
KubernetesClientConfiguration.IsInCluster() not working when automountServiceAccountToken=false

Open zhiweiv opened this issue 1 year ago • 4 comments

KubernetesClientConfiguration.IsInCluster uses the service account token file as one of its check conditions.

 var tokenPath = Path.Combine(ServiceAccountPath, ServiceAccountTokenKeyFileName);
 if (!FileSystem.Current.Exists(tokenPath))
 {
     return false;
 }

When automountServiceAccountToken is set to false (https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting), no token file is injected into the container, and KubernetesClientConfiguration.IsInCluster doesn't work correctly.

zhiweiv avatar Aug 19 '24 06:08 zhiweiv

Any alternative way to know if the app is running inside k8s? This is designed to use in-cluster auth.

tg123 avatar Aug 19 '24 07:08 tg123

In client-go, it seems there is no public IsInCluster method; it suggests checking the return value of InClusterConfig (https://github.com/kubernetes/client-go/blob/master/examples/in-cluster-client-configuration/main.go#L42).

We used IsInCluster beyond auth purposes, and plan to remove them.

zhiweiv avatar Aug 19 '24 08:08 zhiweiv

I believe the ask is to rebrand IsInCluster -> HasInClusterToken?

tg123 avatar Aug 19 '24 18:08 tg123

I don't think that IsInCluster is intended to test whether or not the container is running inside a cluster. We could make that name change to make it more clear, but honestly I'm not sure if it's worth it.

brendandburns avatar Aug 23 '24 20:08 brendandburns
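
An added example (not part of the issue thread and not the client library's code) that separates the two questions discussed above: whether the process runs in a pod, and whether in-cluster credentials are mounted. It assumes the kubelet-injected `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables and the default service account mount path; `ClusterProbe`, `InClusterState` and `Detect` are hypothetical names.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.IO;

public enum InClusterState { NotInCluster, InClusterNoCredentials, InClusterWithCredentials }

public static class ClusterProbe
{
    // Default service account mount point inside a pod.
    public const string ServiceAccountDir = "/var/run/secrets/kubernetes.io/serviceaccount";

    // getEnv and fileExists are injected so the logic can be exercised off-cluster.
    public static InClusterState Detect(Func<string, string?> getEnv, Func<string, bool> fileExists)
    {
        // Step 1: "am I in a pod?" depends only on the kubelet-injected variables.
        if (string.IsNullOrEmpty(getEnv("KUBERNETES_SERVICE_HOST")) ||
            string.IsNullOrEmpty(getEnv("KUBERNETES_SERVICE_PORT")))
            return InClusterState.NotInCluster;

        // Step 2: "can I authenticate in-cluster?" needs both the token and the CA bundle.
        // With automountServiceAccountToken=false neither file is mounted.
        bool hasToken = fileExists(ServiceAccountDir + "/token");
        bool hasCa = fileExists(ServiceAccountDir + "/ca.crt");
        return hasToken && hasCa
            ? InClusterState.InClusterWithCredentials
            : InClusterState.InClusterNoCredentials;
    }

    public static InClusterState Detect() => Detect(Environment.GetEnvironmentVariable, File.Exists);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs, not captured from a real cluster.
        var podEnv = new Dictionary<string, string>
            { ["KUBERNETES_SERVICE_HOST"] = "10.96.0.1", ["KUBERNETES_SERVICE_PORT"] = "443" };
        var mounted = new HashSet<string>
            { ClusterProbe.ServiceAccountDir + "/token", ClusterProbe.ServiceAccountDir + "/ca.crt" };
        string? Env(string k) => podEnv.TryGetValue(k, out var v) ? v : null;

        Console.WriteLine(ClusterProbe.Detect(_ => null, _ => false));   // workstation
        Console.WriteLine(ClusterProbe.Detect(Env, _ => false));         // pod, automount disabled
        Console.WriteLine(ClusterProbe.Detect(Env, mounted.Contains));   // pod, default automount
    }
}
```

The environment variables are a deployment hint that any process launcher can set, so use the result to choose a configuration path, not as a trust decision.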

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 21 '24 21:11 k8s-triage-robot


/lifecycle rotten

k8s-triage-robot avatar Dec 21 '24 21:12 k8s-triage-robot