Load of users with client-certificate and client-key paths

Question

Load of users with client-certificate and client-key paths

hirishh opened this issue 2 years ago · comments

Hello all,

I was playing with the official python and c library and there is a difference in how the kubeconfig is loaded.

For example if we have a kubeconfig like this:

users:
- name: userA
  user:
    client-certificate-data: LS0tLS1C...S0tCg==
    client-key-data: LS0tLS1CRU...LQo=
- name: userB
  user:
    client-certificate: /path/to/client.crt
    client-key: /path/to/client.key

The python lib is able to load both users, instead the C lib is able to load only userA. I've checked the code and indeed the load of the second variant of the configuration is not implemented.

Is it a known limitation of the C lib?

Brendan Burns · Answer 1 · Thu Jan 12 2023 00:57:09 GMT+0800 (China Standard Time)

I'm pretty sure that multiple users are loaded:

https://github.com/kubernetes-client/c/blob/master/kubernetes/config/kube_config_yaml.c#L285

However, only the current user (selected by the current context in the kubeconfig file) will be used for authentication.

Are you looking to be able to chose a different user than the current user in the kubeconfig file?

Or does the python client somehow try both users (that would be surprising)

If you can clarify what your use-case is, we may be able to help.

(alternately, we may be able to guide you to create a PR to add more functionality :)

hirish · Answer 2 · Thu Jan 12 2023 07:59:56 GMT+0800 (China Standard Time)

Thank you for your reply. I was not clear enough about my use case. Sorry.

Both the C lib and the python lib are loading the current context. During my tests I'm switching the current context between userA and userB via kubectl (kubectl config use-context userA-context). Both users have the same rights via RBAC on a specific namespace. Python Lib are processing fine both userA and userB requests (so it loads both base64 and file certs).
The C lib instead loads correctly only when the context is userA with base64 encoded certificates. In the C library the load of certificates by file is not implemented and while using userB-context it calls api with anonymous user so I get 403 Forbidden.

It should be easy to check for the existence of client-certificate and client-key properties and do fopen of them. I could try to implement it indeed.

hirish · Answer 3 · Thu Jan 12 2023 08:10:27 GMT+0800 (China Standard Time)

It's simple to reproduce this with minikube. After minikube start it sets the current context with minikube user with auth by file paths like userB. Then, if you try to run the list_pod example (https://github.com/kubernetes-client/c/blob/master/examples/list_pod/main.c) you get 403 Forbidden.

Brendan Burns · Answer 4 · Fri Jan 13 2023 06:59:57 GMT+0800 (China Standard Time)

Ok, I will try to reproduce this, if you have cycles to fix we'd gladly take a PR, but we'll otherwise get to it eventually.

Brendan Burns · Answer 5 · Sat Jan 14 2023 05:54:38 GMT+0800 (China Standard Time)

@hirishh thanks for the PR and apologies, I misinterpreted the problem you were reporting, very much appreciate the fast PR!

Brendan Burns · Answer 6 · Sat Jan 14 2023 07:37:18 GMT+0800 (China Standard Time)

Closing this via #167