Explanation

This code implements a simple GCP credential provider plugin for Kubernetes. It allows containers running in a Google Kubernetes Engine (GKE) cluster to obtain credentials for accessing Google Cloud services without explicitly providing them.

Here's a breakdown:

main function:
- Retrieves credentials from the GKE metadata server using the getCredentials function.
- If an error occurs during credential retrieval, logs a fatal error message and exits.

getCredentials function:
- Creates a provider struct containing an HTTP client with a timeout and the metadata token endpoint.
- Reads the credential provider request from standard input (stdin) and unmarshals it into a credentialproviderv1.CredentialProviderRequest struct.
- Calls the provider.Provide method to obtain authentication credentials for the specified image.
- Creates a credentialproviderv1.CredentialProviderResponse struct containing the retrieved credentials and metadata.
- Marshals the response into JSON format and writes it to standard output (stdout).
- Returns an error if any operation fails.

provider struct:
- Holds an HTTP client and the metadata token endpoint URL.

Provide method:
- Sends a GET request to the metadata server to retrieve a temporary access token.
- Returns the obtained token as the authentication credential.

Flow:
- The plugin runs as a sidecar container alongside the application container.
- When the application container attempts to access a Google Cloud service, Kubernetes invokes this plugin.
- The plugin queries the GKE metadata server to retrieve a temporary access token, which is then used to authenticate with Google Cloud services.
- The plugin writes the credentials back to the application container, allowing it to access Google Cloud services.

Key Points:
- This plugin leverages the GKE metadata server to obtain credentials.
- It follows the Kubernetes credential provider plugin interface, enabling it to integrate seamlessly with Kubernetes.
- The code is concise and focused on providing a simple and effective solution for credential retrieval.
- The plugin avoids logging sensitive credentials by only returning an error message if marshaling fails.
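The stdin-to-stdout round trip described above, written out as an added example (not the plugin's or Kubernetes' own code): it condenses the provider struct and Provide method into one getCredentials function whose HTTP client and token endpoint are injected, and declares local stand-ins for the credentialproviderv1 response types whose JSON field names are assumed to match the kubelet API. The metadata URL, the Metadata-Flavor header and the oauth2accesstoken username are the documented GCE and GCR conventions; the client timeout and the token-free error strings are the hardening a reviewer would look for.

```go
package main
import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

// Assumption: these mirror the JSON wire shape of k8s.io/kubelet/pkg/apis/credentialprovider/v1.
type AuthConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}
type CredentialProviderResponse struct {
	Kind         string                `json:"kind"`
	APIVersion   string                `json:"apiVersion"`
	CacheKeyType string                `json:"cacheKeyType"`
	Auth         map[string]AuthConfig `json:"auth"`
}
// getCredentials performs one exec-plugin round trip: kubelet request JSON in, token fetched from endpoint, response JSON out.
func getCredentials(in io.Reader, out io.Writer, client *http.Client, endpoint string) error {
	var req struct{ Image string `json:"image"` }
	if err := json.NewDecoder(in).Decode(&req); err != nil {
		return err
	}
	hreq, _ := http.NewRequest(http.MethodGet, endpoint, nil)
	hreq.Header.Set("Metadata-Flavor", "Google") // GCE's metadata server refuses requests lacking this header
	resp, err := client.Do(hreq)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tok) != nil || tok.AccessToken == "" {
		return errors.New("metadata server did not return a usable access token") // never echo the body or token
	}
	// GCR and Artifact Registry accept the token as the password for this fixed username; CacheKeyType "Registry" lets the kubelet reuse it per registry host.
	return json.NewEncoder(out).Encode(CredentialProviderResponse{Kind: "CredentialProviderResponse",
		APIVersion: "credentialprovider.kubelet.k8s.io/v1", CacheKeyType: "Registry",
		Auth:       map[string]AuthConfig{req.Image: {Username: "oauth2accesstoken", Password: tok.AccessToken}}})
}
func main() {
	// The timeout keeps a hung metadata server from stalling image pulls indefinitely.
	if err := getCredentials(os.Stdin, os.Stdout, &http.Client{Timeout: 5 * time.Second}, "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"); err != nil {
		log.Fatal(err)
	}
}
```

Run it locally by piping a CredentialProviderRequest JSON document into the binary; the kubelet drives it the same way through its credential provider configuration.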