Authentication and authorisation processes exist for a reason. They are there to ensure that the person doing a thing is who they say they are and that they’re allowed to do that thing. Such processes can be frustrating at times, and whilst we shouldn’t disable them or circumvent them, we can make them easier.
In this case it’s about authenticating to VMware vSphere Kubernetes Service (VKS) via the vSphere plugin for kubectl. Yes, we could generate a kubeconfig file that maps to the cluster-admin role and share it around to make life easy, but that’s a bit like giving your bank card to a random stranger and asking them to get some cash out of an ATM for you. You can’t be sure who has that kubeconfig file and what they did with it! The vSphere plugin for kubectl means that you can ask users for a set of credentials that can be verified via a trusted source before they get access to your Kubernetes infrastructure.
The problem is that the command syntax can be a little long and, of course, after a period of time you’ll be expected to re-authenticate yourself. This might lead to folks taking some shortcuts to minimise any inconvenience, I mean typing. Let’s see some examples using my Homelab…
kubectl vsphere login --server supervisor.lab.mpoore.io -u [email protected]
Maybe once per day that’d be ok I guess. What do you think? It just authenticates my user to the Supervisor cluster. I could even set up an alias to do that. In fact, that’s exactly what I did! The problem comes when you want to pre-select the Supervisor namespace and / or the VKS cluster to work with…
kubectl vsphere login --server supervisor.lab.mpoore.io --tanzu-kubernetes-cluster-namespace production -u [email protected]
kubectl vsphere login --server supervisor.lab.mpoore.io --tanzu-kubernetes-cluster-name tkc-prod-01 --tanzu-kubernetes-cluster-namespace production -u [email protected]
…and you want to set up aliases for lots of different options. And maybe you have multiple Supervisors in your environment (I don’t in my Homelab). Soon you have to keep a note of which alias is set up for which configuration. That’s not fun!
It’s exactly the situation I was finding myself in, so I created a function for my .zshrc profile on my laptop to take away some of the pain. Here it is:
alias k="kubectl"
export KUBE_EDITOR="code --wait"
export ADM="[email protected]"
export ME="[email protected]"

# klogin user [namespace [cluster]]
klogin() {
    case $# in
        0)
            echo "Help for 'klogin':"
            echo ""
            echo "  This function is a shortcut for performing a kubectl vsphere login. It expects the following positional parameters:"
            echo "    user      - the username used to login"
            echo "    namespace - the Supervisor namespace to connect to"
            echo "    cluster   - the cluster to connect to"
            echo ""
            ;;
        1)
            # Authenticate to the Supervisor only
            kubectl vsphere login --server supervisor.lab.mpoore.io -u "$1"
            ;;
        2)
            # Pre-select a Supervisor namespace
            kubectl vsphere login --server supervisor.lab.mpoore.io --tanzu-kubernetes-cluster-namespace "$2" -u "$1"
            ;;
        3)
            # Pre-select a VKS cluster within a Supervisor namespace
            kubectl vsphere login --server supervisor.lab.mpoore.io --tanzu-kubernetes-cluster-name "$3" --tanzu-kubernetes-cluster-namespace "$2" -u "$1"
            ;;
        *)
            echo "WARNING!! Too many arguments supplied!"
            echo ""
            # Show the help text
            klogin
            ;;
    esac
}
I still have an alias for kubectl (lazy typing remember), but that’s the only one that I need. I set up ADM and ME as environment variables to hold my usernames because… lazy! Get the picture?
Finally, there is the klogin function. This takes a minimum of a username as an argument, but can also accept a Supervisor namespace and a VKS cluster name. And all I have to do is type something simple like:
klogin $ADM
I am prompted for my password and like that I’m in!
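A stricter variant of the function above, as an added example that is not the author's code: it rejects a mistyped or mis-ordered namespace or cluster name before the password prompt appears, and reads the Supervisor address from an environment variable to cover the multiple-Supervisor case. KLOGIN_SERVER and _klogin_label are hypothetical names, and the check assumes namespace and cluster names are lowercase DNS-1123 labels.

```shell
# Added example, not the author's code. KLOGIN_SERVER and _klogin_label are
# hypothetical names; the default server is the homelab Supervisor from the post.

# Succeeds only if $1 is a lowercase DNS-1123 label (assumed format for
# Supervisor namespace and cluster names). Runs in a subshell so LC_ALL=C,
# which makes the a-z range ASCII-only, does not leak into the session.
_klogin_label() (
    LC_ALL=C
    case $1 in
        ''|-*|*-|*[!a-z0-9-]*) exit 1 ;;
    esac
    [ "${#1}" -le 63 ]
)

klogin() {
    if [ $# -lt 1 ] || [ $# -gt 3 ]; then
        echo "usage: klogin user [namespace [cluster]]" >&2
        return 2
    fi
    # Fail before the password prompt if arguments look mis-ordered or mistyped.
    case $1 in
        ''|-*) echo "klogin: invalid user '$1'" >&2; return 2 ;;
    esac
    [ $# -lt 2 ] || _klogin_label "$2" || {
        echo "klogin: invalid namespace '$2'" >&2; return 2; }
    [ $# -lt 3 ] || _klogin_label "$3" || {
        echo "klogin: invalid cluster '$3'" >&2; return 2; }

    # Rebuild the positional parameters as the plugin's flags, each value quoted.
    case $# in
        1) set -- -u "$1" ;;
        2) set -- --tanzu-kubernetes-cluster-namespace "$2" -u "$1" ;;
        3) set -- --tanzu-kubernetes-cluster-name "$3" \
                  --tanzu-kubernetes-cluster-namespace "$2" -u "$1" ;;
    esac
    # KLOGIN_SERVER, when set, selects a different Supervisor.
    kubectl vsphere login \
        --server "${KLOGIN_SERVER:-supervisor.lab.mpoore.io}" "$@"
}
```

The function body uses only POSIX constructs, so it behaves the same in zsh and bash.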