-
Notifications
You must be signed in to change notification settings - Fork 42
remove exec and auth provider check to utilize kubeconfig with oidc enabled #221
remove exec and auth provider check to utilize kubeconfig with oidc enabled #221
Conversation
I think it depends on whether the kubeconfigs are coming / are read from a trusted source.
If the above is true, we could assume that also the kubconfig secrets that we read from the gardener are safe. The gardener has implemented a validating webhook to validate secrets containing kubeconfigs |
Yes, I also agree with @petersutter here. It's always good to double check but I guess we gain more out of it if we leave it to the user to check the |
thanks for your comments @petersutter @DockToFuture , i had another suggestion, if we could allow What do you think? if it's OK i will add these warning message to this PR Thanks |
In case we want to display a warning message (do not have a strong opinion here)
nit: change to [...] could contain malicious code[...] Other suggestion: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm, as discussed with @ThormaehlenFred there are no further concerns.
What this PR does / why we need it:
In gardenctl there's validation against kubeconfig which doesn't allow kubeconfig contains
exec
orauth provider
to prevent malicious executable code. Now with OIDC enabled, kubeconfig contains exec part, so i would like to propose this PR to discuss whether we can remove this check in gardenctlWhich issue(s) this PR fixes:
Fixes #217 and #175
Special notes for your reviewer:
/CC @dansible @ThormaehlenFred @DockToFuture @ialidzhikov @vpnachev @donistz
Basically this PR enables gardenctl to utilize oidc enabled kubeconfig, i did some basic testing like
gardenctl target garden/seed/shoot
and then do some kubectl operation likegardenctl k get pods -- -n kube-system
etc , so far so good.Indeed it is security to allow using kubeconfig with exec part which can execute any code, as discussed in https://banzaicloud.com/blog/kubeconfig-security/ (thanks for @DockToFuture ), we could discuss e.g. we add some warning message in gardenctl project regarding this? to let people know gardenctl allow using kubeconfig contains exec part which could be security risk....
Release note: