Your advanced code editor is loading.

Please wait a moment.

#editor-loading { display: none; }

Licensed under the Apache License, Version 2.0 (the “License”);

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an “AS IS” BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

import json import os import subprocess import sys

from .config_exception import ConfigException

class ExecProvider(object): “”” Implementation of the proposal for out-of-tree client authentication providers as described here – https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md

Missing from implementation:
          
          
          TLS cert support
          caching
          """
          
          def init(self, exec_config, cwd):
          """
          exec_config must be of type ConfigNode because we depend on
          safe_get(self, key) to correctly handle optional exec provider
          config parameters.
          """
          for key in ['command', 'apiVersion']:
          if key not in exec_config:
          raise ConfigException(
          'exec: malformed request. missing key '%s'' % key)
          self.api_version = exec_config['apiVersion']
          self.args = [exec_config['command']]
          if exec_config.safe_get('args'):
          self.args.extend(exec_config['args'])
          self.env = os.environ.copy()
          if exec_config.safe_get('env'):
          additional_vars = {}
          for item in exec_config['env']:
          name = item['name']
          value = item['value']
          additional_vars[name] = value
          self.env.update(additional_vars)
          self.cwd = cwd or None
          def run(self, previous_response=None):
          is_interactive = hasattr(sys.stdout, 'isatty') and sys.stdout.isatty()
          kubernetes_exec_info = {
          'apiVersion': self.api_version,
          'kind': 'ExecCredential',
          'spec': {
          'interactive': is_interactive
          }
          }
          if previous_response:
          kubernetes_exec_info['spec']['response'] = previous_response
          self.env['KUBERNETES_EXEC_INFO'] = json.dumps(kubernetes_exec_info)
          process = subprocess.Popen(
          self.args,
          stdout=subprocess.PIPE,
          stderr=sys.stderr if is_interactive else subprocess.PIPE,
          stdin=sys.stdin if is_interactive else None,
          cwd=self.cwd,
          env=self.env,
          universal_newlines=True)
          (stdout, stderr) = process.communicate()
          exit_code = process.wait()
          if exit_code != 0:
          msg = 'exec: process returned %d' % exit_code
          stderr = stderr.strip()
          if stderr:
          msg += '. %s' % stderr
          raise ConfigException(msg)
          try:
          data = json.loads(stdout)
          except ValueError as de:
          raise ConfigException(
          'exec: failed to decode process output: %s' % de)
          for key in ('apiVersion', 'kind', 'status'):
          if key not in data:
          raise ConfigException(
          'exec: malformed response. missing key '%s'' % key)
          if data['apiVersion'] != self.api_version:
          raise ConfigException(
          'exec: plugin api version %s does not match %s' %
          (data['apiVersion'], self.api_version))
          return data['status']

Explanation

The ExecProvider class implements a mechanism for authenticating Kubernetes clients using external programs. This approach allows for custom authentication methods beyond the built-in options. It is based on the design proposal documented at https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md.

Key Features:

Exec Plugin Integration: It allows the use of executable programs (plugins) to handle authentication.
Configuration: The provider accepts a configuration dictionary, including the plugin command and optional arguments.
Environment Variables: It sets up environment variables for the plugin, including KUBERNETES_EXEC_INFO which contains details about the authentication request.
Response Handling: It handles the plugin’s response, ensuring it’s a valid JSON document with the expected structure.

Constructor (__init__):

Takes exec_config (a configuration dictionary) and an optional cwd (working directory for the plugin).
Verifies the presence of required configuration parameters (command and apiVersion).
Stores the apiVersion and args from the config.
Copies the current environment variables into self.env.
Updates the environment with additional variables specified in the config’s env section.

Run Method:

Sets up an environment variable KUBERNETES_EXEC_INFO containing a JSON structure describing the authentication request (including the apiVersion, kind, and spec). If there’s a previous response, it’s added to the spec as well.
Spawns a subprocess to execute the plugin command with the configured environment and arguments.
Captures the stdout and stderr output.
Checks the exit code of the plugin. If it’s not zero, an exception is raised, including the error message from the plugin.
Parses the JSON output from the plugin’s stdout, validating the apiVersion, kind, and status fields.
Returns the status field from the plugin response.

Limitations:

TLS Support: It currently lacks support for TLS certificates.
Caching: It does not implement any caching mechanisms for authentication tokens or other information.

Overall:

The ExecProvider provides a flexible way to incorporate custom authentication methods into Kubernetes clients, but it’s important to be aware of its limitations and ensure the plugin’s security and reliability.

Your advanced code editor is loading.

Please wait a moment.

Explanation

Graph

Symbols

We couldn't identify any entrypoints. If you believe this to be incorrect then please contact support.