kubie icon indicating copy to clipboard operation
kubie copied to clipboard

Published 20 hours ago verified publisher icon sbstp

Feature request: allow impersonation with temporary context

Open jonmoter opened this issue 4 years ago • 6 comments

Normally when I use kubectl to interact with shared/production clusters, I use credentials for a user with read-only permissions. But the user has the ability to impersonate a user with admin-level permissions. So if I need to make a change, I can run something like:

kubectl --as=admin --as-group=system:masters delete pod ${pod_name}

It's kindof like using sudo for executing commands with higher permissions.

It would be useful for me to be able to run something like this:

kubie ctx --as=admin --as-group=system:masters --as-reason="deleting stuck pod"

That would give me a shell where the temporary kubeconfig file would have:

users:
- name: user-as-admin
  user:
    # Normal credentials here, could be client certs, exec, whatever
    username: foo
    password: password123
    # Impersonation information below
    as: admin
    as-groups:
      - system:masters
    as-user-extra:
      reason:
        - deleting stuck pod

Then I could run a few commands with those credentials, and then exit out of the shell.

This would also be useful for CLI tools like istioctl that do not support passing --as as a command-line flag.

jonmoter avatar Apr 07 '20 14:04 jonmoter

This is a great idea. The prompt could even be changed to display the user in this mode [context|namespace|@user].

Do you intend on working on this feature? No pressure to do it, just want to know who's working on what.

sbstp avatar Apr 07 '20 16:04 sbstp

For now I just wanted to write down the idea before it slipped out of my head.

At the moment I'm pretty busy with work/family/life, so I can't commit to executing in any particular amount of time. But if I have some extra time to hack up a PR, I'll do so.

jonmoter avatar Apr 07 '20 18:04 jonmoter

It seems like a simple enough change. I can write it in a branch so you can test. I don't have this kind of role configured in my clusters, I'll have to setup it up if I want to test it out.

sbstp avatar Apr 08 '20 16:04 sbstp

Is there an update on this feature? Recently ran into the need to use impersonations and I think the way you guys have outlined it above would be a great addition to kubie.

sgloutnikov avatar Jan 31 '22 23:01 sgloutnikov

I'm not really working on new features for kubie at the moment. I would merge & review PRs for new features but I don't really have the time or inclination to develop new stuff.

sbstp avatar Feb 01 '22 03:02 sbstp

Really appreciate the work so far! If I find some time myself I'd love to learn some Rust and make a contribution to the project.

sgloutnikov avatar Feb 03 '22 21:02 sgloutnikov