
ExecCredential does not contain cluster information

Open ofrzeta opened this issue 1 year ago • 2 comments

What you expected to happen: A Python script provided with a kubeconfig that contains a user exec section to get a client certificate should connect to the cluster.

The kubeconfig contains this section:

users:
- name: my-garden-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - get-client-certificate
      command: kubectl-gardenlogin
      env: null
      installHint: Follow the instructions on https://github.com/gardener/gardenlogin#installation
        to install gardenlogin
      interactiveMode: IfAvailable
      provideClusterInfo: true

Running a Kubernetes Python script with this kubeconfig produces the following error:

Error: failed to complete command options: ExecCredential does not contain cluster information
Usage:
  gardenlogin get-client-certificate [flags]

ofrzeta avatar Oct 10 '24 13:10 ofrzeta

This looks to me like the exec itself is not working correctly. What happens when you run kubectl-gardenlogin get-client-certificate in your shell? If that doesn't work, this won't work either.

Does this kubeconfig file work when you run it with kubectl?

brendandburns avatar Oct 19 '24 18:10 brendandburns

Thanks for your response. "kubectl-gardenlogin" produces valid certificates in that shell. This is how I kind of worked around this issue: exec get-certificate with python.subprocess and use the certs with the client object. It also works with kubectl (and k9s for instance). It works as follows:

  • get kubeconfig from Gardener
  • gardenctl config set-garden Gardenname --kubeconfig Downloadedkubeconfig
  • eval $(gardenctl kubectl-env bash) # this sets KUBECONFIG to some temporary file. This is the kubeconfig that contains the above exec configuration with kubectl-gardenlogin
  • gardenctl target --garden Gardenname --project GardenerProject --shoot ShootName

After that I can get the certs with

  • kubectl-gardenlogin get-client-certificate --name ShootName --namespace Garden-Projectname --garden-cluster-identity Gardenname

After that, when I run "kubectl get ns", it works, but the corresponding Python client sample errors with: "Error: failed to complete command options: ExecCredential does not contain cluster information". Which is true, because the ExecCredential delivered by get-certificate contains only kind, apiVersion, spec (interactive=false) and status (with expirationTimestamp, clientCertificateData and clientKeyData). Changing the value of provideClusterInfo in the kubeconfig doesn't seem to change anything.

If you look into the code of base/config/exec_provider there's no mention of a cluster or clusterinfo as it is in the Go client.

ofrzeta avatar Oct 20 '24 09:10 ofrzeta

Ok, I think I see the issue.

I believe that the message is coming from gardenlogin and it's referring to the ExecCredential which is sent into gardenlogin as input.

If you look at the code here: https://github.com/kubernetes-client/python/blob/master/kubernetes/base/config/exec_provider.py#L65 we definitely don't set the cluster info.

The root of the problem is that we don't implement the provideClusterInfo as described here:

https://kubernetes.io/docs/reference/config-api/client-authentication.v1/#client-authentication-k8s-io-v1-ExecCredentialSpec

brendandburns avatar Oct 26 '24 19:10 brendandburns

The relevant code in Go is here: https://github.com/kubernetes/client-go/blob/3dc7fd5f4c1d8afaf5924c461eae2ab27db0045a/plugin/pkg/client/auth/exec/exec.go#L424

brendandburns avatar Oct 26 '24 19:10 brendandburns
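
An added sketch, not code from the Python client or from any participant in this thread, of the ExecCredential input a client would place in KUBERNETES_EXEC_INFO when provideClusterInfo is true, using the Cluster field names from the ExecCredentialSpec reference linked above. The helper names build_exec_info and plugin_env are hypothetical, and the cluster values are constructed sample data.

```python
import json

# Kubeconfig cluster keys that the client.authentication.k8s.io/v1 Cluster
# type carries under the same JSON names.
_CLUSTER_KEYS = ("server", "tls-server-name", "insecure-skip-tls-verify",
                 "certificate-authority-data", "proxy-url", "disable-compression")
_EXEC_EXTENSION = "client.authentication.k8s.io/exec"


def build_exec_info(exec_cfg, cluster_cfg, interactive=False):
    """Return the JSON string for KUBERNETES_EXEC_INFO (hypothetical helper)."""
    spec = {"interactive": interactive}
    if exec_cfg.get("provideClusterInfo"):
        cluster = {k: cluster_cfg[k] for k in _CLUSTER_KEYS if k in cluster_cfg}
        # Per-cluster plugin settings travel in the reserved extension entry
        # and are handed to the plugin as spec.cluster.config.
        for ext in cluster_cfg.get("extensions") or []:
            if ext.get("name") == _EXEC_EXTENSION:
                cluster["config"] = ext.get("extension")
        spec["cluster"] = cluster
    return json.dumps({
        "apiVersion": exec_cfg["apiVersion"],
        "kind": "ExecCredential",
        "spec": spec,
    })


def plugin_env(exec_cfg, cluster_cfg, base_env):
    """Environment for the plugin process: base env plus KUBERNETES_EXEC_INFO."""
    env = dict(base_env)
    for item in exec_cfg.get("env") or []:  # the kubeconfig above has env: null
        env[item["name"]] = item["value"]
    env["KUBERNETES_EXEC_INFO"] = build_exec_info(exec_cfg, cluster_cfg)
    return env


# Constructed sample input: exec section as in the issue, cluster values made up.
EXEC_CFG = {"apiVersion": "client.authentication.k8s.io/v1",
            "command": "kubectl-gardenlogin", "args": ["get-client-certificate"],
            "env": None, "provideClusterInfo": True}
CLUSTER_CFG = {"server": "https://api.shoot.example.invalid",
               "certificate-authority-data": "Q09OU1RSVUNURUQ=",
               "extensions": [{"name": _EXEC_EXTENSION,
                               "extension": {"example": "constructed"}}]}

if __name__ == "__main__":
    print(plugin_env(EXEC_CFG, CLUSTER_CFG, {})["KUBERNETES_EXEC_INFO"])
```

A kubeconfig that names a CA file with certificate-authority instead of embedding certificate-authority-data would need the file read and base64-encoded first, which this sketch does not do.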