kauthproxy

command module

v0.6.0 Latest Latest Go to latest Published: Nov 7, 2019 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/int128/kauthproxy

Links

Open Source Insights

README ¶

kauthproxy

This is a kubectl plugin to forward a local port to a pod via the authentication proxy. It forwards HTTP requests to a pod via the reverse proxy and port forwarder as follows:

diagram

The reverse proxy gets a token from the credential plugin (e.g. aws-iam-authenticator or kubelogin) and adds the token to the authorization header of requests.

Getting Started

Install

You can install the latest release from Homebrew, Krew or GitHub Releases as follows:

# Homebrew
brew install int128/kauthproxy/kauthproxy

# Krew
kubectl krew install auth-proxy

# GitHub Releases
curl -LO https://github.com/int128/kauthproxy/releases/download/v0.4.0/kauthproxy_linux_amd64.zip
unzip kauthproxy_linux_amd64.zip
ln -s kauthproxy kubectl-auth_proxy

Access Kubernetes Dashboard

You can access the Kubernetes Dashboard without manually entering a token.

For Amazon EKS, set up the kubeconfig to use the aws-iam-authenticator or aws eks get-token.

For OpenID Connect, set up the kubeconfig to use kubelogin.

To access the service of Kubernetes Dashboard:

% kubectl auth-proxy -n kube-system https://kubernetes-dashboard.svc
Starting an authentication proxy for pod/kubernetes-dashboard-57fc4fcb74-jjg77:8443
Open http://127.0.0.1:18000
Forwarding from 127.0.0.1:57866 -> 8443
Forwarding from [::1]:57866 -> 8443

Kauthproxy will open the browser and you can access the Kubernetes Dashboard.

Access Kibana

TODO

Known Issues

kauthproxy always skips TLS verification for a pod. TODO: add a flag

Usage

Forward a local port to a pod or service via the authentication proxy.
It gets a token from the current credential plugin (e.g. EKS, OpenID Connect).
Then it appends the authorization header to HTTP requests, like "authorization: Bearer token".
All traffic is routed by the authentication proxy and port forwarder as follows:
  [browser] -> [authentication proxy] -> [port forwarder] -> [pod]

Usage:
  kubectl auth-proxy POD_OR_SERVICE_URL [flags]

Examples:
  # To access a service:
  kubectl auth-proxy https://kubernetes-dashboard.svc

  # To access a pod:
  kubectl auth-proxy https://kubernetes-dashboard-57fc4fcb74-jjg77

Flags:
      --add_dir_header                   If true, adds the file directory to the header
      --address stringArray              The address on which to run the proxy. If set multiple times, it will try binding the address in order (default [127.0.0.1:18000,127.0.0.1:28000])
      --alsologtostderr                  log to standard error as well as files
      --as string                        Username to impersonate for the operation
      --as-group stringArray             Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir string                 Default HTTP cache directory (default "~/.kube/http-cache")
      --certificate-authority string     Path to a cert file for the certificate authority
      --client-certificate string        Path to a client certificate file for TLS
      --client-key string                Path to a client key file for TLS
      --cluster string                   The name of the kubeconfig cluster to use
      --context string                   The name of the kubeconfig context to use
  -h, --help                             help for kubectl
      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string                Path to the kubeconfig file to use for CLI requests.
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
  -n, --namespace string                 If present, the namespace scope for this CLI request
      --request-timeout string           The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string                    The address and port of the Kubernetes API server
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
      --token string                     Bearer token for authentication to the API server
      --user string                      The name of the kubeconfig user to use
  -v, --v Level                          number for the log level verbosity
      --version                          version for kubectl
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging

Contributions

This is an open source software. Feel free to open issues and pull requests.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
pkg
adaptors/cmd Package cmd provides command line interface.	Package cmd provides command line interface.
adaptors/env
adaptors/env/mock_env Package mock_env is a generated GoMock package.	Package mock_env is a generated GoMock package.
adaptors/logger Package logger provides logging facility.	Package logger provides logging facility.
adaptors/logger/mock_logger
adaptors/portforwarder Package portforwarder provides port forwarding between local and Kubernetes.	Package portforwarder provides port forwarding between local and Kubernetes.
adaptors/portforwarder/mock_portforwarder Package mock_portforwarder is a generated GoMock package.	Package mock_portforwarder is a generated GoMock package.
adaptors/resolver Package resolver provides resolving a pod and container port.	Package resolver provides resolving a pod and container port.
adaptors/resolver/mock_resolver Package mock_resolver is a generated GoMock package.	Package mock_resolver is a generated GoMock package.
adaptors/reverseproxy Package reverseproxy provides a reverse proxy.	Package reverseproxy provides a reverse proxy.
adaptors/reverseproxy/mock_reverseproxy Package mock_reverseproxy is a generated GoMock package.	Package mock_reverseproxy is a generated GoMock package.
adaptors/transport Package transport provides a HTTP transport with a token got from the credential plugin of the cluster.	Package transport provides a HTTP transport with a token got from the credential plugin of the cluster.
adaptors/transport/mock_transport Package mock_transport is a generated GoMock package.	Package mock_transport is a generated GoMock package.
di
usecases/authproxy

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL