
kauthproxy's Introduction

kauthproxy

This is a kubectl plugin of the authentication proxy to access Kubernetes Dashboard.

You can access Kubernetes Dashboard with your credentials instead of entering a service account token. It provides better user experience and security.

kauthproxy supports the following environments:

Note that kauthproxy does not work with client certificate authentication.

Getting Started

Install

Install the latest release from Homebrew, Krew, aqua, or GitHub Releases.

# Homebrew (macOS)
brew install int128/kauthproxy/kauthproxy

# Krew (macOS, Linux and Windows)
kubectl krew install auth-proxy

# aqua
aqua g -i int128/kauthproxy

You can deploy the manifest of Kubernetes Dashboard from here.

Run

To access Kubernetes Dashboard in your cluster:

% kubectl auth-proxy -n kubernetes-dashboard https://kubernetes-dashboard.svc
Starting an authentication proxy for pod/kubernetes-dashboard-57fc4fcb74-jjg77:8443
Open http://127.0.0.1:18000
Forwarding from 127.0.0.1:57866 -> 8443
Forwarding from [::1]:57866 -> 8443

kauthproxy opens the browser automatically, and you will see Kubernetes Dashboard logged in as yourself.

screenshot

How it works

Authentication

Kubernetes Dashboard supports header-based authentication. kauthproxy forwards HTTP requests from the browser to Kubernetes Dashboard and supplies that header on your behalf.

Take a look at the diagram:

diagram

When you access Kubernetes Dashboard, kauthproxy forwards HTTP requests by the following process:

  1. Acquire your token from the credential plugin or authentication provider configured in your kubeconfig.
  2. Set the Authorization: Bearer TOKEN header on the request and forward the request to the pod.
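The two steps above, written out as an added example (this is not kauthproxy's own code): a loopback-only reverse proxy that fetches the token through a TokenSource callback, drops any Authorization header the browser sent, sets its own Bearer header, and refuses to forward when no token can be acquired. The target URL and the token returned by the placeholder TokenSource are constructed values.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// TokenSource yields the caller's current bearer token, e.g. from a kubeconfig
// credential plugin. An error must fail the request, never forward it without auth.
type TokenSource func() (string, error)

// AuthProxy forwards browser requests to the target (the port-forwarded
// Dashboard pod) with the user's token in the Authorization header.
type AuthProxy struct {
	target *url.URL
	tokens TokenSource
	proxy  *httputil.ReverseProxy
}

// NewAuthProxy wires a single-host reverse proxy to target.
func NewAuthProxy(target *url.URL, tokens TokenSource) *AuthProxy {
	p := &AuthProxy{target: target, tokens: tokens}
	p.proxy = httputil.NewSingleHostReverseProxy(target)
	director := p.proxy.Director
	p.proxy.Director = func(req *http.Request) {
		director(req)
		req.Host = target.Host // the pod sees its own host, not 127.0.0.1
	}
	return p
}

// ServeHTTP acquires a token per request (so a refreshed token takes effect),
// discards whatever Authorization header the browser sent, and sets ours.
func (p *AuthProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok, err := p.tokens()
	if err != nil || tok == "" {
		http.Error(w, "could not acquire a token", http.StatusBadGateway)
		return
	}
	out := r.Clone(r.Context())
	out.Header.Del("Authorization")
	out.Header.Set("Authorization", "Bearer "+tok)
	p.proxy.ServeHTTP(w, out)
}

func main() {
	// Constructed stand-alone wiring: a local target and a placeholder token.
	target, err := url.Parse("https://127.0.0.1:8443")
	if err != nil {
		log.Fatal(err)
	}
	placeholder := func() (string, error) { return "PLACEHOLDER_TOKEN", nil }
	// Bind to loopback only, as kauthproxy does, so other hosts cannot use the proxy.
	log.Fatal(http.ListenAndServe("127.0.0.1:18000", NewAuthProxy(target, placeholder)))
}
```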

Authorization

kauthproxy requires the following privileges:

  • Get the Service of Kubernetes Dashboard.
  • List the Pods of Kubernetes Dashboard.
  • Port-forward to the Pod of Kubernetes Dashboard.

If you need to assign the least privilege for production, see an example of Role.

Usage

Usage:
  kubectl auth-proxy POD_OR_SERVICE_URL [flags]

Flags:
      --add_dir_header                   If true, adds the file directory to the header
      --address stringArray              The address on which to run the proxy. If set multiple times, it will try binding the address in order (default [127.0.0.1:18000,127.0.0.1:28000])
      --alsologtostderr                  log to standard error as well as files
      --as string                        Username to impersonate for the operation
      --as-group stringArray             Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir string                 Default HTTP cache directory (default "~/.kube/http-cache")
      --certificate-authority string     Path to a cert file for the certificate authority
      --client-certificate string        Path to a client certificate file for TLS
      --client-key string                Path to a client key file for TLS
      --cluster string                   The name of the kubeconfig cluster to use
      --context string                   The name of the kubeconfig context to use
  -h, --help                             help for kubectl
      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string                Path to the kubeconfig file to use for CLI requests.
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
  -n, --namespace string                 If present, the namespace scope for this CLI request
      --request-timeout string           The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string                    The address and port of the Kubernetes API server
      --skip-open-browser                If set, skip opening the browser
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
      --token string                     Bearer token for authentication to the API server
      --user string                      The name of the kubeconfig user to use
  -v, --v Level                          number for the log level verbosity
      --version                          version for kubectl
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging

Contributions

This is open source software. Feel free to open issues and pull requests.

End-to-end test

To provision a cluster:

# requires Docker, Kind and Chrome
brew cask install docker google-chrome
brew install kind

# provision a cluster and deploy Kubernetes Dashboard
make -C e2e_test deploy

You can access the cluster as follows:

export KUBECONFIG=e2e_test/output/kubeconfig.yaml

# show all pods
kubectl get pods -A

# open Kubernetes Dashboard
./kauthproxy -n kubernetes-dashboard --user=tester https://kubernetes-dashboard.svc

To run the automated test:

make -C e2e_test test

To delete the cluster:

make -C e2e_test delete-cluster


kauthproxy's Issues

Dependabot can't parse your go.mod

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/sync/@v/v0.0.0-20190423024810-112230192c58.mod442395275.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20191209160850-c0dbc17a3553.mod597883780.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/sys/@v/v0.0.0-20190215142949-d0b11bdaac8a.mod545942474.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/sys/@v/v0.0.0-20191228213918-04cbcbbfeed8.mod533827574.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/net/@v/v0.0.0-20190311183353-d8887717615a.mod271365395.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.0.0-20190308221718-c2843e01d9a2.mod98092523.tmp: no space left on device
go: writing go.mod cache: write /opt/go/gopath/pkg/mod/cache/download/golang.org/x/tools/@v/v0.0.0-20190422233926-fe54fb35175b.mod782064401.tmp: no space left on device
go: github.com/chromedp/[email protected] requires
	github.com/gobwas/[email protected]: codehost.WorkDir: can't find or create lock file: open /opt/go/gopath/pkg/mod/cache/vcs/525569a280ddbd0a05b0ff8e005ab9177dbbe978ad73ebe28553f46a73a3b594.lock: no space left on device

View the update logs.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/e2e-test.yaml
  • actions/checkout v4@a5ac7e51b41094c92402da3b24376905380afc29
  • actions/setup-go v5
.github/workflows/go.yaml
  • int128/go-workflows v0.3.0
  • actions/checkout v4@a5ac7e51b41094c92402da3b24376905380afc29
  • actions/setup-go v5
.github/workflows/manifest.yaml
  • actions/checkout v4@a5ac7e51b41094c92402da3b24376905380afc29
  • int128/kustomize-action v1
.github/workflows/release.yaml
  • actions/checkout v4@a5ac7e51b41094c92402da3b24376905380afc29
  • actions/setup-go v5
  • int128/go-actions v1
  • actions/checkout v4@a5ac7e51b41094c92402da3b24376905380afc29
  • rajatjindal/krew-release-bot v0.0.46
gomod
go.mod
  • go 1.22.2
  • github.com/cenkalti/backoff/v4 v4.3.0
  • github.com/chromedp/chromedp v0.9.5
  • github.com/golang/mock v1.6.0
  • github.com/google/wire v0.6.0
  • github.com/int128/listener v1.1.0
  • github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c@5ac0b6a4141c
  • github.com/spf13/cobra v1.8.0
  • github.com/spf13/pflag v1.0.5
  • golang.org/x/sync v0.7.0
  • k8s.io/api v0.30.1
  • k8s.io/apimachinery v0.30.1
  • k8s.io/cli-runtime v0.30.1
  • k8s.io/client-go v0.30.1
  • k8s.io/klog/v2 v2.120.1
regex
.github/workflows/go.yaml
  • golangci/golangci-lint v1.59.1
e2e_test/kustomization.yaml
  • kubernetes/dashboard v2.7.0
  • kubernetes-sigs/metrics-server v0.7.1

  • Check this box to trigger a request for Renovate to run again on this repository

Dependabot can't resolve your Go dependency files

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

rsc.io/quote/[email protected]: unrecognized import path "rsc.io/quote/v3" (parse https://rsc.io/quote/v3?go-get=1: no go-import meta tags ())

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Resume connection to pod

A connection to a pod is lost after the timeout as follows:

% kubectl auth-proxy -n kube-system https://kubernetes-dashboard.svc
Starting an authentication proxy for pod/kubernetes-dashboard-6f6b6d8db9-8cqg4:8443
Open http://127.0.0.1:62733
Forwarding from 127.0.0.1:62732 -> 8443
Forwarding from [::1]:62732 -> 8443
Handling connection for 62732
E1001 20:49:14.579714    7229 portforward.go:233] lost connection to pod

It would be nice if kauthproxy resumes the connection.

Websocket support

Thanks for building this incredibly useful tool!

Does kauthproxy support websocket connections? I'm trying to use it with a custom kubernetes tool that uses websockets but the client is unable to open websocket connections to the server through kauthproxy (v1.2.2).

Add the installation guide with aqua to the document

Hi, thank you for your great project!

We suggest adding the installation guide with aqua to the document.
aqua is a declarative CLI Version Manager.
You can install this tool with aqua.

aqua init # Create aqua.yaml
aqua g -i int128/kauthproxy # Add this tool to aqua.yaml
aqua i # Install tools

For the detail of aqua, please see the official document.

We expect you can just copy and paste the following guide to your document.


Install with aqua

You can install this tool with aqua.

aqua g -i int128/kauthproxy # Add int128/kauthproxy to aqua.yaml

Thank you.

This issue was created automatically by script. For the detail, please see here.

[krew] Distribute with license

👋 Hello, maintainer of the kubectl plugin manager krew here.

Thank you for your commitment to open source by making this plugin available via krew!

Krew wants to give credit where credit is due by installing the proper license file for the plugins it distributes. However, your plugin was found to not contain any license file. We wanted to remind you that if you're using a license such as Apache 2.0, you should be bundling your LICENSE file with your plugin’s distributions.

What do you have to do?

  • Please ensure your GitHub repository has a license file.
  • Make sure your archive file (.tar.gz or .zip) contains the license file.
  • Please submit a pull-request to krew-index and update the files: section to copy the file to the installation directory. Have a look at this PR for an example: https://github.com/kubernetes-sigs/krew-index/pull/314/files

If you need further assistance, don't hesitate to ask for help.

checksum mismatch on 1.2.1 release

I wasn't able to install kauthproxy via krew because of a checksum mismatch error. I was able to reproduce the error outside of kubectl/krew:

[LAPTOP-9M95256K]/home/tim/tmp > ls -la kauthproxy_linux_amd64.zip*
-rw-r--r-- 1 tim tim 19432320 Dec  6 21:16 kauthproxy_linux_amd64.zip
-rw-r--r-- 1 tim tim       93 Dec  6 21:16 kauthproxy_linux_amd64.zip.sha256
[LAPTOP-9M95256K]/home/tim > cat kauthproxy_linux_amd64.zip.sha256
8199aad0e90d626bf37886558e2a13ae8b13ec280d47c7d52957addf2ce0c283 *kauthproxy_linux_amd64.zip
[LAPTOP-9M95256K]/home/tim > sha256sum kauthproxy_linux_amd64.zip.sha256
ae49e1c71a112af7a319547091ab7785ce7edd2804ada789fdafbb8106b430b7  kauthproxy_linux_amd64.zip.sha256

EDIT: I see my error in the sha256sum line above. See comment below. Checksum is matching fine outside of my work environment, where I can easily reproduce this:

~  >> mkdir tmp
~  >> cd tmp
~/tmp  >> wget https://github.com/int128/kauthproxy/releases/download/v1.2.1/kauthproxy_linux_amd64.zip
.
.
.
~/tmp  >> wget https://github.com/int128/kauthproxy/releases/download/v1.2.1/kauthproxy_linux_amd64.zip.sha256
.
.
.
~/tmp  >> ls -la
total 19008
drwxr-xr-x 1 tim tim      512 Apr 12 09:23 .
drwxr-xr-x 1 tim tim      512 Apr 12 09:22 ..
-rw-r--r-- 1 tim tim 19408014 Dec  6 21:16 kauthproxy_linux_amd64.zip
-rw-r--r-- 1 tim tim       93 Dec  6 21:16 kauthproxy_linux_amd64.zip.sha256
~/tmp  >> cat kauthproxy_linux_amd64.zip.sha256
8199aad0e90d626bf37886558e2a13ae8b13ec280d47c7d52957addf2ce0c283 *kauthproxy_linux_amd64.zip
~/tmp  >> sha256sum kauthproxy_linux_amd64.zip
04f544ac96e5f710d3d1cbbb60e6b35c22f6a3b0ab30924e815f6c48fd40a651  kauthproxy_linux_amd64.zip

Is it possible to authenticate against Azure AD without using oidc-login

I am using a managed AKS cluster and I am using the azure auth provider in my kube config. Is it possible to only use this plugin to authenticate against the provider. For example, my config looks like

users:
  user:
    auth-provider:
      config:
        access-token: redacted
        apiserver-id: redacted
        client-id: redacted
        environment: AzurePublicCloud
        expires-in: "3599"
        expires-on: "1589901220"
        refresh-token: redacted
        tenant-id: redacted
      name: azure

I want to use this configuration itself without adding another user item to work with oidc-plugin. I have already attempted a kubectl auth-proxy -n kubernetes-dashboard https://kubernetes-dashboard.svc using this user in the context, but it gave me an error:

error: could not run an authentication proxy: could not create a resolver: could not create a client: no Auth Provider found for name "azure"
exit status 1

This error seems to be coming from client-credential which is already a dependency of this project and the client-credential project has the azure login so I am not sure what I am missing here.

Any help is much appreciated.

Clarify plugin names in code and documentation

I originally installed kauthproxy manually (not using krew) by copying the binary from release 1.2.1 into /usr/local/bin/kubectl-auth-proxy, but when I then invoke kubectl auth-proxy -n kubernetes-dashboard https://kubernetes-dashboard.svc, I get:

warning: kubectl-auth-proxy overwrites existing command: "kubectl auth"

From the plugin docs I learned that the kubectl plugin mechanism just looks for binaries on path named kubectl-<plugin name> where the <plugin name> is identical to the kubectl subcommand. Also from the section on naming plugins I learned that there can be multiple subcommands in a kubectl call, with each permutation implemented by an individual plugin binary named following the convention kubectl-<subcommand 1>-<subcommand 2>-....

This explains my issue: because I named the binary kubectl-auth-proxy [1], using hyphens, kubectl expects this binary to implement the command kubectl auth proxy, and of course auth is a built-in subcommand.

So by simply renaming the plugin binary from kubectl-auth-proxy to kubectl-ap I was then able to work around the current issue and run the kubectl ap command without this warning occurring.

I see that krew install auth-proxy installs as the kubectl-auth_proxy binary, working around the issue.

I'd like to see the naming of things here get updated to not so confuse the next person that comes here wearing shoes like mine. At the very least I'd like to see the README get fixed to state the correct command for starting the proxy:

kubectl auth_proxy -n kubernetes-dashboard https://kubernetes-dashboard.svc

But I think some clarification about the 3 different names used throughout the project and why is warranted:


Explanation of Plugin Names

  1. The repo/project is named kauthproxy, and is completely independent of the plugin name.
  2. The name of the plugin in the krew index is auth-proxy, thus the instructions to kubectl krew install auth-proxy.
  3. The installed plugin is named auth_proxy, corresponding to the installed binary kubectl-auth_proxy.

The naming discrepancy between 2. and 3. is required to prevent the plugin from masking the built-in auth kubectl sub-command. Although auth and auth-proxy are distinct strings, plugins which implement multiple kubectl subcommands are implemented by a binary expected to be named kubectl-<subcommand 1>-<subcommand 2>-..... Therefore, essentially, hyphens must be omitted from plugin names.

But IMO it's much better to just clean up the naming discrepancies in the code, in which case the documentation clarification is unnecessary.

Footnotes

  [1] which I did because the command documented in the Run section of your README is wrong.

How to set default user?

In order to get kauthproxy to log me into the dashboard automatically I had to specify a user as a command line option. Is this expected? My kubectl context is already configured to get tokens from aws-iam-authenticator automatically. Can I configure kauthproxy to use the same user as kubectl by default?
