
x/build/kubernetes/gke: use non-deprecated auth #19651

Open
quentinmit opened this issue Mar 21, 2017 · 2 comments

Comments

@quentinmit
Contributor

commented Mar 21, 2017

We're currently using clusters.list to get the certificate pair used to authenticate to the Kubernetes API. This is deprecated (and very confusing to set up in a new project). The docs say we should switch to just using OAuth directly with the API (which has the advantage that we don't need to also grant the coordinator permission to create new clusters).

/cc @bradfitz
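The change proposed above, as an added example (this is not code from x/build or the coordinator): instead of fetching the legacy client certificate pair via `clusters.list`, the client verifies the API server against the cluster CA and sends an OAuth2 bearer token for the IAM identity it runs as. The `TokenSource` interface is an assumption standing in for `golang.org/x/oauth2/google`'s `DefaultTokenSource`; `FakeAPIServer`, `StaticToken` and the two pod names are constructed so the example runs offline against an in-process HTTPS server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenSource yields a short-lived OAuth2 access token for the identity the
// coordinator runs as. In production this is an assumption standing in for
// golang.org/x/oauth2/google's DefaultTokenSource (not imported here so the
// example builds with the standard library alone).
type TokenSource interface {
	Token() (string, error)
}

// StaticToken is a constructed stand-in token source for the demo and tests.
type StaticToken string

func (s StaticToken) Token() (string, error) {
	if s == "" {
		return "", errors.New("empty access token")
	}
	return string(s), nil
}

// bearerTransport injects "Authorization: Bearer <token>" into every request.
type bearerTransport struct {
	src  TokenSource
	base http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.src.Token()
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}

// NewKubeClient returns an HTTP client that verifies the API server against the
// cluster CA (the PEM decoded from GKE's masterAuth.clusterCaCertificate, which
// the API returns base64-encoded) and authenticates with a bearer token rather
// than the legacy client certificate pair.
func NewKubeClient(clusterCAPEM []byte, src TokenSource) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(clusterCAPEM) {
		return nil, errors.New("no CA certificate found in cluster CA PEM")
	}
	base := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: &bearerTransport{src: src, base: base}}, nil
}

// ListPodNames calls GET /api/v1/namespaces/{ns}/pods and returns the pod names.
func ListPodNames(c *http.Client, apiServer, ns string) ([]string, error) {
	resp, err := c.Get(strings.TrimRight(apiServer, "/") + "/api/v1/namespaces/" + ns + "/pods")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("kubernetes API: %s", resp.Status)
	}
	var pl struct {
		Items []struct {
			Metadata struct{ Name string } `json:"metadata"`
		} `json:"items"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&pl); err != nil {
		return nil, err
	}
	var names []string
	for _, it := range pl.Items {
		names = append(names, it.Metadata.Name)
	}
	return names, nil
}

// FakeAPIServer is a constructed stand-in for a GKE API server: it rejects
// requests lacking the expected bearer token and otherwise returns two pods.
// It also returns the PEM of its self-signed certificate, acting as the "cluster CA".
func FakeAPIServer(expectToken string) (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+expectToken {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"items":[{"metadata":{"name":"coordinator-0"}},{"metadata":{"name":"builder-linux-1"}}]}`)
	}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

func main() {
	srv, caPEM := FakeAPIServer("demo-access-token")
	defer srv.Close()
	c, err := NewKubeClient(caPEM, StaticToken("demo-access-token"))
	if err != nil {
		panic(err)
	}
	names, err := ListPodNames(c, srv.URL, "default")
	fmt.Println(names, err)
}
```

With this shape the coordinator only needs read access to the cluster's CA and an IAM role that grants Kubernetes API access (such as roles/container.developer); nothing in the path requires permission to create clusters or to read the legacy certificate pair.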

@quentinmit quentinmit added the NeedsFix label Mar 21, 2017

@quentinmit quentinmit added this to the Unreleased milestone Mar 21, 2017

@bradfitz bradfitz changed the title build/kubernetes/gke: use non-deprecated auth x/build/kubernetes/gke: use non-deprecated auth Mar 21, 2017

@gopherbot gopherbot added the Builders label Mar 21, 2017

@bradfitz

Member

commented Mar 22, 2017

Where are the deprecation docs?

Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

@quentinmit

Contributor Author

commented Mar 27, 2017

> Where are the deprecation docs?

I found this out at https://cloud.google.com/container-engine/docs/iam-integration#authentication_modes

I don't see any announcement... they have just started calling it "the legacy cluster certificate" in docs and have started restricting access to it (see below).

> Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

It doesn't break any of our existing deployments. This was changed in GKE 1.3. When I created a new service account for development, I discovered that the roles/container.developer role ("Full access to Kubernetes API objects inside Container Clusters.") did not allow the coordinator to talk to Kubernetes. This is because the certificate pair is not exposed to that role (nor is it even exposed to the container.clusterAdmin role). The legacy compute engine default service account is not restricted by IAM roles, so it will continue to work as long as we use it for the farmer VM (or they deprecate harder).
