JENKINS-49817: Accept kubeconfig file as credentials

      Description

      It's unclear to me why the Kubernetes plugin requires so much configuration. In general, Jenkins should be able to talk to Kubernetes with a KUBECONFIG and nothing else. Yet, when I give it a KUBECONFIG via a Jenkins secret, it still seems to connect to 'kubernetes.svc.default' which seems incorrect to me.

      (Also, I didn't want to open a new bug for this, but why does this setup require the Jenkins instance to have port 5000 open? That's an operational burden for me...)

          Activity

          colemickens Cole Mickens added a comment -

          Are you opposed to allowing the user to specify kubeconfig creds? This is how credentials are distributed for every single cluster I've ever used. Most or all deployment tools output a kubeconfig, AKS/GKE both have `get-credentials` commands that output kubeconfig files, etc.

          It looks like the interface might have to be extended, or another added that the kubernetes-plugin could then probe/utilize...

          I think it would be a major UX win if the user could upload a kubeconfig file and be good to go. Extracting the URL, CA cert, etc. is just throwaway work. Maybe this is a result of how the kubernetes client works?

          csanchez Carlos Sanchez added a comment -

          What I've typically seen is the usage of service accounts and tokens; for security reasons you wouldn't use the full admin account in the plugin.
          That said, I'm not opposed to adding an option to use a kubeconfig. The code that checks the credentials type is here:
          https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L121

          The kubernetes client can read the kubeconfig from a file; that's what Config.autoConfigure() does: if a kubeconfig is present in the filesystem, it will use it.
          See the code here https://github.com/fabric8io/kubernetes-client/blob/f9b8ea2f25e95a232678ebc0ab66d0ee52490e05/kubernetes-client/src/main/java/io/fabric8/kubernetes/client/Config.java#L372

          colemickens Cole Mickens added a comment -

          A kubeconfig file doesn't mean or imply a root account. As an example, the kubeconfig I'm pulling apart and handing the plugin currently is for a rather limited user. GKE and Tectonic both issue non-root user accounts this way as well. AKS will when it gets to RBAC.

          Anyway, thank you for the pointers! I'll take a look when I get a chance.

          csanchez Carlos Sanchez added a comment -

          It's not root, but it is not a limited service account specifically tailored for jenkins as defined in https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/kubernetes/service-account.yml

          csanchez Carlos Sanchez added a comment -

          PR at https://github.com/jenkinsci/kubernetes-plugin/pull/294
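
What "extracting the URL, CA cert, etc." from a kubeconfig involves, as an added example that is not part of the original issue, the plugin or the fabric8 client: it resolves one context to its server, CA and credential type, and lists the identities in the file that the chosen context never uses. The sample kubeconfig, its values and the `resolve` helper are constructed for illustration.

```python
import base64
import json

# Constructed sample. kubeconfig is YAML and JSON is valid YAML, so the JSON form
# (`kubectl config view --raw -o json`) parses without a YAML library.
# Every name, URL, token and certificate value below is made up.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config", "current-context": "ci",
    "clusters": [
        {"name": "prod", "cluster": {
            "server": "https://k8s.example.test:6443",
            "certificate-authority-data": base64.b64encode(b"constructed CA").decode()}},
        {"name": "lab", "cluster": {
            "server": "https://lab.example.test:6443", "insecure-skip-tls-verify": True}}],
    "users": [
        {"name": "jenkins", "user": {"token": "constructed-token"}},
        {"name": "ops", "user": {"client-certificate-data": "AAAA", "client-key-data": "BBBB"}}],
    "contexts": [
        {"name": "ci", "context": {"cluster": "prod", "user": "jenkins", "namespace": "jenkins"}},
        {"name": "lab-admin", "context": {"cluster": "lab", "user": "ops"}}],
})

# Credential fields a kubeconfig user entry can carry, checked in this order.
AUTH_KEYS = ("token", "tokenFile", "client-certificate-data", "client-certificate",
             "exec", "auth-provider", "username")

def _named(cfg, section, name, key):
    for entry in cfg.get(section) or []:
        if entry.get("name") == name:
            return entry.get(key) or {}
    raise KeyError(f"kubeconfig has no {key} named {name!r}")

def resolve(kubeconfig_text, context=None):
    """Hypothetical helper: settings selected by one context of a kubeconfig."""
    cfg = json.loads(kubeconfig_text)
    ctx = _named(cfg, "contexts", context or cfg.get("current-context"), "context")
    cluster = _named(cfg, "clusters", ctx.get("cluster"), "cluster")
    user = _named(cfg, "users", ctx.get("user"), "user")
    ca = cluster.get("certificate-authority-data")
    return {
        "server": cluster.get("server"),
        "namespace": ctx.get("namespace", "default"),
        "ca_data": base64.b64decode(ca) if ca else None,
        "skip_tls_verify": bool(cluster.get("insecure-skip-tls-verify")),
        "auth": next((k for k in AUTH_KEYS if k in user), "none"),
        # Identities stored in the file that this context never uses.
        "unused_users": sorted(u.get("name") for u in cfg.get("users") or []
                               if u.get("name") != ctx.get("user")),
    }
```

A non-empty `unused_users` or a true `skip_tls_verify` is worth trimming or fixing before the file is stored as a Jenkins secret.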

            People

            • Assignee:
              csanchez Carlos Sanchez
              Reporter:
              colemickens Cole Mickens