/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package clientauthentication

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ExecCredential is used by exec-based plugins to communicate credentials to
// HTTP transports. The transport populates Spec before invoking the plugin; the
// plugin fills in Status with the credentials the transport should present to
// the API server. The data flow is therefore two-way and crosses a process
// boundary, so both sides must treat the other's half as input to be validated.
//
// NOTE(review): this package is unversioned, so this is presumably the internal
// representation and the versioned form actually exchanged with the plugin
// process lives in sibling versioned packages — confirm against the exec plugin
// documentation before relying on field layout here for wire compatibility.
type ExecCredential struct {
	metav1.TypeMeta

	// Spec holds information passed to the plugin by the transport. This contains
	// request and runtime specific information, such as if the session is interactive.
	Spec ExecCredentialSpec

	// Status is filled in by the plugin and holds the credentials that the transport
	// should use to contact the API. A nil Status means the plugin supplied no
	// credentials at all; consumers must not dereference it unchecked.
	// +optional
	Status *ExecCredentialStatus
}

// ExecCredentialSpec holds request and runtime specific information provided by
// the transport. Everything in this struct flows from the client into the
// plugin; it carries no credentials of its own.
type ExecCredentialSpec struct {
	// Interactive is true when the transport detects the command is being called from an
	// interactive prompt, i.e., when stdin has been passed to this exec plugin.
	// Plugins should only prompt the user (for example for a password or an MFA
	// code) when this is true; prompting in a non-interactive invocation may block
	// the caller indefinitely.
	// +optional
	Interactive bool

	// Cluster contains information to allow an exec plugin to communicate with the
	// kubernetes cluster being authenticated to. Note that Cluster is non-nil only
	// when provideClusterInfo is set to true in the exec provider config (i.e.,
	// ExecConfig.ProvideClusterInfo). Plugins must therefore tolerate a nil Cluster
	// and fail clearly if they require it.
	// +optional
	Cluster *Cluster
}

// ExecCredentialStatus holds credentials for the transport to use. Token and the
// client certificate pair (ClientCertificateData, ClientKeyData) are independent
// optional fields; a consumer should check which were actually populated rather
// than assume one form. Token and ClientKeyData are secrets and are tagged as
// such via datapolicy; they must never be written to logs or error messages.
type ExecCredentialStatus struct {
	// ExpirationTimestamp indicates a time when the provided credentials expire.
	// A nil value communicates no expiry; how long the transport then reuses the
	// credentials before re-invoking the plugin is defined by the transport, not
	// by this type.
	// +optional
	ExpirationTimestamp *metav1.Time
	// Token is a bearer token used by the client for request authentication.
	// Tagged datapolicy:"token": sensitive, never log it.
	// +optional
	Token string `datapolicy:"token"`
	// PEM-encoded client TLS certificate. The certificate itself is public and so
	// carries no datapolicy tag; the sensitive half of the pair is ClientKeyData.
	// +optional
	ClientCertificateData string
	// PEM-encoded client TLS private key. Tagged datapolicy:"secret-key": treat it
	// exactly like Token — never log or persist it.
	// +optional
	ClientKeyData string `datapolicy:"secret-key"`
}

// Cluster contains information to allow an exec plugin to communicate
// with the kubernetes cluster being authenticated to.
//
// To ensure that this struct contains everything someone would need to communicate
// with a kubernetes cluster (just like they would via a kubeconfig), the fields
// should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception
// of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
//
// The values here originate from the user's kubeconfig. A plugin that uses them
// to open its own connection to the cluster inherits the same TLS posture the
// kubeconfig expresses (TLSServerName, InsecureSkipTLSVerify,
// CertificateAuthorityData, ProxyURL) and should not weaken it further.
type Cluster struct {
	// Server is the address of the kubernetes cluster (https://hostname:port).
	Server string
	// TLSServerName is passed to the server for SNI and is used in the client to
	// check server certificates against. If TLSServerName is empty, the hostname
	// used to contact the server is used.
	// +optional
	TLSServerName string
	// InsecureSkipTLSVerify skips the validity check for the server's certificate.
	// This will make your HTTPS connections insecure: with no server
	// authentication, any credential a plugin sends over such a connection can be
	// captured by a man-in-the-middle. Plugins should honour a true value only
	// because the kubeconfig asked for it, never default to it.
	// +optional
	InsecureSkipTLSVerify bool
	// CertificateAuthorityData contains PEM-encoded certificate authority certificates.
	// If empty, system roots should be used.
	// +listType=atomic
	// +optional
	CertificateAuthorityData []byte
	// ProxyURL is the URL to the proxy to be used for all requests to this
	// cluster. A URL may embed proxy credentials (user:pass@host), so treat this
	// string as potentially sensitive when logging or echoing it.
	// +optional
	ProxyURL string
	// DisableCompression allows client to opt-out of response compression for all requests to the server. This is useful
	// to speed up requests (specifically lists) when client-server network bandwidth is ample, by saving time on
	// compression (server-side) and decompression (client-side): https://github.com/kubernetes/kubernetes/issues/112296.
	// +optional
	DisableCompression bool
	// Config holds additional config data that is specific to the exec
	// plugin with regards to the cluster being authenticated to.
	//
	// This data is sourced from the clientcmd Cluster object's
	// extensions[client.authentication.k8s.io/exec] field:
	//
	// clusters:
	// - name: my-cluster
	//   cluster:
	//     ...
	//     extensions:
	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
	//       extension:
	//         audience: 06e3fbd18de8  # arbitrary config
	//
	// In some environments, the user config may be exactly the same across many clusters
	// (i.e. call this exec plugin) minus some details that are specific to each cluster
	// such as the audience. This field allows the per cluster config to be directly
	// specified with the cluster info. Using this field to store secret data is not
	// recommended as one of the prime benefits of exec plugins is that no secrets need
	// to be stored directly in the kubeconfig.
	//
	// Because the contents are free-form and come straight from the kubeconfig, a
	// plugin should validate the shape of this object rather than assume a
	// well-formed extension.
	// +optional
	Config runtime.Object
}