Merge pull request #134870 from pmengelbert/pmengelbert/kuberc/4

Add client-go credential plugin to kuberc

Kubernetes-commit: 183892b2c96aa962118ccfc2ee1c971caf72b16b

Author: k8s-publishing-bot

go.mod

@@ -30,11 +30,11 @@ require (
 	golang.org/x/sys v0.37.0
 	golang.org/x/text v0.29.0
 	gopkg.in/evanphx/json-patch.v4 v4.13.0
-	k8s.io/api v0.0.0-20251106202824-18e16b5aa26d
-	k8s.io/apimachinery v0.0.0-20251104194212-729c13d7df38
-	k8s.io/cli-runtime v0.0.0-20251104214421-bd0840656b55
-	k8s.io/client-go v0.0.0-20251106123256-0e6fc04326d2
-	k8s.io/component-base v0.0.0-20251105043606-09c454e1f74b
+	k8s.io/api v0.0.0-20251107002836-f1737241c064
+	k8s.io/apimachinery v0.0.0-20251106231852-6f8949260573
+	k8s.io/cli-runtime v0.0.0-20251110050429-aaf392a9dbb5
+	k8s.io/client-go v0.0.0-20251110043236-6ce2c0f8c3b9
+	k8s.io/component-base v0.0.0-20251110044304-c1ad4134391c
 	k8s.io/component-helpers v0.0.0-20251106124553-0e2bf40485ce
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912

go.sum

@@ -192,16 +192,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20251106202824-18e16b5aa26d h1:3SQPUUHMeygNWukXQYPtNoQfiqgQkDxv7T+uicVmYGI=
-k8s.io/api v0.0.0-20251106202824-18e16b5aa26d/go.mod h1:WAtHXlm214kKcYg1bP2G5eefhLoi/NCF6sxUeTjUXMs=
-k8s.io/apimachinery v0.0.0-20251104194212-729c13d7df38 h1:5jRAlNQwmLaPNhf9mfhacvZKFF8fE4nfULiBul0PrGM=
-k8s.io/apimachinery v0.0.0-20251104194212-729c13d7df38/go.mod h1:dR9KPaf5L0t2p9jZg/wCGB4b3ma2sXZ2zdNqILs+Sak=
-k8s.io/cli-runtime v0.0.0-20251104214421-bd0840656b55 h1:3MvAzXG9vXwjhuBqktZiW/qzTXktD2THOt8+xuvAnaM=
-k8s.io/cli-runtime v0.0.0-20251104214421-bd0840656b55/go.mod h1:1S/aYJqjbAEheEwb9zogUIfQB3mcd+Vh+SKzX4hWY5A=
-k8s.io/client-go v0.0.0-20251106123256-0e6fc04326d2 h1:6wyLSk4mUY9VUUYqsFyDvqEQD9+QoRRBu22loMh9Tw8=
-k8s.io/client-go v0.0.0-20251106123256-0e6fc04326d2/go.mod h1:Xw1AYXa8yFMl6qNHHV3E0uhL7RAq+X5I5me/G08wwYY=
-k8s.io/component-base v0.0.0-20251105043606-09c454e1f74b h1:iZ59BHeRkNAM5RSutSryNx9qtrgT7YPSM5HanS+GXVw=
-k8s.io/component-base v0.0.0-20251105043606-09c454e1f74b/go.mod h1:ccVXlbwyM8koWd6+OylPWi8m3aunkoPzcQcSbVvTHrk=
+k8s.io/api v0.0.0-20251107002836-f1737241c064 h1:n8Q6kd+Mwr2ce6QpIGlMKM31hhb0XkeNKKYc8mfv/pk=
+k8s.io/api v0.0.0-20251107002836-f1737241c064/go.mod h1:KmeiqHqfbEx7y5cjOafexrDA1x0/NCS0EvYefr1M9eQ=
+k8s.io/apimachinery v0.0.0-20251106231852-6f8949260573 h1:gNmsE5h0ynVpA5XKQBVSWKTogBPL4ecYdzF5get+L4A=
+k8s.io/apimachinery v0.0.0-20251106231852-6f8949260573/go.mod h1:dR9KPaf5L0t2p9jZg/wCGB4b3ma2sXZ2zdNqILs+Sak=
+k8s.io/cli-runtime v0.0.0-20251110050429-aaf392a9dbb5 h1:TNpIHORxdvVjHG6sc9bTof9O+Au0HLL2Im5Ecxx0GW4=
+k8s.io/cli-runtime v0.0.0-20251110050429-aaf392a9dbb5/go.mod h1:gxjLvb8qJv8gyqFX9RUsHmVBcU4r++7GLwubu1PCdeI=
+k8s.io/client-go v0.0.0-20251110043236-6ce2c0f8c3b9 h1:w3avFIgMRha3Tp2Y8GtSbA/CP4Pjn+MoEFk2L6660Z0=
+k8s.io/client-go v0.0.0-20251110043236-6ce2c0f8c3b9/go.mod h1:QM7Zy4bRkvPZ8IwCto7QVHLGkeASaoOsSDtpTRqY55s=
+k8s.io/component-base v0.0.0-20251110044304-c1ad4134391c h1:D6Qzh3e/OInWBo4eA2W+11N1Iyp+b3AJbQ08PBpgP3A=
+k8s.io/component-base v0.0.0-20251110044304-c1ad4134391c/go.mod h1:N9qBoyM5YJbtzos7/NnVUVt93sD3VrxVQShY1FQK+NI=
 k8s.io/component-helpers v0.0.0-20251106124553-0e2bf40485ce h1:lSLeDsacpYQVPtJnd4/S3iciKZ/b08CiCxhjwBbm+ec=
 k8s.io/component-helpers v0.0.0-20251106124553-0e2bf40485ce/go.mod h1:hBkkxYVO7wXIh0RjzhUECKBc6LIsL1wzNIyKYGDW5q8=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=

pkg/cmd/cmd.go

@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"sync/atomic"
 
 	"github.com/spf13/cobra"
 
@@ -233,15 +234,17 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 	matchVersionKubeConfigFlags := cmdutil.NewMatchVersionFlags(kubeConfigFlags)
 	matchVersionKubeConfigFlags.AddFlags(flags)
 	// Updates hooks to add kubectl command headers: SIG CLI KEP 859.
-	addCmdHeaderHooks(cmds, kubeConfigFlags)
+	var isProxyCmd atomic.Bool
+	addCmdHeaderHooks(cmds, kubeConfigFlags, &isProxyCmd)
 
 	f := cmdutil.NewFactory(matchVersionKubeConfigFlags)
 
-	// Proxy command is incompatible with CommandHeaderRoundTripper, so
-	// clear the WrapConfigFn before running proxy command.
+	// Proxy command is incompatible with the headers set by
+	// CommandHeaderRoundTripper, so the RoundTripper hooks set in
+	// `addCmdHeaderHooks` needs to be aware that the subcommand is `proxy`
 	proxyCmd := proxy.NewCmdProxy(f, o.IOStreams)
 	proxyCmd.PreRun = func(cmd *cobra.Command, args []string) {
-		kubeConfigFlags.WrapConfigFn = nil
+		isProxyCmd.Store(true)
 	}
 
 	// Avoid import cycle by setting ValidArgsFunction here instead of in NewCmdGet()
@@ -366,7 +369,7 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 			}
 			return existingPreRunE(cmd, args)
 		}
-		_, err := pref.Apply(cmds, o.Arguments, o.IOStreams.ErrOut)
+		_, err := pref.Apply(cmds, kubeConfigFlags, o.Arguments, o.IOStreams.ErrOut)
 		if err != nil {
 			fmt.Fprintf(o.IOStreams.ErrOut, "error occurred while applying preferences %v\n", err)
 			os.Exit(1)
@@ -387,7 +390,7 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 // See SIG CLI KEP 859 for more information:
 //
 //	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
-func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags) {
+func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags, isProxyCmd *atomic.Bool) {
 	crt := &genericclioptions.CommandHeaderRoundTripper{}
 	existingPreRunE := cmds.PersistentPreRunE
 	// Add command parsing to the existing persistent pre-run function.
@@ -397,20 +400,21 @@ func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.C
 	}
 	wrapConfigFn := kubeConfigFlags.WrapConfigFn
 	// Wraps CommandHeaderRoundTripper around standard RoundTripper.
-	kubeConfigFlags.WrapConfigFn = func(c *rest.Config) *rest.Config {
+	kubeConfigFlags.WithWrapConfigFn(func(c *rest.Config) *rest.Config {
 		if wrapConfigFn != nil {
 			c = wrapConfigFn(c)
 		}
 		c.Wrap(func(rt http.RoundTripper) http.RoundTripper {
 			// Must be separate RoundTripper; not "crt" closure.
 			// Fixes: https://github.com/kubernetes/kubectl/issues/1098
 			return &genericclioptions.CommandHeaderRoundTripper{
-				Delegate: rt,
-				Headers:  crt.Headers,
+				Delegate:    rt,
+				Headers:     crt.Headers,
+				SkipHeaders: isProxyCmd, // proxy command is incompatible with these headers
 			}
 		})
 		return c
-	}
+	})
 }
 
 func runHelp(cmd *cobra.Command, args []string) {

pkg/config/scheme/scheme_test.go

@@ -19,10 +19,28 @@ package scheme
 import (
 	"testing"
 
+	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
 	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
-	"k8s.io/kubectl/pkg/config/fuzzer"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/kubectl/pkg/config"
+	kubectlfuzzer "k8s.io/kubectl/pkg/config/fuzzer"
+	"sigs.k8s.io/randfill"
 )
 
 func TestRoundTripTypes(t *testing.T) {
-	roundtrip.RoundTripTestForScheme(t, Scheme, fuzzer.Funcs)
+	// Because v1alpha1 does not have fields of these types, the fuzzing will
+	// be incorrect, so we need to manually intervene here
+	customFuzzerFuncs := func(codecs runtimeserializer.CodecFactory) []interface{} {
+		return []interface{}{
+			func(s *config.CredentialPluginPolicy, c randfill.Continue) {
+				*s = ""
+			},
+			func(s *[]config.AllowlistEntry, c randfill.Continue) {
+				*s = nil
+			},
+		}
+	}
+
+	funcs := fuzzer.MergeFuzzerFuncs(kubectlfuzzer.Funcs, customFuzzerFuncs)
+	roundtrip.RoundTripTestForScheme(t, Scheme, funcs)
 }

pkg/config/types.go

@@ -16,7 +16,9 @@ limitations under the License.
 
 package config
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -62,6 +64,63 @@ type Preference struct {
 	// "kubectl getn control-plane-1 --output=json" expands to "kubectl get node --output=json control-plane-1"
 	// +optional
 	Aliases []AliasOverride
+
+	// credentialPluginPolicy specifies the policy governing which, if any, client-go
+	// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+	// If the policy is "", then it falls back to "AllowAll" (this is required
+	// to maintain backward compatibility). If the policy is DenyAll, no
+	// credential plugins may run. If the policy is Allowlist, only those
+	// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+	// field may run.
+	// +optional
+	CredentialPluginPolicy CredentialPluginPolicy
+
+	// Allowlist is a slice of allowlist entries. If any of them is a match,
+	// then the executable in question may execute. That is, the result is the
+	// logical OR of all entries in the allowlist. This list MUST NOT be
+	// supplied if the policy is not "Allowlist".
+	//
+	// e.g.
+	// credentialPluginAllowlist:
+	// - name: cloud-provider-plugin
+	// - name: /usr/local/bin/my-plugin
+	// In the above example, the user allows the credential plugins
+	// `cloud-provider-plugin` (found somewhere in PATH), and the plugin found
+	// at the explicit path `/usr/local/bin/my-plugin`.
+	// +optional
+	CredentialPluginAllowlist []AllowlistEntry
+}
+
+// CredentialPluginPolicy specifies the policy governing which, if any, client-go
+// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+// If the policy is "", then it falls back to "AllowAll" (this is required
+// to maintain backward compatibility). If the policy is DenyAll, no
+// credential plugins may run. If the policy is Allowlist, only those
+// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+// field may run. If the policy is not `Allowlist` but one is provided, it
+// is considered a configuration error.
+type CredentialPluginPolicy string
+
+const (
+	PluginPolicyAllowAll  CredentialPluginPolicy = "AllowAll"
+	PluginPolicyDenyAll   CredentialPluginPolicy = "DenyAll"
+	PluginPolicyAllowlist CredentialPluginPolicy = "Allowlist"
+)
+
+// AllowlistEntry is an entry in the allowlist. For each allowlist item, at
+// least one field must be nonempty. A struct with all empty fields is
+// considered a misconfiguration error. Each field is a criterion for
+// execution. If multiple fields are specified, then the criteria of all
+// specified fields must be met. That is, the result of an individual entry is
+// the logical AND of all checks corresponding to the specified fields within
+// the entry.
+type AllowlistEntry struct {
+	// Name matching is performed by first resolving the absolute path of both
+	// the plugin and the name in the allowlist entry using `exec.LookPath`. It
+	// will be called on both, and the resulting strings must be equal. If
+	// either call to `exec.LookPath` results in an error, the `Name` check
+	// will be considered a failure.
+	Name string
 }
 
 // AliasOverride stores the alias definitions.

pkg/config/v1alpha1/conversion.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	config "k8s.io/kubectl/pkg/config"
+)
+
+// v1alpha1 Preference does not have `CredentialPluginPolicy` or `CredentialPluginAllowlist` fields. They can be left blank, so the autoConvert functions will suffice.
+func Convert_config_Preference_To_v1alpha1_Preference(in *config.Preference, out *Preference, s conversion.Scope) error {
+	return autoConvert_config_Preference_To_v1alpha1_Preference(in, out, s)
+}
+
+func Convert_v1alpha1_Preference_To_config_Preference(in *Preference, out *config.Preference, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Preference_To_config_Preference(in, out, s)
+}

pkg/config/v1alpha1/zz_generated.conversion.go

@@ -37,7 +37,7 @@ func init() {
 	// We only register manually written functions here. The registration of the
 	// generated functions takes place in the generated files. The separation
 	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
+	localSchemeBuilder.Register(addKnownTypes, RegisterDefaults)
 }
 
 // addKnownTypes registers known types to the given scheme

pkg/config/v1beta1/register.go

@@ -16,7 +16,9 @@ limitations under the License.
 
 package v1beta1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -62,6 +64,64 @@ type Preference struct {
 	// "kubectl getn control-plane-1 --output=json" expands to "kubectl get node --output=json control-plane-1"
 	// +listType=atomic
 	Aliases []AliasOverride `json:"aliases"`
+
+	// credentialPluginPolicy specifies the policy governing which, if any, client-go
+	// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+	// If the policy is "", then it falls back to "AllowAll" (this is required
+	// to maintain backward compatibility). If the policy is DenyAll, no
+	// credential plugins may run. If the policy is Allowlist, only those
+	// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+	// field may run.
+	// +optional
+	CredentialPluginPolicy CredentialPluginPolicy `json:"credentialPluginPolicy,omitempty"`
+
+	// Allowlist is a slice of allowlist entries. If any of them is a match,
+	// then the executable in question may execute. That is, the result is the
+	// logical OR of all entries in the allowlist. This list MUST NOT be
+	// supplied if the policy is not "Allowlist".
+	//
+	// e.g.
+	// credentialPluginAllowlist:
+	// - name: cloud-provider-plugin
+	// - name: /usr/local/bin/my-plugin
+	// In the above example, the user allows the credential plugins
+	// `cloud-provider-plugin` (found somewhere in PATH), and the plugin found
+	// at the explicit path `/usr/local/bin/my-plugin`.
+	// +optional
+	// +listType=atomic
+	CredentialPluginAllowlist []AllowlistEntry `json:"credentialPluginAllowlist,omitempty"`
+}
+
+// CredentialPluginPolicy specifies the policy governing which, if any, client-go
+// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+// If the policy is "", then it falls back to "AllowAll" (this is required
+// to maintain backward compatibility). If the policy is DenyAll, no
+// credential plugins may run. If the policy is Allowlist, only those
+// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+// field may run. If the policy is not `Allowlist` but one is provided, it
+// is considered a configuration error.
+type CredentialPluginPolicy string
+
+const (
+	PluginPolicyAllowAll  CredentialPluginPolicy = "AllowAll"
+	PluginPolicyDenyAll   CredentialPluginPolicy = "DenyAll"
+	PluginPolicyAllowlist CredentialPluginPolicy = "Allowlist"
+)
+
+// AllowlistEntry is an entry in the allowlist. For each allowlist item, at
+// least one field must be nonempty. A struct with all empty fields is
+// considered a misconfiguration error. Each field is a criterion for
+// execution. If multiple fields are specified, then the criteria of all
+// specified fields must be met. That is, the result of an individual entry is
+// the logical AND of all checks corresponding to the specified fields within
+// the entry.
+type AllowlistEntry struct {
+	// Name matching is performed by first resolving the absolute path of both
+	// the plugin and the name in the allowlist entry using `exec.LookPath`. It
+	// will be called on both, and the resulting strings must be equal. If
+	// either call to `exec.LookPath` results in an error, the `Name` check
+	// will be considered a failure.
+	Name string `json:"name"`
 }
 
 // AliasOverride stores the alias definitions.