Your advanced code editor is loading.

Please wait a moment.

#editor-loading { display: none; }

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */

package main

import ( “encoding/json” “errors” “io” “net/http” “os” “time”

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
          "k8s.io/klog/v2"
          credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"

)

const metadataTokenEndpoint = “http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token”

func main() { if err := getCredentials(metadataTokenEndpoint, os.Stdin, os.Stdout); err != nil { klog.Fatalf(“failed to get credentials: %v”, err) } }

func getCredentials(tokenEndpoint string, r io.Reader, w io.Writer) error { provider := &provider{ client: &http.Client{ Timeout: 10 * time.Second, }, tokenEndpoint: tokenEndpoint, }

data, err := io.ReadAll(r)
          if err != nil {
          return err
          }
          
          var authRequest credentialproviderv1.CredentialProviderRequest
          err = json.Unmarshal(data, &authRequest)
          if err != nil {
          return err
          }
          auth, err := provider.Provide(authRequest.Image)
          if err != nil {
          return err
          }
          response := &credentialproviderv1.CredentialProviderResponse{
          TypeMeta: metav1.TypeMeta{
          Kind:       "CredentialProviderResponse",
          APIVersion: "credentialprovider.kubelet.k8s.io/v1",
          },
          CacheKeyType: credentialproviderv1.RegistryPluginCacheKeyType,
          Auth:         auth,
          }
          if err := json.NewEncoder(w).Encode(response); err != nil {
          // The error from json.Marshal is intentionally not included so as to not leak credentials into the logs
          return errors.New("error marshaling response")
          }
          return nil

}

Explanation

This code implements a simple gcp credential provider plugin for Kubernetes. It allows containers running in a Google Kubernetes Engine (GKE) cluster to obtain credentials for accessing Google Cloud services without explicitly providing them.

Here’s a breakdown:

main Function:

Retrieves credentials from the GKE metadata server using the getCredentials function.
If an error occurs during credential retrieval, logs a fatal error message and exits.

getCredentials Function:

Creates a provider struct containing an HTTP client with a timeout and the metadata token endpoint.
Reads the credential provider request from standard input (stdin) and unmarshals it into a credentialproviderv1.CredentialProviderRequest struct.
Calls the provider.Provide method to obtain authentication credentials for the specified image.
Creates a credentialproviderv1.CredentialProviderResponse struct containing the retrieved credentials and metadata.
Marshals the response into JSON format and writes it to standard output (stdout).
Returns an error if any operation fails.

provider Struct:

Holds an HTTP client and the metadata token endpoint URL.

Provide Method:

Sends a GET request to the metadata server to retrieve a temporary access token.
Returns the obtained token as the authentication credential.

Explanation:

The plugin runs as a sidecar container alongside the application container.
When the application container attempts to access a Google Cloud service, Kubernetes invokes this plugin.
The plugin queries the GKE metadata server to retrieve a temporary access token, which is then used to authenticate with Google Cloud services.
The plugin writes the credentials back to the application container, allowing it to access Google Cloud services.

Key Points:

This plugin leverages the GKE metadata server to obtain credentials.
It follows the Kubernetes credential provider plugin interface, enabling it to seamlessly integrate with Kubernetes.
The code is concise and focused on providing a simple and effective solution for credential retrieval.
The plugin avoids logging sensitive credentials by only returning an error message if marshaling fails.

Your advanced code editor is loading.

Please wait a moment.

Explanation

Graph

Symbols

We couldn't identify any entrypoints. If you believe this to be incorrect then please contact support.