kubectl --token is not honored when ~/.kube/config has an authentication token #44476
Comments
|
The token arg on the command line overrides the bearer token field in the config file, but I'm not sure the precedence of the token arg and the auth provider in the config file. cc @cjcullen |
liggitt
added
sig/auth
|
All auth providers currently override the "Authorization" header even if it's set. Should be an easy-ish check to add. Long term we probably want to have the auth provider stop wrapping the transport and just act like a token source #39587 (comment), that way some central code would handle the HTTP headers and we wouldn't have to enforce this on a per plugin basis. |
|
@ericchiang So the tokens from command line should be used, right? if so I can send a pr to fix this. |
|
@wanghaoran1988 the client auth plugins shouldn't override the "Authorization" headers. Yeah feel free to send a PR. |
|
@cjcullen Is this a regression or why 1.7? |
|
@pwittrock bug is pretty self contained in the GCP client auth plugin and the fix is short #45575 Not strictly a regression, but something that popped up over this cycle as a bug impacting users. Is that reason enough to get it in during the 1.7 freeze? |
Automatic merge from submit-queue Make gcp auth provider not to override the Auth header if it's already exits **What this PR does / why we need it**: Make AuthProvider not wrap the transport if beartoken or basic auth is enabled **Which issue this PR fixes** : fixes #44476 **Special notes for your reviewer**: **Release note**: ``` GCP auth plugin no longer overwrites existing Authorization headers. ```
What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.):
kubectl token
BUG REPORT
Kubernetes version (use
kubectl version):kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.0", GitCommit:"fff5156092b56e6bd60fff75aad4dc9de6b6ef37", GitTreeState:"clean", BuildDate:"2017-03-28T16:36:33Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1", GitCommit:"b0b7a323cc5a4a2019b2e9520c21c7830b7f708e", GitTreeState:"clean", BuildDate:"2017-04-03T20:33:27Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
Cloud provider or hardware configuration:
GKE
OS (e.g. from /etc/os-release):
macOS Sierra 10.12.4
Kernel (e.g.
uname -a):➜ uname -a
Darwin jacobsimpson-macbookpro.roam.corp.google.com 16.5.0 Darwin Kernel Version 16.5.0: Fri Mar 3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64
Install tools:
Others:
What happened:
I set up a second user, then I use
kubectl --tokento authenticate as the second user. The--tokenparameter is ignored and the authentication token from the~/.kube/configfile is used instead, so I'm authenticated as the user configured in the config file, not as the user set on the command line parameters.I further verified this by commenting out the section in the config file with the authentication token and then the
--tokenparameter starts to work as expected.What you expected to happen:
I expect the command line parameters, when present, to override the config file settings.
How to reproduce it (as minimally and precisely as possible):
At this point, the error message should be indicating kubectl tried to authenticate with the
user-1account. Something like this:Now edit
~/.kube/config, search for theauth-provider:section for your cluster and comment out the whole section for the test cluster.Now it should be possible to run these two commands. The one using the $admin_token will succeed, the one using the $user_token will fail with the error message indicating the user name.
Anything else we need to know:
The text was updated successfully, but these errors were encountered: