Ability To Send Custom Headers From kubectl

[joshkurz]

What would you like to be added?

It would be nice to have the option to pass along custom headers from kubectl to the k8s api. This would allow for more security options to be used, possibly tracing options or monitoring options as well.

Thinking it could look something like

kubectl get pods --customheader foo:bar --customheader far:bar 

It should work with any command as it would need to be global, since any api call could possibly need the custom header ability.

It could also be an option in the kubeconfig per cluster. That way it would not need to be set every single command.

Why is this needed?

It's a best practice to lock down the k8s api, via networking layer, and not run it on the public internet. This requires the api to either have a firewall on it that only allows traffic from specific IPs or to be internal to a network and then some proxy is required to reach it externally, which is typically locked down to IPs as well.

If we had the ability to pass custom headers, we could use zero trust security products that could front the api and then allow much stronger identity based access to the API. This would allow for multi factor auth on k8s API, by locking down the API to only users that need access to it, then on top of that, k8s based authn/z. Allowing for both factors of security is a good way to prevent zero day issues effecting your api. This also allows for k8s to be fully supported by zero trust solutions.

[k8s-ci-robot]

@joshkurz: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[brianpursley]

/sig cli

[sftim]

If client-go supports this, we could transfer this issue to k/kubectl.

[brianpursley]

@sftim Yes, this should be transferred to k/kubectl for better visibility for sig-cli.

/transfer kubectl

[seans3]

Please have a look at: kubernetes/kubernetes#98952.

It does not implement this exactly (instead adding headers for the invoked kubectl command), but would show a way forward on implementation if the sig agrees.

[joshkurz]

Thanks @seans3 it looks like we could possibly leverage that code to allow for customHeaders. Do you think it would make sense to combine the functionality of ParseCommandHeaders and rename to ParseHeaders and just add a parameter that passes in the custom headers array. If they exist, we add those alongside of commandHeaders. High level idea, i'm sure there are some gotchas in there.

[liziwl]

Other k8s client, like fabric8 client or official Java client can add an interceptor (by okhttp) to set custom headers.

• How to add headers to OkHttp request interceptor?

[joshkurz]

Thanks @liziwl that is good to note.

So if other clients can do this, should kubectl be able too as well?
Are there any concerns of doing this?
What are the reasons why we would not want to do it?