kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #24639 from ankeesler/exec-cred-prov-cluster-info 

exec credential provider: cluster info details
This commit is contained in:
Kubernetes Prow Robot 2020-11-04 11:20:52 -08:00 committed by GitHub
parent dbce914cfd c855d5d68c
commit 44fd64ef5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
content/en/docs/reference/access-authn-authz/authentication.md
View File

@ -882,11 +882,22 @@ users:
On Fedora: dnf install example-client-go-exec-plugin On Fedora: dnf install example-client-go-exec-plugin
... ...
# Whether or not to provide cluster information, which could potentially contain
# very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO
# environment variable.
provideClusterInfo: true
clusters: clusters:
- name: my-cluster - name: my-cluster
cluster: cluster:
server: "https://172.17.4.100:6443" server: "https://172.17.4.100:6443"
certificate-authority: "/etc/kubernetes/ca.pem" certificate-authority: "/etc/kubernetes/ca.pem"
extensions:
- name: client.authentication.k8s.io/exec # reserved extension name for per cluster exec config
extension:
arbitrary: config
this: can be provided via the KUBERNETES_EXEC_INFO environment variable upon setting provideClusterInfo
you: ["can", "put", "anything", "here"]
contexts: contexts:
- name: my-cluster - name: my-cluster
context: context:
@ -968,3 +979,28 @@ RFC3339 timestamp. Presence or absence of an expiry has the following impact:
} }
``` ```
The plugin can optionally be called with an environment variable, `KUBERNETES_EXEC_INFO`,
that contains information about the cluster for which this plugin is obtaining
credentials. This information can be used to perform cluster-specific credential
acquisition logic. In order to enable this behavior, the `provideClusterInfo` field must
be set on the exec user field in the
[kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/). Here is an
example of the aforementioned `KUBERNETES_EXEC_INFO` environment variable.
```json
{
"apiVersion": "client.authentication.k8s.io/v1beta1",
"kind": "ExecCredential",
"spec": {
"cluster": {
"server": "https://172.17.4.100:6443",
"certificate-authority-data": "LS0t...",
"config": {
"arbitrary": "config",
"this": "can be provided via the KUBERNETES_EXEC_INFO environment variable upon setting provideClusterInfo",
"you": ["can", "put", "anything", "here"]
}
}
}
}
```