Add auth delegation utilities

Open MikailBag opened this issue 3 years ago • 2 comments

Motivation

Applications usually perform some authentication & authorization, and for Kubernetes-native apps it makes sense to leverage the apiserver for that, e.g. this is recommended for the extension API servers.

Solution

This PR adds a simple high-level client together with SubjectAccessReview builders.

Additionally, while I was writing an example, I realized that currently it is not possible to create subresources, so I added a method for this in a separate commit.

MikailBag avatar Jan 07 '22 22:01 MikailBag

Codecov Report

Merging #778 (647233e) into master (4d991fe) will decrease coverage by 1.69%. The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #778      +/-   ##
==========================================
- Coverage   71.99%   70.29%   -1.70%     
==========================================
  Files          54       55       +1     
  Lines        3631     3720      +89     
==========================================
+ Hits         2614     2615       +1     
- Misses       1017     1105      +88     
Impacted Files Coverage Δ
kube-client/src/lib.rs 92.80% <ø> (ø)
kube-client/src/util/auth.rs 0.00% <0.00%> (ø)
kube-core/src/request.rs 92.16% <0.00%> (-2.84%) :arrow_down:
kube/src/lib.rs 87.80% <ø> (ø)
kube-runtime/src/wait.rs 70.00% <0.00%> (+2.00%) :arrow_up:

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 4d991fe...647233e.

codecov-commenter avatar Jan 07 '22 22:01 codecov-commenter

Hey, thanks a lot for all of this! I think it makes sense to include a lot of this in kube, and will come back in a day or two to give this a proper review (the tokenreview stuff is all new to me, so need to read through this properly).

Some quick notes:

  • extra subresource create absolutely makes sense
  • authclient and associated enums makes sense
  • the builders for subjectaccessreview possibly makes sense - they might clash with https://github.com/kube-rs/k8s-pb/issues/9 down the line though :thinking:

clux avatar Jan 08 '22 16:01 clux

I'm going to close this: builders, while being useful, are probably out-of-scope for kube-rs, and the rest is already implemented in other PRs.

MikailBag avatar Oct 23 '22 17:10 MikailBag