ability to map IAM role to node name.

[liggitt]

@liggitt Right, the heptio authenticator provides the ability to map IAM role to node name.

ah, great

[ccojocar]

Please define the format (including version) of the output generated by the authenticator tool.

[ccojocar]

I am a bit concern about the complexity which this approach will bring, that I my opinion shades the benefits. The kubectl is currently self-contained and can be easily installed. One will need to install and to configure an additional authenticator tool in multiple machines maybe with different operating systems. Also there are case when people uses parallel cloud providers, they will need to install an additional tool for each of them. I imagine that the authenticator will require its own configuration separated from kubectl.

From security perspective, it will get more complicated to secure the entire setup. An attacker can leverage in certain scenarios (e.g wrong permissions + client credential flow) the authenticator tool to get access to the entire cluster.

[ericchiang]

I don't think having every IdP integration compiled into kubectl is going to scale. This is in-line with other efforts around kubernetes/kubernetes to move cloud provider, or other kind of external project specific integrations, out of core in favor of extension points.

Additionally, sig-auth often doesn't have the expertise to maintain or comment on the security soundness of integrations with system's we're not familiar with. There are trade-offs, but I don't think today's situation is a good place for these plugins.

There's a bigger conversation here about what to do with the existing in-tree plugins, but I think that's going to have to come after we introduce an extension point.

[ccojocar]

It sounds good. Hopefully the use will not be overwhelm by the number of external authenticators.

[ccojocar]

The format of the output must be defined to ensure interoperability between kubectl/client-go and the external authenticator. I guess a JSON schema with a version would be sufficient. This could prevent cases when the authentication could be broken by a change on the kubectl/client-go side.

[mikedanese]

Alternatively we support jsonpath and integrator define their own scheme. I'm not sure if it's better but we do this in the gcp plugin today: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go#L77-L84

[ericchiang]

I think @cosmincojocar is talking about using a structured, versioned API so we can ask for additional data beside the credentials in the future.

Do we really need versioned output? Do we expect the tool to pass things like expiry to us? I expected just printing the bearer token to be sufficient. We expect some of these tools to not know anything about kubectl.

If we don't go with a structured stdout API, I'd be in favor of some way of parsing the output like jsonpath.

[ccojocar]

Or maybe get directly in the output a base64 encoded JWT.

[ccojocar]

Do you plan to cache the token on kubectl/client-go side and invoke the external authenticator only when the token is about to expire? Or do you want to invoke the external authenticator every time a token is required?

I think, the authenticator can persist its tokens in a file after the initial authentication, especially in the case when the refresh token is supported. It can execute later on only the refresh flow when the token is close to the expiration.

I suspect that there are authenticators which do not support the refresh flow (e.g. client credentials). In that case it will request a new token from IdP instead of refresh it. Also in this case a sort of caching will be helpful in order to avoid overwhelming the IdP.

I know that these details are up to the authenticator implementation, but they will have an impact in the kubectl/client-go performance and reliability.

[ericavonb]

For kubectl, I'd rather leave it up to the external authenticator to handle persisting tokens in a file. Some might not want the token to be saved to disk or need other special handling for their credentials.

There's room for better cache/refresh handling in general but I don't think it needs to be directly coupled to this change.

[ericchiang]

Added some comments on why we went for an unversioned output.

[ccojocar]

This is not required if the refresh token login is built into the plugin. For instance Azure Active Directory plugin does this without any external wrapping see: https://github.com/kubernetes/client-go/blob/1b75876d45719a84085528ee621939b0c68a4b85/plugin/pkg/client/auth/azure/azure.go#L276

[ericavonb]

We would like to be able to support refreshing credentials for additional providers who do not have a plugin compiled in. It's not feasible to require every new provider or enterprise with custom tooling to submit a PR to kubernetes and we would like to discourage forking or wrapping kubectl in an alias as is often currently done. (not to say this proposal is not the only solution to this problem)

[ccojocar]

How would you distinguish between the cases when the authenticator process hangs or waits for the user input (e.g. interactive flow)? I guess a sort of execution timeout of the subprocess is required. On the other hand, kubectl has more control over this in case of a plugin.

[ericchiang]

I'd like to start with the subprocess implementing this logic and present appropriate feedback.

If this is interactive, the user will likely CTRL+c the execution anyway.

[ericchiang]

Made this clear.

[perotinus]

/cc @perotinus

I'm interested in following along with this for the cluster registry. We had discussed using the cluster registry to provide a way to bootstrap kubectl with credentials, so I'd like to make sure we can integrate with this proposal in a reasonable way.

[perotinus]

/uncc @perotinus

[ericchiang]

Proposal updated to address feedback.

[ericavonb]

nit: s/kind/kinds/

[ericavonb]

my review probably doesn't mean anything formally, but lgtm! 😄

[ericchiang]

Just realized that this section conflicts with the login section. They both need to read from stdin. I need to remove it.

[Frusty]

Is there any way today to use kubectl to write below config into ~/.kube/config?