-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client Exec Proxy #2693
Client Exec Proxy #2693
Conversation
/cc @micahhausler |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fill out the other sections.
We probably need to schedule some time to hash out the finer details of this API.
e213a1b
to
1749701
Compare
42a702b
to
904f46f
Compare
904f46f
to
eff6dfe
Compare
Thanks. The problem/motivation make sense to me and the approach is reasonable. Comments are mostly seeking clarification and additional specification in some areas. |
/remove-lifecycle rotten |
@enj Updated with your feedback. |
29754bd
to
779bab4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still need to review some of the later parts of the KEP doc.
The client will authenticate to its proxy using mTLS. On exec, the proxy will | ||
pass back client key and certificate authority data for the client to use for | ||
authentication when establishing a connection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some details on the implementation may be interesting here. For example, I think we could us Go's reverse proxy code to implement this.
779bab4
to
c506511
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments but looks pretty good from a PRR perspective.
Ok, well, I am just waiting for SIG approval - PRR is fine. Deadline is close... |
- Metric name: | ||
- [Optional] Aggregation method: | ||
- Components exposing the metric: | ||
- Metric name: `rest_client_exec_plugin_with_proxy_call_total` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that just a count? can we differentiate errors? (non-blocking question)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we will be able to differentiate errors, the implementation follow the example of: https://github.com/kubernetes/client-go/blob/d3b97581d2e22eef0f02a6667e19dfc193df7a3e/plugin/pkg/client/auth/exec/metrics.go
954ce93
to
08f4a49
Compare
A KEP to propose a client-side proxy for a number of client authentication use cases.
08f4a49
to
b08382a
Compare
/lgtm This is close enough for us to figure out the final details during the implementation. |
/lgtm |
/assign @johnbelamaric |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, johnbelamaric, mikedanese, nckturner The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
A KEP to propose a client-side proxy for a number of client authentication use cases.