This repository has been archived by the owner on Oct 3, 2020. It is now read-only.

Oauth (google auth) crashes kube-ops-view #172

Open
iMartyn opened this issue Aug 20, 2018 · 3 comments

Comments

iMartyn commented Aug 20, 2018

As the title suggests, if you auth with a cluster by oauth token from GApps, the users.user.auth-provider.config.id-token is a JWT auth token, but kube-ops-view attempts to use b64decode on it. This fails with an error like

Traceback (most recent call last):
  File "/kube_ops_view/update.py", line 42, in update_clusters
    for cluster in clusters:
  File "/kube_ops_view/cluster_discovery.py", line 146, in get_clusters
    kubernetes.config.load_kube_config(config_file, context=context['name'], client_configuration=config)
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 476, in load_kube_config
    loader.load_and_set(client_configuration)
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 354, in load_and_set
    self._load_authentication()
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 185, in _load_authentication
    if self._load_oid_token():
  File "/usr/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 236, in _load_oid_token
    base64.b64decode(parts[1]).decode('utf-8')
  File "/usr/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Which is understandable because JWT is multiple b64 strings concatenated with ., - and _ characters.

Obviously my cluster is accessible with kubectl but this completely breaks kube-ops-view's loading for all the clusters listed in my config.

If k-o-v must decode the values manually, can it at least not crash on this kind of expectation so that the other clusters in my config can be monitored?

Owner

hjacobs commented Aug 21, 2018

Interesting case, the exception comes from the official Python Kubernetes client. Can you paste instructions on how to reproduce and some sanitized (with sensitive credentials replaced) ~/.kube/config file?

Author

iMartyn commented Aug 21, 2018

Sure, I'll grab them shortly. I was going to add them to the original report but didn't have time to sanitize.

Author

iMartyn commented Aug 21, 2018

FYI, looks like there's an upstream fix, kubernetes-client/python-base#70. Unfortunately, when I generate a JWT token with sanitised data it works (because padding). Would be really nice if kube-ops-view would handle the exception better though. I managed to make a config with my real auth that loads (doesn't crash) with kube-ops-view, but it doesn't actually auth, and it will not work with kubectl (which does JWT properly).
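The padding behaviour discussed in this thread, as an added example that is not code from kube-ops-view, the Kubernetes Python client, or either participant. It shows why a token whose payload length happens to be a multiple of 3 decodes with plain `b64decode` while another fails with "Incorrect padding", and how loading each context separately keeps the remaining clusters available. All function names, context names and tokens are constructed for illustration.

```python
import base64
import binascii
import json


def jwt_segment(obj):
    """Encode a dict the way JWT does: base64url JSON with '=' padding stripped."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Constructed sample token: header.payload.placeholder (not a real signature)."""
    return ".".join([jwt_segment({"alg": "RS256"}), jwt_segment(claims), "sig"])


# Constructed id-tokens keyed by hypothetical context names.
SAMPLE_CONTEXTS = {
    "cluster-a": make_token({"sub": "a"}),   # 11-byte payload: padding was stripped
    "cluster-b": make_token({"sub": "ab"}),  # 12-byte payload: never needed padding
}


def decode_naive(segment):
    """The call from the traceback: plain b64decode on the raw segment."""
    return json.loads(base64.b64decode(segment).decode("utf-8"))


def decode_padded(segment):
    """Restore the stripped padding and decode with the URL-safe alphabet.
    This only reads the claims; it does not verify the token's signature."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def load_clusters(contexts, decoder):
    """Decode each context on its own so one bad token cannot hide the others."""
    loaded, failed = {}, {}
    for name, token in contexts.items():
        try:
            loaded[name] = decoder(token.split(".")[1])
        except (binascii.Error, ValueError) as exc:
            failed[name] = f"{type(exc).__name__}: {exc}"
    return loaded, failed


if __name__ == "__main__":
    print(load_clusters(SAMPLE_CONTEXTS, decode_naive))
    print(load_clusters(SAMPLE_CONTEXTS, decode_padded))
```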
