In order to easily switch between multiple clusters, a .kubeconfig file was defined. This file contains a series of authentication mechanisms and cluster connection information associated with nicknames. It also introduces the concept of a tuple of authentication information (user) and cluster connection information called a context that is also associated with a nickname.
Multiple files are .kubeconfig files are allowed. At runtime they are loaded and merged together along with override options specified from the command line (see rules below).
The rules for loading and merging the .kubeconfig files are straightforward, but there are a lot of them. The final config is built in this order:
1. Merge together the kubeconfig itself. This is done with the following hierarchy and merge rules:
Empty filenames are ignored. Files with non-deserializable content produced errors.
The first file to set a particular value or map key wins and the value or map key is never changed.
This means that the first file to set CurrentContext will have its context preserved. It also means that if two files specify a "red-user", only values from the first file's red-user are used. Even non-conflicting entries from the second file's "red-user" are discarded.
1. CommandLineLocation - the value of the `kubeconfig` command line option
1. EnvVarLocation - the value of $KUBECONFIG
1. CurrentDirectoryLocation - ``pwd``/.kubeconfig
1. HomeDirectoryLocation = ~/.kube/.kubeconfig
1. Determine the context to use based on the first hit in this chain
1. command line argument - the value of the `context` command line option
1. current-context from the merged kubeconfig file
1. Empty is allowed at this stage
1. Determine the cluster info and user to use. At this point, we may or may not have a context. They are built based on the first hit in this chain. (run it twice, once for user, once for cluster)
1. command line argument - `user` for user name and `cluster` for cluster name
1. If context is present, then use the context's value
1. Empty is allowed
1. Determine the actual cluster info to use. At this point, we may or may not have a cluster info. Build each piece of the cluster info based on the chain (first hit wins):
1. command line arguments - `server`, `api-version`, `certificate-authority`, and `insecure-skip-tls-verify`
1. If cluster info is present and a value for the attribute is present, use it.
1. If you don't have a server location, error.
1. User is build using the same rules as cluster info, EXCEPT that you can only have one authentication technique per user.
The command line flags are: `auth-path`, `client-certificate`, `client-key`, and `token`. If there are two conflicting techniques, fail.
1. For any information still missing, use default values and potentially prompt for authentication information
flags.StringVarP(&builder.apiserver,FlagApiServer,"s",builder.apiserver,"The address of the Kubernetes API server")
flags.BoolVar(&builder.matchApiVersion,FlagMatchApiVersion,false,"Require server version to match client version")
flags.StringVar(&builder.apiVersion,FlagApiVersion,latest.Version,"The API version to use when talking to the server")
flags.StringVarP(&builder.authPath,FlagAuthPath,"a",os.Getenv("HOME")+"/.kubernetes_auth","Path to the auth info file. If missing, prompt the user. Only used if using https.")
flags.Var(&builder.cmdAuthInfo.Insecure,FlagInsecure,"If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure.")
flags.Var(&builder.cmdAuthInfo.CertFile,FlagCertFile,"Path to a client key file for TLS.")
flags.Var(&builder.cmdAuthInfo.KeyFile,FlagKeyFile,"Path to a client key file for TLS.")
flags.Var(&builder.cmdAuthInfo.CAFile,FlagCAFile,"Path to a cert. file for the certificate authority.")
flags.Var(&builder.cmdAuthInfo.BearerToken,FlagBearerToken,"Bearer token for authentication to the API server.")
// NewInteractiveClientConfig creates a DirectClientConfig using the passed context name and a reader in case auth information is not provided via files or flags
// ConfirmUsable looks a particular context and determines if that particular part of the config is useable. There might still be errors in the config,
// but no errors in the sections requested or referenced. It does not return early so that it can find as many errors as possible.
// TODO short flag names are impossible to prefix, decide whether to keep them or not
flags.StringVarP(&clusterInfo.Server,flagNames.APIServer,"s","","The address of the Kubernetes API server")
flags.StringVar(&clusterInfo.APIVersion,flagNames.APIVersion,"","The API version to use when talking to the server")
flags.StringVar(&clusterInfo.CertificateAuthority,flagNames.CertificateAuthority,"","Path to a cert. file for the certificate authority.")
flags.BoolVar(&clusterInfo.InsecureSkipTLSVerify,flagNames.InsecureSkipTLSVerify,false,"If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure.")
}
// BindFlags is a convenience method to bind the specified flags to their associated variables
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
packageclientcmd
import()
// Where possible, yaml tags match the cli argument names.
// Top level config objects and all values required for proper functioning are not "omitempty". Any truly optional piece of config is allowed to be omitted.
// Config holds the information needed to build connect to remote kubernetes clusters as a given user
typeConfigstruct{
// Preferences holds general information to be use for cli interactions
PreferencesPreferences`yaml:"preferences"`
// Clusters is a map of referencable names to cluster configs
Clustersmap[string]Cluster`yaml:"clusters"`
// AuthInfos is a map of referencable names to user configs
AuthInfosmap[string]AuthInfo`yaml:"users"`
// Contexts is a map of referencable names to context configs
Contextsmap[string]Context`yaml:"contexts"`
// CurrentContext is the name of the context that you would like to use by default
CurrentContextstring`yaml:"current-context"`
}
typePreferencesstruct{
Colorsbool`yaml:"colors,omitempty"`
}
// Cluster contains information about how to communicate with a kubernetes cluster
typeClusterstruct{
// Server is the address of the kubernetes cluster (https://hostname:port).
Serverstring`yaml:"server"`
// APIVersion is the preferred api version for communicating with the kubernetes cluster (v1beta1, v1beta2, v1beta3, etc).
APIVersionstring`yaml:"api-version,omitempty"`
// InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
// ClientKey is the path to a client key file for TLS.
ClientKeystring`yaml:"client-key,omitempty"`
// Token is the bearer token for authentication to the kubernetes cluster.
Tokenstring`yaml:"token,omitempty"`
}
// Context is a tuple of references to a cluster (how do I communicate with a kubernetes cluster), a user (how do I identify myself), and a namespace (what subset of resources do I want to work with)
typeContextstruct{
// Cluster is the name of the cluster for this context
Clusterstring`yaml:"cluster"`
// AuthInfo is the name of the authInfo for this context
AuthInfostring`yaml:"user"`
// Namespace is the default namespace to use on unspecified requests
Namespacestring`yaml:"namespace,omitempty"`
}
// NewConfig is a convenience function that returns a new Config object with non-nil maps
// ConfirmUsable looks a particular context and determines if that particular part of the config is useable. There might still be errors in the config,
// but no errors in the sections requested or referenced. It does not return early so that it can find as many errors as possible.
validationErrors=append(validationErrors,fmt.Errorf("unable to read certificate-authority %v for %v due to %v",clusterInfo.CertificateAuthority,clusterName,err))
}
}
returnvalidationErrors
}
// validateAuthInfo looks for conflicts and errors in the auth info
validationErrors=append(validationErrors,fmt.Errorf("unable to read client-cert %v for %v due to %v",authInfo.ClientCertificate,authInfoName,err))
}
clientKeyFile,err:=os.Open(authInfo.ClientKey)
deferclientKeyFile.Close()
iferr!=nil{
validationErrors=append(validationErrors,fmt.Errorf("unable to read client-key %v for %v due to %v",authInfo.ClientKey,authInfoName,err))
}
}
if(len(methods))>1{
validationErrors=append(validationErrors,fmt.Errorf("more than one authentication method found for %v. Found %v, only one is allowed",authInfoName,methods))
}
returnvalidationErrors
}
// validateContext looks for errors in the context. It is not transitive, so errors in the reference authInfo or cluster configs are not included in this return
validationErrors=append(validationErrors,fmt.Errorf("namespace, %v, for context %v, does not conform to the kubernetest DNS952 rules",context.Namespace,contextName))
returnnil,fmt.Errorf("no description has been implemented for %q",mapping.Kind)
}
returndescriber,nil
}
returnret
}
}
func(f*Factory)Run(outio.Writer){
func(f*Factory)Run(outio.Writer){
...
@@ -96,12 +100,13 @@ Find more information at https://github.com/GoogleCloudPlatform/kubernetes.`,
...
@@ -96,12 +100,13 @@ Find more information at https://github.com/GoogleCloudPlatform/kubernetes.`,
Run:runHelp,
Run:runHelp,
}
}
f.ClientBuilder.BindFlags(cmds.PersistentFlags())
f.ClientConfig=getClientConfig(cmds)
// Globally persistent flags across all subcommands.
// Globally persistent flags across all subcommands.
// TODO Change flag names to consts to allow safer lookup from subcommands.
// TODO Change flag names to consts to allow safer lookup from subcommands.
// TODO Add a verbose flag that turns on glog logging. Probably need a way
// TODO Add a verbose flag that turns on glog logging. Probably need a way
// to do that automatically for every subcommand.
// to do that automatically for every subcommand.
cmds.PersistentFlags().Bool(FlagMatchBinaryVersion,false,"Require server version to match client version")
cmds.PersistentFlags().String("ns-path",os.Getenv("HOME")+"/.kubernetes_ns","Path to the namespace info file that holds the namespace context to use for CLI requests.")
cmds.PersistentFlags().String("ns-path",os.Getenv("HOME")+"/.kubernetes_ns","Path to the namespace info file that holds the namespace context to use for CLI requests.")
cmds.PersistentFlags().StringP("namespace","n","","If present, the namespace scope for this CLI request.")
cmds.PersistentFlags().StringP("namespace","n","","If present, the namespace scope for this CLI request.")
cmds.PersistentFlags().Bool("validate",false,"If true, use a schema to validate the input before sending it")
cmds.PersistentFlags().Bool("validate",false,"If true, use a schema to validate the input before sending it")
...
@@ -124,6 +129,50 @@ Find more information at https://github.com/GoogleCloudPlatform/kubernetes.`,
...
@@ -124,6 +129,50 @@ Find more information at https://github.com/GoogleCloudPlatform/kubernetes.`,
}
}
}
}
// getClientBuilder creates a clientcmd.ClientConfig that has a hierarchy like this:
// 1. Use the kubeconfig builder. The number of merges and overrides here gets a little crazy. Stay with me.
// 1. Merge together the kubeconfig itself. This is done with the following hierarchy and merge rules:
// 1. CommandLineLocation - this parsed from the command line, so it must be late bound
// 2. EnvVarLocation
// 3. CurrentDirectoryLocation
// 4. HomeDirectoryLocation
// Empty filenames are ignored. Files with non-deserializable content produced errors.
// The first file to set a particular value or map key wins and the value or map key is never changed.
// This means that the first file to set CurrentContext will have its context preserved. It also means
// that if two files specify a "red-user", only values from the first file's red-user are used. Even
// non-conflicting entries from the second file's "red-user" are discarded.
// 2. Determine the context to use based on the first hit in this chain
// 1. command line argument - again, parsed from the command line, so it must be late bound
// 2. CurrentContext from the merged kubeconfig file
// 3. Empty is allowed at this stage
// 3. Determine the cluster info and auth info to use. At this point, we may or may not have a context. They
// are built based on the first hit in this chain. (run it twice, once for auth, once for cluster)
// 1. command line argument
// 2. If context is present, then use the context value
// 3. Empty is allowed
// 4. Determine the actual cluster info to use. At this point, we may or may not have a cluster info. Build
// each piece of the cluster info based on the chain:
// 1. command line argument
// 2. If cluster info is present and a value for the attribute is present, use it.
// 3. If you don't have a server location, bail.
// 5. Auth info is build using the same rules as cluster info, EXCEPT that you can only have one authentication
// technique per auth info. The following conditions result in an error:
// 1. If there are two conflicting techniques specified from the command line, fail.
// 2. If the command line does not specify one, and the auth info has conflicting techniques, fail.
// 3. If the command line specifies one and the auth info specifies another, honor the command line technique.
// 2. Use default values and potentially prompt for auth information