Deprecate azure and gcp in-tree auth plugins #102181
Conversation
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
the
sig/auth
k8s-ci-robot
added
kind/cleanup
k8s-ci-robot
added
priority/important-soon
k8s-ci-robot
added
the
sig/api-machinery
| @@ -114,6 +114,9 @@ type gcpAuthProvider struct { | |||
| } | |||
|
|
|||
| func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | |||
| klog.Warningf(`WARNING: in-tree gcp auth plugin is now deprecated. | |||
| Please use the gcloud kubectl/client-go credential plugin instead.`) | |||
There was a problem hiding this comment.
We should hold off on this until we have an alternative. This is not currently actionable. Can we add this to release notes instead?
There was a problem hiding this comment.
I would prefer to have the warning where an end-user would actually see it. Perhaps GCP can make a documentation page that we can link to? Then you can update the documentation page with details when it becomes actionable.
Also GCP has had years of runway to migrate away from this. This should be no surprise. It is time (technically in August).
There was a problem hiding this comment.
Moved to a .V(1) to limit unactionable warning.
There was a problem hiding this comment.
Opened #103499 to track moving this back to a Warningf by 1.24 at the latest.
enj
force-pushed
the
enj/i/deprecate_gcp_azure
branch
from
c2bf4dd
to
6bc9c85
Compare
k8s-ci-robot
added
size/S
| klog.Warningf(`WARNING: in-tree azure auth plugin is now deprecated. | ||
| Please use the https://github.com/Azure/kubelogin kubectl/client-go credential plugin instead.`) |
There was a problem hiding this comment.
@ritazh are you happy with this verbiage?
| klog.V(1).Infof(`WARNING: in-tree gcp auth plugin is now deprecated. | ||
| Please use the gcloud kubectl/client-go credential plugin instead.`) |
There was a problem hiding this comment.
@mikedanese are you happy with this verbiage?
There was a problem hiding this comment.
I'll defer to mike on content, but I'd suggest a single line if possible
There was a problem hiding this comment.
also, in other deprecation warnings, we've included the "from" version and the targeted removal version, e.g.
WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use ___ instead
There was a problem hiding this comment.
I'll defer to mike on content, but I'd suggest a single line if possible
The docs link forced me to use multiple lines to keep the length sane.
Updated to include the from and target versions.
|
/hold (until PR to make client-go exec plugin officially GA is merged) |
k8s-ci-robot
added
the
do-not-merge/hold
| func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | ||
| // deprecated in v1.22, remove in v1.25 | ||
| // this should be updated to use klog.Warningf in v1.24 to more actively warn consumers |
There was a problem hiding this comment.
Is there going to be some kind of process in place to ensure this happens? Otherwise is there anything programatic we could do to query the version at runtime and update the error?
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at depreciation and its replacement and we need a few extra release cycles to hammer out those concerns?
There was a problem hiding this comment.
Is there going to be some kind of process in place to ensure this happens?
I'd expect a milestoned issue
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at depreciation and its replacement and we need a few extra release cycles to hammer out those concerns?
This won't merge until the client-go exec plugin GA merges. That is the target for any issues or concerns. Once that is released as GA, setting a definite removal version for the other auth plugins is reasonable.
| // deprecated in v1.22, remove in v1.25 | ||
| warnOnce.Do(func() { | ||
| klog.Warningf(`WARNING: in-tree azure auth plugin is now deprecated. | ||
| Please use the https://github.com/Azure/kubelogin kubectl/client-go credential plugin instead.`) |
There was a problem hiding this comment.
As a casual/novice Kubectl user kubectl/client-go doesn't seem very actionable to me (as opposed to Azure's login thing getting an entire URL). Is it a directory? Or package? Or Repo? I would prefer a more actionable link where I can learn how to use kubectl/client-go.
There was a problem hiding this comment.
suggestions for alternative links are welcome
There was a problem hiding this comment.
Added a link to the credential plugin docs.
|
/retest |
| klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin client-go credential plugin instead. | ||
|
|
||
| To learn more about this feature, consult the documentation available at: | ||
| https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`) |
There was a problem hiding this comment.
can we shrink to two lines instead of four?
WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
| func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | ||
| // deprecated in v1.22, remove in v1.25 | ||
| warnOnce.Do(func() { | ||
| klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin client-go credential plugin instead. |
There was a problem hiding this comment.
should this get the same V(1) treatment and move to a Warningf in 1.24?
There was a problem hiding this comment.
There was a problem hiding this comment.
+1 on what @liggitt pointed out.
There was a problem hiding this comment.
Fixed. Opened #103525 to track.
enj
force-pushed
the
enj/i/deprecate_gcp_azure
branch
from
74e5ca1
to
0c72fef
Compare
/hold cancel #102890 has merged. |
k8s-ci-robot
removed
the
do-not-merge/hold
With the client-go credential plugin functionality going GA in 1.22, it is now time to deprecate these legacy integrations. Signed-off-by: Monis Khan <mok@vmware.com>
enj
force-pushed
the
enj/i/deprecate_gcp_azure
branch
from
0c72fef
to
6bfaeaf
Compare
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
As a user reading the release notes, I am still not quite sure what I am expected to do to authenticate with GCP now. I hope it will not require the 1gb+ (and 10x slower in our tests) gcloud command just to connect to a GCP cluster? |
|
@howardjohn I observe that the (now deprecated) |
I suggest reaching out to GKE support. GKE will need to provide some binary to fetch credentials. Whether that is the |
|
So when I distribute my k8s controller (which needs to authenticate with all platforms) and stick it on a distroless image, it's not going to work anymore? I need to somehow find a magic binary for gke (and aks, eks,....), get them in the docker image, manage the versions, etc? I very much hope I misunderstand this change - this seems like a very hostile change for users if not. |
No, your controller would run as a Kubernetes service account via the in cluster config credentials provided uniformally across all clusters by the Kubelet. This is the standard way all controllers obtain an identity on Kubernetes. The various controller frameworks do this automatically.
This change pertains to human users obtaining proprietary credentials that are specific to their Kubernetes distribution. We are replacing the use of a proprietary SDK with a proper extension point. |
|
@enj how can I hide this warning when using kubectl? |
Follow the directions to migrate to the replacement client-go credential plugin. |
I did. But it's still showing. My GKE cluster is on 1.21.11. My kubectl is on 1.24.2. |
With the client-go credential plugin functionality going GA in 1.22,
it is now time to deprecate these legacy integrations.
Signed-off-by: Monis Khan mok@vmware.com
/kind cleanup
/kind deprecation
/sig auth
/priority important-soon
/triage accepted
/milestone v1.22
@kubernetes/sig-auth-pr-reviews
/assign @ritazh @mikedanese @cjcullen @ankeesler @liggitt