K8S user impersonation #2355

Closed
Dimpison opened this issue Apr 4, 2025 · 5 comments

@Dimpison
Dimpison commented Apr 4, 2025

Describe the bug
This k8s client doesn't allow impersonating another user/SA in a cluster. The kubectl binary allows doing this via the --as flag or by adding the following entity to kubeconfig: users.user.as. Even adding the entity to kubeconfig,

Client Version
1.1.0

Server Version
1.30.10

To Reproduce
Steps to reproduce the behavior:
Run the following code.

import * as k8s from "@kubernetes/client-node";
const kubeconfigPath = "/path/to/kube/config";
const kubeConfig = new k8s.KubeConfig();
kubeConfig.loadFromFile(kubeconfigPath);
console.log(kubeConfig.getCurrentUser());

The above code snippet doesn't show the users.user.as field even if it's added to the kubeconfig. The client also ignores the field when making a request to the K8S API.

Kubeconfig snippet example:

- name: sudo user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - eks
      - get-token
      - --cluster-name=cluste-name
      command: aws
    as: sudo-user

Expected behavior
It's expected that the as field is available and can be used to impersonate a user in a k8s cluster.

Example Code

import * as k8s from "@kubernetes/client-node";
const kubeconfigPath = "/path/to/kube/config";
const kubeConfig = new k8s.KubeConfig();
kubeConfig.loadFromFile(kubeconfigPath);
console.log(kubeConfig.getCurrentUser());

Environment (please complete the following information):

  • OS: [e.g. Windows, Linux]: MacOS
  • Node.js version [eg. 20] - 20
  • Cloud runtime [e.g. Azure Functions, Lambda] - local run

Additional context
Link to k8s doc https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
Link to kubeconfig api reference https://kubernetes.io/docs/reference/config-api/kubeconfig.v1/#AuthInfo
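
An added example, not code from this issue, from PR #2373, or from @kubernetes/client-node: it maps the kubeconfig AuthInfo impersonation fields (`as`, `as-uid`, `as-groups`, `as-user-extra`) to the `Impersonate-*` request headers described in the user-impersonation documentation linked above, which goes beyond the username-only case raised here. The sample entries and the function names `impersonationHeaders` and `auditUsers` are constructed for illustration.

```javascript
// Constructed kubeconfig "users" entries (already parsed from YAML). The first
// mirrors the issue's "sudo user"; the rest exercise the other AuthInfo fields.
const sampleUsers = [
  { name: "sudo user", user: { exec: { command: "aws" }, as: "sudo-user" } },
  { name: "audited-admin", user: {
      as: "jane", "as-uid": "1234", "as-groups": ["developers", "admins"],
      "as-user-extra": { "example.com/Reason": ["ticket 42"] } } },
  { name: "plain", user: { token: "placeholder-token" } },
  { name: "broken", user: { "as-groups": ["admins"] } },
];

// Maps one AuthInfo object to [headerName, value] pairs. Pairs are used
// because Impersonate-Group and Impersonate-Extra-* may be sent repeatedly.
function impersonationHeaders(authInfo) {
  const user = authInfo.as;
  const uid = authInfo["as-uid"];
  const groups = authInfo["as-groups"] || [];
  const extra = authInfo["as-user-extra"] || {};
  if (!user) {
    // Impersonate-User is required whenever any other Impersonate-* header is sent.
    if (uid !== undefined || groups.length > 0 || Object.keys(extra).length > 0) {
      throw new Error("as-uid, as-groups and as-user-extra require 'as'");
    }
    return [];
  }
  const headers = [["Impersonate-User", user]];
  if (uid !== undefined) headers.push(["Impersonate-Uid", uid]);
  for (const group of groups) headers.push(["Impersonate-Group", group]);
  for (const [key, values] of Object.entries(extra)) {
    // Extra names are lower-cased and percent-encoded ("/" becomes %2F).
    const name = "Impersonate-Extra-" + encodeURIComponent(key.toLowerCase());
    for (const value of values) headers.push([name, value]);
  }
  return headers;
}

// Lists every user entry that carries impersonation settings, or is malformed.
function auditUsers(users) {
  return users
    .map(({ name, user }) => {
      try {
        return { name, headers: impersonationHeaders(user || {}) };
      } catch (err) {
        return { name, error: err.message };
      }
    })
    .filter((entry) => entry.error || entry.headers.length > 0);
}
console.log(JSON.stringify(auditUsers(sampleUsers), null, 2));
```

On the server side, the caller needs RBAC permission for the `impersonate` verb, and the API audit log records both the authenticated user and the impersonated one.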

@Soubi8
Soubi8 commented Apr 4, 2025

This is really important and has to be addressed

@brendandburns
Contributor

Happy to review PRs if you want to add this.

cjihrig added a commit to cjihrig/javascript that referenced this issue Apr 15, 2025
This commit adds support for username impersonation. This does
not implement group, UID, or extra impersonation.

Refs: kubernetes-client#2355
@cjihrig
Contributor

cjihrig commented Apr 15, 2025

@Dimpison can you give the changes in #2373 a try?

cjihrig added a commit to cjihrig/javascript that referenced this issue Apr 16, 2025
This commit adds support for username impersonation. This does
not implement group, UID, or extra impersonation.

Refs: kubernetes-client#2355
@Dimpison
Author

The issue and PR are being discussed in more detail in the PR (for visibility).

cjihrig added a commit to cjihrig/javascript that referenced this issue Apr 19, 2025
This commit adds support for username impersonation. This does
not implement group, UID, or extra impersonation.

Refs: kubernetes-client#2355
@cjihrig
Contributor

cjihrig commented Apr 25, 2025

Closed by #2373

@cjihrig cjihrig closed this as completed Apr 25, 2025