turbot / steampipe-plugin-kubernetes

Use SQL to instantly query Kubernetes API resources. Open source CLI. No DB required.

Home Page: https://hub.steampipe.io/plugins/turbot/kubernetes

License: Apache License 2.0

Makefile 0.05% PLSQL 0.96% Go 89.65% JavaScript 4.88% HCL 4.46%
sql postgresql postgresql-fdw kubernetes kubernetes-api steampipe steampipe-plugin k8s hacktoberfest backup

steampipe-plugin-kubernetes's Introduction

Kubernetes Plugin for Steampipe

Use SQL to query Kubernetes components.

Apart from querying the deployed resources, the plugin also supports scanning the Kubernetes manifest files from different sources, parsing the configured Helm charts and scanning all the templates to get the list of Kubernetes resources.

Quick start

Install

Download and install the latest Kubernetes plugin:

steampipe plugin install kubernetes

Installing the latest Kubernetes plugin will create a config file (~/.steampipe/config/kubernetes.spc) with a single connection named kubernetes:

connection "kubernetes" {
  plugin = "kubernetes"

  # By default, the plugin will use credentials in "~/.kube/config" with the current context.
  # OpenID Connect (OIDC) authentication is supported without any extra configuration.
  # The kubeconfig path and context can also be specified with the following config arguments:

  # Specify the file path to the kubeconfig.
  # Can also be set with the "KUBECONFIG" or "KUBE_CONFIG_PATH" environment variables. Plugin will prioritize KUBECONFIG if both are available.
  # config_path = "~/.kube/config"

  # Specify a context other than the current one.
  # config_context = "minikube"

  # List of custom resources that will be created as dynamic tables.
  # No dynamic tables will be created if this arg is empty or not set.
  # Wildcard based searches are supported.

  # For example:
  #  - "*" matches all custom resources available
  #  - "*.storage.k8s.io" matches all custom resources in the storage.k8s.io group
  #  - "certificates.cert-manager.io" matches a specific custom resource "certificates.cert-manager.io"
  #  - "backendconfig" matches the singular name "backendconfig" in any group

  # Defaults to all custom resources
  custom_resource_tables = ["*"]

  # If no kubeconfig file can be found, the plugin will attempt to use the service account Kubernetes gives to pods.
  # This authentication method is intended for clients that expect to be running inside a pod running on Kubernetes.

  # Specify the source(s) of the resource(s). Possible values: `deployed`, `helm` and `manifest`.
  # Defaults to all possible values. Set the argument to override the default value.
  # If `deployed` is contained in the value, tables will show all the deployed resources.
  # If `helm` is contained in the value, tables will show resources from the configured helm charts.
  # If `manifest` is contained in the value, tables will show all the resources from the kubernetes manifest. Make sure that the `manifest_file_paths` arg is set.
  # source_types = ["deployed", "helm", "manifest"]

  # Manifest File Configuration

  # Manifest file paths is a list of locations to search for Kubernetes manifest files
  # Manifest file paths can be configured with a local directory, a remote Git repository URL, or an S3 bucket URL
  # Refer https://hub.steampipe.io/plugins/turbot/kubernetes#supported-path-formats for more information
  # Wildcard based searches are supported, including recursive searches
  # Local paths are resolved relative to the current working directory (CWD)

  # For example:
  #  - "*.yml" or "*.yaml" or "*.json" matches all Kubernetes manifest files in the CWD
  #  - "**/*.yml" or "**/*.yaml" or "**/*.json" matches all Kubernetes manifest files in the CWD and all sub-directories
  #  - "../*.yml" or "../*.yaml" or "../*.json" matches all Kubernetes manifest files in the CWD's parent directory
  #  - "steampipe*.yml" or "steampipe*.yaml" or "steampipe*.json" matches all Kubernetes manifest files starting with "steampipe" in the CWD
  #  - "/path/to/dir/*.yml" or "/path/to/dir/*.yaml" or "/path/to/dir/*.json" matches all Kubernetes manifest files in a specific directory
  #  - "/path/to/dir/main.yml" or "/path/to/dir/main.yaml" or "/path/to/dir/main.json" matches a specific file

  # If the given paths includes "*", all files (including non-kubernetes manifest files) in
  # the CWD will be matched, which may cause errors if incompatible file types exist

  # Defaults to CWD
  # manifest_file_paths = [ "*.yml", "*.yaml", "*.json" ]

  # Helm configuration

  # A map for Helm charts along with the path to the chart directory and the paths of the value override files (if any).
  # Every map should have chart_path defined, and the values_file_paths is optional.
  # You can define multiple charts in the config.
  # helm_rendered_charts = {
  #   "chart_name" = {
  #     chart_path        = "/path/to/chart/dir"
  #     values_file_paths = ["/path/to/value/override/files.yaml"]
  #   }
  # }
}

Run steampipe:

steampipe query

List all pods:

select
  name,
  namespace,
  phase,
  creation_timestamp,
  pod_ip
from
  kubernetes_pod;
+-----------------------------------------+-------------+-----------+---------------------+-----------+
| name                                    | namespace   | phase     | creation_timestamp  | pod_ip    |
+-----------------------------------------+-------------+-----------+---------------------+-----------+
| metrics-server-86cbb8457f-bf8dm         | kube-system | Running   | 2021-06-11 14:21:48 | 10.42.0.5 |
| coredns-7448499f4d-klb8l                | kube-system | Running   | 2021-06-11 14:21:48 | 10.42.0.6 |
| helm-install-traefik-crd-hb87d          | kube-system | Succeeded | 2021-06-11 14:21:48 | 10.42.0.3 |
| local-path-provisioner-5ff76fc89d-c9hnm | kube-system | Running   | 2021-06-11 14:21:48 | 10.42.0.2 |
+-----------------------------------------+-------------+-----------+---------------------+-----------+

Engines

This plugin is available for the following engines:

Engine | Description
Steampipe | The Steampipe CLI exposes APIs and services as a high-performance relational database, giving you the ability to write SQL-based queries to explore dynamic data. Mods extend Steampipe's capabilities with dashboards, reports, and controls built with simple HCL. The Steampipe CLI is a turnkey solution that includes its own Postgres database, plugin management, and mod support.
Postgres FDW | Steampipe Postgres FDWs are native Postgres Foreign Data Wrappers that translate APIs to foreign tables. Unlike Steampipe CLI, which ships with its own Postgres server instance, the Steampipe Postgres FDWs can be installed in any supported Postgres database version.
SQLite Extension | Steampipe SQLite Extensions provide SQLite virtual tables that translate your queries into API calls, transparently fetching information from your API or service as you request it.
Export | Steampipe Plugin Exporters provide a flexible mechanism for exporting information from cloud services and APIs. Each exporter is a stand-alone binary that allows you to extract data using Steampipe plugins without a database.
Turbot Pipes | Turbot Pipes is the only intelligence, automation & security platform built specifically for DevOps. Pipes provide hosted Steampipe database instances, shared dashboards, snapshots, and more.

Developing

Prerequisites:

Clone:

git clone https://github.com/turbot/steampipe-plugin-kubernetes.git
cd steampipe-plugin-kubernetes

Build, which automatically installs the new version to your ~/.steampipe/plugins directory:

make

Configure the plugin:

cp config/* ~/.steampipe/config
vi ~/.steampipe/config/kubernetes.spc

Try it!

steampipe query
> .inspect kubernetes

Further reading:

Open Source & Contributing

This repository is published under the Apache 2.0 (source code) and CC BY-NC-ND (docs) licenses. Please see our code of conduct. We look forward to collaborating with you!

Steampipe is a product produced from this open source software, exclusively by Turbot HQ, Inc. It is distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #steampipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues:

steampipe-plugin-kubernetes's People

Contributors

aminvielledebatatbedrock, bigdatasourav, bob-bot, burahimu, cbruno10, charlklein, dependabot[bot], dongho-jung, e-gineer, graza-io, hileef, jacksgt, johnsmyth, khushboo9024, lalitlab, madhushreeray30, mafrosis, misraved, nmische, parthai, pdecat, rajlearner17, subhajit97, svend, whume

steampipe-plugin-kubernetes's Issues

Add table kubernetes_version

Hi,
thanks for this super cool plugin!

I think it would be useful to add the Kubernetes client and server version as a table, like this:

> select * from kubernetes_version;
+-----------+------------+-------------+
| component | version    | revision    |
+-----------+------------+-------------+
| server    | v1.25.6    | 9ec5f337f9f |
| client    | v1.26.1    | deadbeeeeef |
+-----------+------------+-------------+

The Gitlab plugin does something similar.

The plugin does not support Auth Provider OIDC

Describe the bug
To connect to my k8s clusters using kubectl I use an OIDC authentication provider, but it looks like the plugin doesn't support it. When trying to run queries I just got an error message [2021-08-18 17:43:19] [HV000] ERROR: rpc error: code = Unknown desc = no authentication provider found for name "oidc".

Steampipe version (steampipe -v)
v0.7.2

Plugin version (steampipe plugin list)
v0.0.2

To reproduce
Need to have OIDC authentication provider configured on your k8s clusters. After that just try running any queries.

Expected behavior
Normal execution of queries and use of auth providers.

Additional context
N/A

Dynamic CRD table creation fails when using an aggregator connection

Describe the bug
Dynamic CRD table creation fails when using an aggregator connection

Steampipe version (steampipe -v)
v0.18.0-dev.10

Plugin version (steampipe plugin list)
v0.13.0

To reproduce
Create 2 connections in kubernetes.spc, and then create 1 aggregator connection using both of the aforementioned connections.

Expected behavior
Aggregator connections should work correctly.

Additional context
Add any other context about the problem here.

Add table kubernetes_deployment_config

Add integration tests

Add integration test for below tables:

  • kubernetes_cluster_role
  • kubernetes_cluster_role_binding
  • kubernetes_config_map
  • kubernetes_daemonset
  • kubernetes_deployment
  • kubernetes_replicaset
  • kubernetes_role
  • kubernetes_role_binding
  • kubernetes_service_account
  • kubernetes_ingress

Improve error messaging on connection error or timeout

Is your feature request related to a problem? Please describe.
I manage several dozen connections for the kubernetes plugin. Occasionally one of the clusters behind these connections goes stale (the cluster gets destroyed or rebuilt). When I try to run queries when this happens the steampipe cli returns:

Error: failed to start plugin 'hub.steampipe.io/plugins/turbot/kubernetes@latest': timed out waiting for hub.steampipe.io/plugins/turbot/kubernetes@latest to startup after 5 seconds (SQLSTATE HV000)

This error gives no information about which connection may have had an error or timed out.

Describe the solution you'd like
The above error gives information about connections that failed.

Describe alternatives you've considered
I've tried running steampipe query with trace logging enabled, but, as far as I can tell, that doesn't seem to report the issue.

Additional context
Add any other context or screenshots about the feature request here.

SQLSTATE HV000 error when selecting kubernetes_cronjob

Describe the bug
I'm especially interested in the kubernetes_cronjob table. Unfortunately I've never managed to get a SELECT upon this table to work since I first tried, 3 or 4 months ago.

Steampipe version (steampipe -v)
Steampipe v0.20.0-alpha.4

Plugin version (steampipe plugin list)
Example: v0.18.1

To reproduce

steampipe query 'select * from kubernetes_cronjob;'

This produces

Error: the server could not find the requested resource (SQLSTATE HV000)

followed by an empty table.

Add table kubernetes_pod_template

Add column selector_query to kubernetes_* tables

Add support to read resources from kubernetes manifests

Using manifest path comes up with multiple folders (single file is fine) or YAML comes up with an ERROR: failed to start plugin 'hub.steampipe.io/plugins/turbot/kubernetes@latest': timed out waiting for hub.steampipe.io/plugins/turbot/kubernetes@latest to s

Getting error `Error: the server could not find the requested resource (SQLSTATE HV000)`

Describe the bug
Running the select * from .. query on some tables fails with an error: Error: the server could not find the requested resource (SQLSTATE HV000).

The following tables are impacted by the above error:

  • kubernetes_endpoint_slice
  • kubernetes_horizontal_pod_autoscaler
  • kubernetes_pod_disruption_budget
  • kubernetes_pod_security_policy

Steampipe version (steampipe -v)
Example: v0.19.3

Plugin version (steampipe plugin list)
Example: v0.18.0

To reproduce
Run any select * queries on the above mentioned tables.

For example:

select * from kubernetes_pod_security_policy

Expected behavior
If there is no resource of a specific kind, the table should return zero results without any error.

Additional context
Add any other context about the problem here.

Add column available_replicas to kubernetes_stateful_set table.

Update kubernetes doc

References
Update doc to indicate Kubernetes plugin support for OIDC Auth Provider.

Table `kubernetes_replication_controller` fails with an error `Error: failed to populate column 'selector_query': rpc error: code = Internal desc = transform labelSelectorToString failed with panic interface conversion: interface {} is map[string]string, not *v1.LabelSelector (SQLSTATE HV000)`

Describe the bug
Running any query against the table kubernetes_replication_controller gives the following error:

Error: failed to populate column 'selector_query': rpc error: code = Internal desc = transform labelSelectorToString failed with panic interface conversion: interface {} is map[string]string, not *v1.LabelSelector (SQLSTATE HV000)

Steampipe version (steampipe -v)
Example: v0.19.3

Plugin version (steampipe plugin list)
Example: v0.18.0

To reproduce
Run any query against the table kubernetes_replication_controller.

Expected behavior
The query should return the results without any error.

Additional context
Add any other context about the problem here.
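
The panic in the report above comes from an unchecked type assertion: a ReplicationController's selector is a plain map[string]string, while Deployments and ReplicaSets carry a *v1.LabelSelector. The Go sketch below is an added example, not the plugin's code; LabelSelector and Requirement are local stand-ins for the client-go types, uncheckedQuery and selectorToQuery are hypothetical names, and the sample selectors are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LabelSelector and Requirement are local stand-ins (assumption) for
// metav1.LabelSelector and metav1.LabelSelectorRequirement, so the example
// builds with the standard library only.
type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

type Requirement struct {
	Key      string
	Operator string // "In", "NotIn", "Exists" or "DoesNotExist"
	Values   []string
}

// uncheckedQuery reproduces the failure mode from the report: a single-value
// type assertion panics when handed a ReplicationController's map selector.
// The panic is recovered here only so the caller can observe it.
func uncheckedQuery(v interface{}) (query string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	sel := v.(*LabelSelector) // panics for map[string]string
	return labelsToQuery(sel.MatchLabels), false
}

// labelsToQuery renders equality labels as "k1=v1,k2=v2" with sorted keys so
// the output is stable.
func labelsToQuery(labels map[string]string) string {
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+labels[k])
	}
	return strings.Join(parts, ",")
}

// selectorToQuery accepts either selector shape and returns an error, never a
// panic, for anything else.
func selectorToQuery(v interface{}) (string, error) {
	switch sel := v.(type) {
	case nil:
		return "", nil
	case map[string]string:
		return labelsToQuery(sel), nil
	case *LabelSelector:
		if sel == nil {
			return "", nil
		}
		var parts []string
		if len(sel.MatchLabels) > 0 {
			parts = append(parts, labelsToQuery(sel.MatchLabels))
		}
		for _, r := range sel.MatchExpressions {
			vals := append([]string(nil), r.Values...)
			sort.Strings(vals)
			switch r.Operator {
			case "In":
				parts = append(parts, fmt.Sprintf("%s in (%s)", r.Key, strings.Join(vals, ",")))
			case "NotIn":
				parts = append(parts, fmt.Sprintf("%s notin (%s)", r.Key, strings.Join(vals, ",")))
			case "Exists":
				parts = append(parts, r.Key)
			case "DoesNotExist":
				parts = append(parts, "!"+r.Key)
			default:
				return "", fmt.Errorf("unsupported operator %q for key %q", r.Operator, r.Key)
			}
		}
		return strings.Join(parts, ","), nil
	default:
		return "", fmt.Errorf("unsupported selector type %T", v)
	}
}

func main() {
	rc := map[string]string{"app": "redis-cart"} // constructed sample selector
	_, panicked := uncheckedQuery(rc)
	query, err := selectorToQuery(rc)
	fmt.Println(panicked, query, err)
}
```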

Want to hard code credentials directly into "kubernetes plugin spc file" instead of giving absolute path to the kubeconfig file inside the spc file

I am using the steampipe tool for Kubernetes inventory and compliance. Below is the "kubernetes.spc file" which will be used by steampipe. However, instead of giving the path to the "kubeconfig file" under the field "config_path" in the "kubernetes.spc file", I simply want to hardcode the credentials (like certificate-authority-data, client-certificate-data, client-key-data) of the kubeconfig file in the spc file below. How can I achieve this? What would be the exact format of my spc file? Please help.

connection "kubernetes" {
  plugin = "kubernetes"
  # By default, the plugin will use credentials in "~/.kube/config" with the current context.
  # OpenID Connect (OIDC) authentication is supported without any extra configuration.
  # The kubeconfig path and context can also be specified with the following config arguments:
  # Specify the file path to the kubeconfig.
  # Can also be set with the "KUBE_CONFIG_PATHS" or "KUBERNETES_MASTER" environment variables.
  config_path = "~/.kube/config"
  # Specify a context other than the current one.
  config_context = "minikube"
  # If no kubeconfig file can be found, the plugin will attempt to use the service account Kubernetes gives to pods.
  # This authentication method is intended for clients that expect to be running inside a pod running on Kubernetes.
}

I want to hard code creds directly in the spc file from the kubeconfig file. Let's say I don't have a kubeconfig file on my system. In the case of AWS we directly mention creds like aws_secret_key, access_key in the spc file. I want to achieve the same with the Kubernetes spc file, like the pattern below, but it is not working.

connection "kubernetes" {
  plugin = "kubernetes"
  config = {
    # Hardcoded credentials for Kubernetes API server
    host = "https://your-kubernetes-host/"
    certificate-authority-data = "<certificate-authority-data>"
    client-certificate-data = "<client-certificate-data>"
    client-key-data = "<client-key-data>"
  }
}

Add config arg to allow filtering of which CRDs to create tables for

Is your feature request related to a problem? Please describe.
I want to be able to choose which CRDs tables are created for per connection.

Describe the solution you'd like
A config arg that allows me to specify names/patterns of CRDs. Possible names:

  • custom_resources
  • custom_resource_definitions
  • crds

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.
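
The custom_resource_tables patterns documented in the README config above ("*", "*.storage.k8s.io", a full CRD name, a singular name) can be read as the selection logic below, which decides which CRDs are exposed as tables. This is an added Go example, not the plugin's implementation: the CRD type and the function names are hypothetical, the sample CRDs are constructed, and matching the "*.<group>" form against the group exactly is an assumption taken from the README wording.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// CRD holds the three names a pattern can be compared against (stand-in type).
type CRD struct {
	Plural, Singular, Group string
}

// FullName is the CRD's metadata.name, "<plural>.<group>".
func (c CRD) FullName() string { return c.Plural + "." + c.Group }

// matchesPattern applies one custom_resource_tables entry to one CRD.
func matchesPattern(pattern string, crd CRD) (bool, error) {
	pattern = strings.ToLower(strings.TrimSpace(pattern))
	if pattern == "" {
		return false, nil
	}
	// "*.<group>": compare the group exactly. A plain glob would let
	// "*.storage.k8s.io" also select CRDs in "snapshot.storage.k8s.io".
	if strings.HasPrefix(pattern, "*.") {
		group := strings.TrimPrefix(pattern, "*.")
		if !strings.ContainsAny(group, "*?[") {
			return crd.Group == group, nil
		}
	}
	// Otherwise glob against the full name, then the singular name.
	for _, candidate := range []string{crd.FullName(), crd.Singular} {
		ok, err := path.Match(pattern, candidate)
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", pattern, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// selectTables returns the full names of the CRDs selected by any pattern.
// An empty pattern list selects nothing, as the README states.
func selectTables(patterns []string, crds []CRD) ([]string, error) {
	var selected []string
	for _, crd := range crds {
		for _, p := range patterns {
			ok, err := matchesPattern(p, crd)
			if err != nil {
				return nil, err
			}
			if ok {
				selected = append(selected, crd.FullName())
				break
			}
		}
	}
	return selected, nil
}

// sampleCRDs is constructed input for the example.
func sampleCRDs() []CRD {
	return []CRD{
		{Plural: "certificates", Singular: "certificate", Group: "cert-manager.io"},
		{Plural: "csidrivers", Singular: "csidriver", Group: "storage.k8s.io"},
		{Plural: "volumesnapshots", Singular: "volumesnapshot", Group: "snapshot.storage.k8s.io"},
		{Plural: "backendconfigs", Singular: "backendconfig", Group: "cloud.google.com"},
	}
}

func main() {
	for _, patterns := range [][]string{
		{"*"},
		{"*.storage.k8s.io"},
		{"certificates.cert-manager.io", "backendconfig"},
		nil,
	} {
		tables, err := selectTables(patterns, sampleCRDs())
		fmt.Printf("%q -> %v (err=%v)\n", patterns, tables, err)
	}
}
```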

Add template column in kubernetes_stateful_set table.

Support InClusterConfig for Kubernetes

Is your feature request related to a problem? Please describe.
We run steampipe dashboards inside a container. We would like to not have to configure a KubeConfig file and rather rely on "/var/run/secrets/kubernetes.io/serviceaccount/token". In KubeCtl the method is called InClusterConfig.

Describe the solution you'd like
Add InClusterConfig support.

Describe alternatives you've considered
Attempted to create Kube config from existing information dynamically.

Additional context
Link to InClusterConfig method
https://github.com/kubernetes/client-go/blob/fcdf37233b57445e4a6a4038ec580e9aaac931de/rest/config.go#L274

Plugin times out on startup

Describe the bug
Plugin times out on startup when there are several connections with dynamic CRD tables.

Warning: failed to start plugin 'hub.steampipe.io/plugins/turbot/kubernetes@latest': timed out waiting for hub.steampipe.io/plugins/turbot/kubernetes@latest to startup after 5 seconds

Steampipe version (steampipe -v)

steampipe version 0.18.0

Plugin version (steampipe plugin list)

hub.steampipe.io/plugins/turbot/aws@latest 0.95.0
hub.steampipe.io/plugins/turbot/csv@latest 0.5.0
hub.steampipe.io/plugins/turbot/github@latest 0.25.1
hub.steampipe.io/plugins/turbot/kubernetes@latest 0.17.0

To reproduce

  • Configure multiple connections to kubernetes clusters containing several CRDs.
    • In my case I see this when trying to connect to more than 6 clusters running Istio.
  • Run a steampipe command: steampipe plugin list or steampipe query

Expected behavior
All kubernetes connections load.

Additional context
Kubernetes clusters in my case are EKS running Istio.

Update tables for better use of API filters, context cancellation in list calls and page limiting for limit clause in query

Add support to parse Helm charts and templates

Remove deprecated config arg and env vars from the plugin

Is your feature request related to a problem? Please describe.
The below parameters are deprecated and will be removed after next month.
config_paths (please use config_path instead)
KUBE_CONFIG_PATHS (please use KUBECONFIG or KUBE_CONFIG_PATH instead)
KUBERNETES_MASTER (please use KUBECONFIG or KUBE_CONFIG_PATH instead)

Add table kubernetes_statefulset

References
Need for Kubernetes compliances
For reference - clientset.AppsV1().StatefulSets("").List(ctx, metav1.ListOptions{})

Dynamic CRD table creation fails when a dynamic column conflicts with common column

Describe the bug
Dynamic CRD table creation fails when a dynamic column conflicts with a common column, which are defined in

func k8sCRDResourceCommonColumns(columns []*plugin.Column) []*plugin.Column {
	allColumns := []*plugin.Column{
		{Name: "name", Type: proto.ColumnType_STRING, Description: "Name of resource."},
		{Name: "uid", Type: proto.ColumnType_STRING, Description: "UID is the unique in time and space value for this object.", Transform: transform.FromField("UID")},
		{Name: "kind", Type: proto.ColumnType_STRING, Description: "Type of resource."},
		{Name: "api_version", Type: proto.ColumnType_STRING, Description: "The API version of the resource.", Transform: transform.FromField("APIVersion")},
		{Name: "namespace", Type: proto.ColumnType_STRING, Description: "Namespace defines the space within which each name must be unique."},
		{Name: "creation_timestamp", Type: proto.ColumnType_TIMESTAMP, Transform: transform.FromGo().Transform(v1TimeToRFC3339), Description: "CreationTimestamp is a timestamp representing the server time when this object was created."},
		{Name: "labels", Type: proto.ColumnType_JSON, Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services."},
	}
	allColumns = append(allColumns, columns...)
	return allColumns
}

Steampipe version (steampipe -v)
v0.18.0-dev.10

Plugin version (steampipe plugin list)
v0.13.0

To reproduce
Create a custom resource definition and object with the property labels and then start Steampipe.

Expected behavior
All dynamic columns should be created alongside the common columns.

Additional context
Add any other context about the problem here.
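
The function quoted in the report above appends the CRD's dynamic columns to the common ones without checking names, so a CRD property called labels produces two columns with the same name. The Go sketch below is an added example, not the plugin's fix: Column is a stand-in for plugin.Column, the "spec_" rename prefix and all function names are hypothetical, and the dynamic column lists are constructed.

```go
package main

import "fmt"

// Column is a minimal stand-in (assumption) for the SDK's plugin.Column;
// only the name matters for the conflict.
type Column struct {
	Name    string
	Dynamic bool // true when the column came from the CRD schema
}

// conflictPrefix is a hypothetical choice for renaming clashing CRD columns.
const conflictPrefix = "spec_"

// commonColumns lists the names from k8sCRDResourceCommonColumns on the page.
func commonColumns() []Column {
	names := []string{"name", "uid", "kind", "api_version", "namespace", "creation_timestamp", "labels"}
	cols := make([]Column, 0, len(names))
	for _, n := range names {
		cols = append(cols, Column{Name: n})
	}
	return cols
}

// naiveMerge mirrors the plain append in the reported function.
func naiveMerge(common, dynamic []Column) []Column {
	return append(append([]Column{}, common...), dynamic...)
}

// duplicateNames returns every name defined more than once, in first-seen order.
func duplicateNames(cols []Column) []string {
	seen := map[string]int{}
	var dups []string
	for _, c := range cols {
		seen[c.Name]++
		if seen[c.Name] == 2 {
			dups = append(dups, c.Name)
		}
	}
	return dups
}

// uniqueName returns base, or base with a numeric suffix, avoiding both names
// declared anywhere in the inputs and names already emitted.
func uniqueName(base string, reserved, used map[string]bool) string {
	if !reserved[base] && !used[base] {
		return base
	}
	for i := 2; ; i++ {
		candidate := fmt.Sprintf("%s_%d", base, i)
		if !reserved[candidate] && !used[candidate] {
			return candidate
		}
	}
}

// mergeColumns keeps common columns as they are and renames any dynamic column
// whose name is already taken. It returns the merged list and a map from
// original to new name for the renamed columns.
func mergeColumns(common, dynamic []Column) ([]Column, map[string]string) {
	reserved := map[string]bool{} // every name as originally declared
	for _, c := range common {
		reserved[c.Name] = true
	}
	for _, c := range dynamic {
		reserved[c.Name] = true
	}
	used := map[string]bool{} // names already emitted
	renamed := map[string]string{}
	merged := make([]Column, 0, len(common)+len(dynamic))
	for _, c := range common {
		used[c.Name] = true
		merged = append(merged, c)
	}
	for _, c := range dynamic {
		name := c.Name
		if used[name] {
			name = uniqueName(conflictPrefix+c.Name, reserved, used)
			renamed[c.Name] = name
		}
		used[name] = true
		merged = append(merged, Column{Name: name, Dynamic: true})
	}
	return merged, renamed
}

func main() {
	// Constructed CRD schema with a property named "labels".
	dynamic := []Column{{Name: "labels", Dynamic: true}, {Name: "replicas", Dynamic: true}}
	fmt.Println("naive duplicates:", duplicateNames(naiveMerge(commonColumns(), dynamic)))
	merged, renamed := mergeColumns(commonColumns(), dynamic)
	fmt.Println("safe duplicates:", duplicateNames(merged), "renamed:", renamed)
}
```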

Add optional qual support in kubernetes_pod for label_selector column

Is your feature request related to a problem? Please describe.
Add optional qual support in kubernetes_pod for label_selector

EKS works with static credentials, but not MFA/token credentials

Describe the bug
steampipe query 'select name from kube_dev.kubernetes_node'
Works with simple (aws_access_key_id / aws_secret_access_key) in ~/.aws/credentials
Fails like this with MFA token (aws_access_key_id / aws_secret_access_key / aws_session_token) in ~/.aws/credentials (while kubectl --context=dev get nodes works):

Warning: executeQueries: query 1 of 1 failed: ERROR: rpc error: code = Unknown desc = Unauthorized (SQLSTATE HV000)

Steampipe version (steampipe -v)
0.15.4

Plugin version (steampipe plugin list)
hub.steampipe.io/plugins/turbot/kubernetes@latest 0.10.0

To reproduce
Use MacOS app "Leapp" to populate/update MFA in ~/.aws/credentials files

Expected behavior
Expected support for aws_session_token

Additional context

2022-08-17 16:07:57.558 UTC [ERROR] steampipe-plugin-kubernetes.plugin: [ERROR] 1660752476690: streamRows error chan select: Unauthorized
2022-08-17 16:07:57.559 UTC [WARN]  steampipe-plugin-kubernetes.plugin: [WARN]  1660752476690: Execute call failed err: Unauthorized cancelled: <nil> - cancelling pending item in cache

For some reason I'm not seeing the logs in utils.go

Honor ClientConfigLoadingRules

Describe the bug
To be fair I don't know if it's working as intended or a bug, but here we go.

The plugin doesn't seem to use the ClientConfigLoadingRules provided by the k8s client-go sdk. So for example setting the KUBECONFIG env doesn't lead to the plugin using the path provided in the value of the env to build the client config. That's unfortunate because all other Kubernetes CLIs that we use work with the KUBECONFIG env.

I guess that because here https://github.com/turbot/steampipe-plugin-kubernetes/blob/main/kubernetes/utils.go#L184 a default config path is set and here https://github.com/turbot/steampipe-plugin-kubernetes/blob/main/kubernetes/utils.go#L209-L213 if configPaths has one or multiple entries they are configured with precedence or explicit. In the default case it's set explicit which leads to the plugin not trying any other location for the Kubernetes config at all.

I know there is KUBE_CONFIG_PATHS variable but why introduce a new one when there might be already an env set with the desired value (KUBECONFIG).

I didn't test it but removing the default config path from the code may resolve all the above mentioned problems.

Steampipe version (steampipe -v)
Example: v0.16.4

Plugin version (steampipe plugin list)
Example: v0.12.0

To reproduce
Set KUBECONFIG env to something else than the default value (~/.kube/config)

Expected behavior
The envs which are used across almost all Kubernetes CLIs should be usable in the plugin.

Private certificates from an "unknown authority" on the k8s API server are not supported

Describe the bug
When using private certificates for the Kubernetes API server - the CA root being referenced in the kubeconfig file, I get the following error:

> select * from kubernetes_namespace

Error: Get "https://api.k8s.example.com/api/v1/namespaces?limit=500": tls: failed to verify certificate: x509: certificate signed by unknown authority (SQLSTATE HV000)

Steampipe version (steampipe -v)
Steampipe v0.20.12

Plugin version (steampipe plugin list)
hub.steampipe.io/plugins/turbot/kubernetes@latest | 0.23.0 | kubernetes

To reproduce
Use a cluster with a self-signed private certificate on the api server.

Expected behavior
A way to configure the plugin to ignore unknown authorities.

Empty returned `data` field in configmap and secret tables

Describe the bug

If I understood the behaviour correctly, the data field (as in: kubernetes_config_map.data and kubernetes_secret.data) is incorrectly overridden, and therefore returned as nil due to a bug introduced in #139

In particular, the issue is that the Data field from parsedContent

overrides the Data field from the kubernetes API object struct with a nil value,
which I believe to be unintended behaviour, in lines such as this one :

I would personally feel more comfortable with an implementation that does not mix fields from internal struct with fields from the kubernetes API object structs, but given my limited knowledge of this codebase, for now I will open a hotfix PR that changes the Data field's name : see #150


Steampipe version
Steampipe v0.20.10

Plugin version (steampipe plugin list)
Found bug when testing versions :

But is NOT present in version : hub.steampipe.io/plugins/turbot/[email protected]

To reproduce

Run any query attempting to make use of the data field, such as the default one from the documentation :

select
  name,
  namespace,
  data.key,
  data.value,
  age(current_timestamp, creation_timestamp)
from
  kubernetes_config_map,
  jsonb_each(data) as data
order by
  namespace,
  name;

The data field is always null.

Expected behavior

If the configmap's (or secret) actual data within etcd is not empty, and therefore the API response from kubernetes's data field is not empty, then this plugin should be correctly returning it.

Additional context
Hopefully this description contains enough information 🙂

When `source_type = "all"` (default or explicitly set), if I only have helm or manifest config args, query fails with invalid configuration

Describe the bug
When source_type = "all" (default or explicitly set) in my kubernetes.spc, if I run a query, I receive an error since Kube is looking for a cluster to connect to:

connection "kubernetes" {
  plugin = "kubernetes"
  
  manifest_file_paths =  ["/Users/cbruno/kube/deployments.yaml"]
  # Defaults to "all"
  #source_type = "all"
}
> select * from kubernetes.kubernetes_deployment

Error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable (SQLSTATE HV000)

+------+-----------+-----+----------+----------------+----------+----------+----------+-------------------+------------------------+--------+---------------------------+---------------------+-----------------+---
| name | namespace | uid | replicas | selector_query | selector | template | strategy | min_ready_seconds | revision_history_limit | paused | progress_deadline_seconds | observed_generation | status_replicas | up
+------+-----------+-----+----------+----------------+----------+----------+----------+-------------------+------------------------+--------+---------------------------+---------------------+-----------------+---
+------+-----------+-----+----------+----------------+----------+----------+----------+-------------------+------------------------+--------+---------------------------+---------------------+-----------------+---

Time: 29ms.

If I then change source_type = "manifest", then the query works:

> select * from kubernetes.kubernetes_deployment
+-----------------------+-----------+--------+----------+---------------------------+-------------------------------------------------+-----------------------------------------------------------------------------
| name                  | namespace | uid    | replicas | selector_query            | selector                                        | template
+-----------------------+-----------+--------+----------+---------------------------+-------------------------------------------------+-----------------------------------------------------------------------------
| redis-cart            |           | <null> | <null>   | app=redis-cart            | {"matchLabels":{"app":"redis-cart"}}            | {"metadata":{"creationTimestamp":null,"labels":{"app":"redis-cart"}},"spec":
...

Time: 126ms. Rows fetched: 12. Hydrate calls: 12.

Steampipe version (steampipe -v)
v0.20.9

Plugin version (steampipe plugin list)
v0.22.1

To reproduce
See above

Expected behavior
If source_type = "all", even if I don't have a Kube cluster configured, the helm and manifest information should still be loaded

Additional context
Add any other context about the problem here.

Add kubernetes networking and volume tables

Tables:

  • kubernetes_endpoint_slice
  • kubernetes_endpoints
  • kubernetes_ingress
  • kubernetes_job
  • kubernetes_network_policy
  • kubernetes_persistent_volume
  • kubernetes_persistent_volume_claim
  • kubernetes_replication_controller
