
     1  /*
     2  Copyright 2021 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1
    18  
    19  import (
    20  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    21  	"k8s.io/apimachinery/pkg/runtime"
    22  )
    23  
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ExecCredential is used by exec-based plugins to communicate credentials to
// HTTP transports.
//
// The same type is used in both directions: the transport hands the plugin an
// ExecCredential with Spec populated, and the plugin answers with an
// ExecCredential whose Status carries the credentials. The inlined TypeMeta
// supplies the top-level apiVersion/kind fields of the serialized object.
type ExecCredential struct {
	metav1.TypeMeta `json:",inline"`

	// Spec holds information passed to the plugin by the transport.
	Spec ExecCredentialSpec `json:"spec,omitempty"`

	// Status is filled in by the plugin and holds the credentials that the transport
	// should use to contact the API.
	//
	// Status is a pointer and optional, so a decoded ExecCredential (for example
	// the request the transport sends to the plugin) may carry a nil Status;
	// consumers must nil-check it before dereferencing.
	// +optional
	Status *ExecCredentialStatus `json:"status,omitempty"`
}
    39  
// ExecCredentialSpec holds request and runtime specific information provided by
// the transport.
type ExecCredentialSpec struct {
	// Cluster contains information to allow an exec plugin to communicate with the
	// kubernetes cluster being authenticated to. Note that Cluster is non-nil only
	// when provideClusterInfo is set to true in the exec provider config (i.e.,
	// ExecConfig.ProvideClusterInfo).
	//
	// Plugins must therefore tolerate a nil Cluster and must not assume that
	// cluster details (server address, CA data, proxy) are always available.
	// +optional
	Cluster *Cluster `json:"cluster,omitempty"`

	// Interactive declares whether stdin has been passed to this exec plugin.
	// The field has no omitempty tag, so it is always serialized (as false when
	// stdin was not provided), and a plugin can rely on its presence.
	Interactive bool `json:"interactive"`
}
    53  
// ExecCredentialStatus holds credentials for the transport to use.
//
// Token and ClientKeyData are sensitive fields. This data should only be
// transmitted in-memory between client and exec plugin process. Exec plugin
// itself should at least be protected via file permissions.
//
// The datapolicy struct tags on Token and ClientKeyData label them as secret
// material (presumably for tooling that flags credentials reaching logs —
// confirm against the project's logcheck conventions). Treat the whole struct
// as secret-bearing when logging, caching or persisting it.
type ExecCredentialStatus struct {
	// ExpirationTimestamp indicates a time when the provided credentials expire.
	//
	// NOTE(review): what happens when ExpirationTimestamp is nil (credentials
	// with no declared expiry) is decided by the transport that consumes this
	// status, not by this type — confirm against the exec authenticator.
	// +optional
	ExpirationTimestamp *metav1.Time `json:"expirationTimestamp,omitempty"`
	// Token is a bearer token used by the client for request authentication.
	Token string `json:"token,omitempty" datapolicy:"token"`
	// ClientCertificateData holds the PEM-encoded client TLS certificates
	// (including intermediates, if any). It is meant to be paired with
	// ClientKeyData.
	ClientCertificateData string `json:"clientCertificateData,omitempty"`
	// ClientKeyData holds the PEM-encoded private key for the above certificate.
	ClientKeyData string `json:"clientKeyData,omitempty" datapolicy:"security-key"`
}
    70  
// Cluster contains information to allow an exec plugin to communicate
// with the kubernetes cluster being authenticated to.
//
// To ensure that this struct contains everything someone would need to communicate
// with a kubernetes cluster (just like they would via a kubeconfig), the fields
// should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception
// of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
//
// The JSON field names deliberately use the kubeconfig spelling
// (e.g. "tls-server-name", "certificate-authority-data") rather than camelCase.
type Cluster struct {
	// Server is the address of the kubernetes cluster (https://hostname:port).
	Server string `json:"server"`
	// TLSServerName is passed to the server for SNI and is used in the client to
	// check server certificates against. If TLSServerName is empty, the hostname
	// used to contact the server is used.
	// +optional
	TLSServerName string `json:"tls-server-name,omitempty"`
	// InsecureSkipTLSVerify skips the validity check for the server's certificate.
	// This will make your HTTPS connections insecure.
	//
	// When set, neither CertificateAuthorityData nor TLSServerName protects the
	// connection against a man-in-the-middle, so a plugin that forwards this
	// setting should treat it as a deliberate, reviewed choice rather than a default.
	// +optional
	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
	// CertificateAuthorityData contains PEM-encoded certificate authority certificates.
	// If empty, system roots should be used. Being a []byte, it is base64-encoded
	// in the JSON form.
	// +listType=atomic
	// +optional
	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
	// ProxyURL is the URL to the proxy to be used for all requests to this
	// cluster.
	// +optional
	ProxyURL string `json:"proxy-url,omitempty"`
	// DisableCompression allows client to opt-out of response compression for all requests to the server. This is useful
	// to speed up requests (specifically lists) when client-server network bandwidth is ample, by saving time on
	// compression (server-side) and decompression (client-side): https://github.com/kubernetes/kubernetes/issues/112296.
	// +optional
	DisableCompression bool `json:"disable-compression,omitempty"`
	// Config holds additional config data that is specific to the exec
	// plugin with regards to the cluster being authenticated to.
	//
	// This data is sourced from the clientcmd Cluster object's
	// extensions[client.authentication.k8s.io/exec] field:
	//
	// clusters:
	// - name: my-cluster
	//   cluster:
	//     ...
	//     extensions:
	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
	//       extension:
	//         audience: 06e3fbd18de8  # arbitrary config
	//
	// In some environments, the user config may be exactly the same across many clusters
	// (i.e. call this exec plugin) minus some details that are specific to each cluster
	// such as the audience.  This field allows the per cluster config to be directly
	// specified with the cluster info.  Using this field to store secret data is not
	// recommended as one of the prime benefits of exec plugins is that no secrets need
	// to be stored directly in the kubeconfig.
	//
	// The value is kept as a runtime.RawExtension, i.e. it is not interpreted by
	// client-go; the plugin is responsible for decoding and validating it.
	// +optional
	Config runtime.RawExtension `json:"config,omitempty"`
}
   128  
