KEP-5339: add additional cluster-specific auth info field to the cluster profile object

[michaelawyu]

• One-line PR description: this PR updates KEP-5339 to add a field for cluster-specific auth information in the cluster profile API

• Issue link: sig-multicluster's ClusterProfile should have a way to support credentials issuance #5339

• Other comments:

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: michaelawyu / name: michaelawyu (1cbec78, 792f846, 8d9c0c5, b96d925, bce1a46, c5d0768, c88da8c, f9d858e)

[k8s-ci-robot]

Welcome @michaelawyu!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: michaelawyu
Once this PR has been reviewed and has the lgtm label, please assign jeremyot for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-multicluster/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @michaelawyu. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[skitt]

/ok-to-test

[lauralorenz]

Triage notes:

• Needs reviews from the community, please take a look

[skitt]

This looks good to me, thanks; before I approve it, do you have an example handy of a real-world situation showing how these extensions would be used in practice?

[qiujian16]

this looks good to me, I think you also need to update the metadata.yaml

[corentone]

Suggested change

	further reserves a an extension name, `client.authentication.k8s.io/exec`, that can be used to pass cluster-specific
	further reserves an extension name, `client.authentication.k8s.io/exec`, that can be used to pass cluster-specific

[michaelawyu]

Thanks, coretone! Let me fix this.

[corentone]

how is this paragraph different from the previous one? You seem to imply that its additive to the previous one, but it seems to just explain the in-code behavior that the Extension content always overwrites any ExecConfig.Config ?

[michaelawyu]

Hi coretone! Let me simplify this sections about client.authentication.k8s.io/exec a bit so that the PR can be more focused.

[corentone]

Exec plugins are not mandated to support this environment variable either;

I don't think its an actual issue. if they don't support the envvar, it means they don't need data that would be in it...

[michaelawyu]

Hi coretone! It is true, though I am more thinking in the way that the plugins might have other ways to take the inputs needed... Anyway, as mentioned earlier, let me simplify the sections a bit more.

[corentone]

it is not guaranteed that the included extension data can be properly extracted

This would actually be a misconfiguration? I don't think anyone must protect the extension. The paragraph from line l.319 to l.326 gives a good summary that things may breakdown if marshalling/unmarshalling doesnt work.

[michaelawyu]

Hi coretone! For this part the idea was that both the marshaller and the unmarshaller must know the expected object type (scheme) to make it work, but from the communit library's perspective it is a bit difficult to achieve so. Once again, let me simplify this a bit.

[corentone]

can we remove this intro or shorten it?

Maybe something like: Extensions are useful for ClusterProfile to communicate additional elements such as audience, identity guidance etc.

[michaelawyu]

Sure, let me simplify this part.

[corentone]

Most, if not all, exec plugins would expect such information from the CLI arguments or some environment variables.

This I disagree with the wording. The mechanism described above is via KUBERNETES_EXEC_INFO and it would mostly be good for the vast majority.

I would prefer to point out on possible shortcomings of the envvar, which are:

1. Length limitations (which is proposed above as a blocker, though I'd question if args don't suffer the same issues)
2. Ability to leverage existing binaries that require usage of arguments instead of the envvar.

[michaelawyu]

Hi coretone! I might have a little bit different idea on the vast majority part given how well the KUBERNETES_EXEC_INFO env var is supported right now but I do get the point. Will tweak the wordings a bit to be more focused.

[corentone]

Suggested change

	additional CLI arguments that need to be supplied to the exec plugin when the Cluster Profile API and community-provided
	additional CLI arguments that would be supplied to the exec plugin when the Cluster Profile API and community-provided

[michaelawyu]

Hi coretone! Thanks, let me fix the part.

[corentone]

indent left?

[michaelawyu]

Hi coretone! Thanks, let me fix the part.

[corentone]

I agree with the section and default recommendation. But I'd love more details here.

Could we recommend a field similar to ProvideClusterInfo that would be AllowClusterProfileSourcedArgs (defaults to false) and AllowClusterProfileSourcedEnv (defaults to false).

Those arguments would be set in the Provider, defined in Configuring plugins in the controller

[michaelawyu]

Hi coretone! I do not have a preference on this part, let me make the edits.

[skitt]

See also this PR: kubernetes-sigs/cluster-inventory-api#27

[kahirokunn]

I created the following PR, and discussed and agreed with corentone to incorporate the extensions specification.

kubernetes-sigs/cluster-inventory-api#21

After this implementation was merged, I immediately created the PR for #5643 and requested a review on Slack.

https://kubernetes.slack.com/archives/C09R1PJR3/p1760015723440499?thread_ts=1756771754.324819&cid=C09R1PJR3

This PR seems to have been opened before my PR, but the commit dates suggest my PR is older.
As I am the implementer of extensions, I am confident that I submitted the KEP correction immediately after implementation. However, my PR and your PR appear to partially overlap, though not completely.
How should we merge this? 👀

[michaelawyu]

I created the following PR, and discussed and agreed with corentone to incorporate the extensions specification.

kubernetes-sigs/cluster-inventory-api#21

After this implementation was merged, I immediately created the PR for #5643 and requested a review on Slack.

https://kubernetes.slack.com/archives/C09R1PJR3/p1760015723440499?thread_ts=1756771754.324819&cid=C09R1PJR3

This PR seems to have been opened before my PR, but the commit dates suggest my PR is older. As I am the implementer of extensions, I am confident that I submitted the KEP correction immediately after implementation. However, my PR and your PR appear to partially overlap, though not completely. How should we merge this? 👀

Hi @kahirokunn! I don't think this PR is a duplicate of #5643 though; as you can see from the changes in the PR, the primary goal of this PR was to reserve additional, multi-cluster specific extensions, multicluster.x-k8s.io/clusterprofiles/auth/exec/additional-args and multicluster.x-k8s.io/clusterprofiles/auth/exec/additional-envs. This PR only talks about how we handle client.authentication.k8s.io/exec because:

a) it is an existing mechanism defined in previous KEPs that we are supposed to support; and
b) it can also be used to pass cluster-specific information, but it was a bit difficult to use for some, if not many plugins

and the discussion scope about client.authentication.k8s.io/exec in this PR does not go beyond the scope that is basically saying "we are going to support it as prev. KEPs discussed" kind of manner.

With this being said, would it make things easier if I simplify the PR a bit to focus more on the newly reserved extensions and less about client.authentication.k8s.io/exec?

[kahirokunn]

Thank you for the clarification! That makes perfect sense to me.
I'm glad to hear that our two PRs can be aligned without conflicts.
Please go ahead with simplifying your PR as you suggested. I appreciate your consideration! 🙏

[corentone]

I approved #5643; I think we can get it in and rebase that one on top. Indeed there is alignment and just the wording is different.
Given this builds on top and the focus is a bit more on adding env/flags, let's merge #5643 and rebase this one on top.

Thank you for applying my suggestions and editing the text! Let's align the PRs content, do a final review and push this!