Kubernetes Java client - OpenId auth support

5/30/2018

I am trying to use the Kubernetes Java client for a few use cases.

https://github.com/kubernetes-client/java

Our Kubernetes cluster has been implemented with OpenId authentication.

Unfortunately, the Java client doesn't support OpenId auth.

Java code :-

final ApiClient client = io.kubernetes.client.util.Config.defaultClient();
Configuration.setDefaultApiClient(client);

CoreV1Api api = new CoreV1Api();
V1PodList list = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null);
for (V1Pod item : list.getItems()) {
    System.out.println(item.getMetadata().getName());
}

Error :-

13:25:22.549 [main] ERROR io.kubernetes.client.util.KubeConfig - Unknown auth provider: oidc
Exception in thread "main" io.kubernetes.client.ApiException: Forbidden
    at io.kubernetes.client.ApiClient.handleResponse(ApiClient.java:882)
    at io.kubernetes.client.ApiClient.execute(ApiClient.java:798)
    at io.kubernetes.client.apis.CoreV1Api.listPodForAllNamespacesWithHttpInfo(CoreV1Api.java:18462)
    at io.kubernetes.client.apis.CoreV1Api.listPodForAllNamespaces(CoreV1Api.java:18440)

Is there any plan to support OpenId auth with the Java client? Or, is there any other way?

Thanks

-- user1578872

2 Answers

6/5/2019

Note that ok-http which underlies the api clients supports oauth. Our local cluster uses oidc and I've been able to talk to it as follows.

ApiClient client = new ClientBuilder()
    .setBasePath("https://api.kube.example.com/")
    .setAuthentication(new AccessTokenAuthentication(token))
    .build();

We have a custom command that logs you in to the system which is where I'm getting the token from.

I haven't tried this yet, but it might be possible to implement an io.kubernetes.client.util.authenticators.Authenticator for oidc which you would then register in KubeConfig#registerAuthenticator(Authenticator). If this does what I hope it does, you'd get the same functionality as the kubectl command line, which seems to know how to obtain a refresh token but can't do the up-front authentication.

-- Mumrah
Source: StackOverflow

6/1/2018

Apparently not, but by far the larger question is: what would you expect to happen with an oidc auth-provider in a Java setting? Just use the id-token? Be able to use the refresh-token and throw an exception if unable to reacquire an id-token? Some callback system for you to manage that lifecycle on your own?

Trying to do oidc from a library is fraught with peril, since it is almost certain that there is no "user" to interact with.

> Is there any plan to support OpenId auth with the Java client

Only the project maintainers could answer that, and it is unlikely they know to prioritize that kind of work when there is no issue describing what you would expect to happen. Feel free to create one.

> Or, is there any other way?

In the meantime, you still have Config.fromToken() where you can go fishing in your .kube/config and pull out the existing id-token then deal with any subsequent ApiException which requires using the refresh-token, because you will know more about what tradeoffs your client is willing to make.

-- mdaniel
Source: StackOverflow
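
The approach from the answer above (pull the existing id-token out of the kubeconfig and pass it to Config.fromToken()), as an added example that is not part of the original answers or the client project's code. It assumes the standard kubeconfig layout for the oidc auth-provider, the package names shown in the question's stack trace, and SnakeYAML and Gson on the classpath; the class and method names are hypothetical and the kubeconfig and token in main are constructed samples.

```java
import com.google.gson.Gson;
import com.google.gson.JsonObject;
import io.kubernetes.client.ApiClient;   // package layout as in the question's stack trace
import io.kubernetes.client.util.Config;
import org.yaml.snakeyaml.Yaml;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.*;

public class OidcKubeconfigToken {       // hypothetical helper, not part of the client library
    // Returns the id-token stored for `userName` under the "oidc" auth-provider.
    @SuppressWarnings("unchecked")
    static String idToken(String kubeconfigYaml, String userName) {
        Map<String, Object> cfg = (Map<String, Object>) new Yaml().load(kubeconfigYaml);
        for (Map<String, Object> u : (List<Map<String, Object>>) cfg.get("users")) {
            if (!userName.equals(u.get("name"))) continue;
            Map<String, Object> user = (Map<String, Object>) u.get("user");
            Map<String, Object> ap = (Map<String, Object>) user.get("auth-provider");
            if (ap == null || !"oidc".equals(ap.get("name"))) throw new IllegalStateException("no oidc auth-provider");
            return ((Map<String, String>) ap.get("config")).get("id-token");
        }
        throw new IllegalStateException("no such user: " + userName);
    }

    // Reads the unverified `exp` claim; signature validation stays with the API server.
    static Instant expiry(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a JWT");
        String claims = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        return Instant.ofEpochSecond(new Gson().fromJson(claims, JsonObject.class).get("exp").getAsLong());
    }

    // Fails early on a stale token instead of surfacing a bare ApiException later.
    static ApiClient clientFor(String apiServerUrl, String kubeconfigYaml, String userName) {
        String token = idToken(kubeconfigYaml, userName);
        if (token == null || !expiry(token).isAfter(Instant.now().plusSeconds(30)))
            throw new IllegalStateException("id-token missing or expired; log in again");
        return Config.fromToken(apiServerUrl, token); // two-argument form keeps TLS verification on
    }
    public static void main(String[] args) {
        String enc = Base64.getUrlEncoder().withoutPadding()
            .encodeToString("{\"exp\":4102444800}".getBytes(StandardCharsets.UTF_8));
        String jwt = "e30." + enc + ".c2ln"; // constructed, unsigned sample token
        String yaml = "users:\n- name: dev\n  user:\n    auth-provider:\n      name: oidc\n"
            + "      config:\n        id-token: " + jwt + "\n";
        System.out.println("expires " + expiry(idToken(yaml, "dev"))); // log the expiry, never the token
        System.out.println("client for " + clientFor("https://api.kube.example.com/", yaml, "dev").getBasePath());
    }
}
```

The id-token is a bearer credential, so the helper keeps it out of log output and exception messages and only ever reports its expiry.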