client-go credential plugin

[nickperry]

Hi. What are your thoughts on https://kubernetes.io/docs/admin/authentication/#client-go-credential-plugins ? It would be great if this feature was more flexible so a variation of osprey-client could be called by kubectl, rather than users having to run it manually. Unfortunately there is an expectation that web api server will use the webhook mechanism to validate the bearer token.

[totahuanocotl]

Hi @nickperry!
We were actually looking for something simular to hook osprey into, so that osprey would be invoked whenever the user tried to execute a command and it was not authenticated.
We initially thought of using the kubectl plugin features, but it was the same as calling osprey manually, with more configuration to keep track of so we abandoned it.
This seems like a better fit, but it would be nicer if instead of forcing to use a webhook, it allowed to use any of the other available authenticators. The feature is still in alpha, so changes may still come that allow it. I'd probably wait until it is in beta to try it out, as we prefer not to use the alpha features unless it is absolutely necessary.