Deprecate azure and gcp in-tree auth plugins #102181
@@ -114,6 +114,9 @@ type gcpAuthProvider struct { | |||
} | |||
|
|||
func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | |||
klog.Warningf(`WARNING: in-tree gcp auth plugin is now deprecated. | |||
Please use the gcloud kubectl/client-go credential plugin instead.`) |
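Review bot: the warning sits directly in the body of newGCPAuthProvider, so it is logged every time the provider is constructed rather than once per process; guard it with a sync.Once. The text also carries no deprecation or removal version and no link, which leaves the reader with nothing to act on.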
We should hold off on this until we have an alternative. This is not currently actionable. Can we add this to release notes instead?
I would prefer to have the warning where an end-user would actually see it. Perhaps GCP can make a documentation page that we can link to? Then you can update the documentation page with details when it becomes actionable.
Also GCP has had years of runway to migrate away from this. This should be no surprise. It is time (technically in August).
Moved to a .V(1) to limit unactionable warning.
Opened #103499 to track moving this back to a Warningf by 1.24 at the latest.
c2bf4dd to 6bc9c85
klog.Warningf(`WARNING: in-tree azure auth plugin is now deprecated. | ||
Please use the https://github.com/Azure/kubelogin kubectl/client-go credential plugin instead.`) |
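Review bot: the backtick literal passed to klog.Warningf spans two source lines, so the logged message contains an embedded newline and its second line is written without a log header; a single-line string keeps the record greppable. The "WARNING:" prefix also repeats the severity that Warningf already records.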
@ritazh are you happy with this verbiage?
klog.V(1).Infof(`WARNING: in-tree gcp auth plugin is now deprecated. | ||
Please use the gcloud kubectl/client-go credential plugin instead.`) |
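Review bot: klog.V(1).Infof logs at info severity and only at verbosity 1 or higher, yet the text still begins with "WARNING:". Either drop the prefix while this is an info message, or add a comment saying the prefix is kept on purpose for the later switch back to Warningf.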
@mikedanese are you happy with this verbiage?
I'll defer to mike on content, but I'd suggest a single line if possible
also, in other deprecation warnings, we've included the "from" version and the targeted removal version, e.g.
WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use ___ instead
I'll defer to mike on content, but I'd suggest a single line if possible
The docs link forced me to use multiple lines to keep the length sane.
Updated to include the from and target versions.
/hold (until PR to make client-go exec plugin officially GA is merged)
func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | ||
// deprecated in v1.22, remove in v1.25 | ||
// this should be updated to use klog.Warningf in v1.24 to more actively warn consumers |
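Review bot: the reminder on the second comment line ("this should be updated to use klog.Warningf in v1.24") has no owner and no issue reference, so nothing enforces it. Make it a TODO that cites the tracking issue so the follow-up can be found from the code.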
Is there going to be some kind of process in place to ensure this happens? Otherwise is there anything programmatic we could do to query the version at runtime and update the error?
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at deprecation and its replacement and we need a few extra release cycles to hammer out those concerns?
Is there going to be some kind of process in place to ensure this happens?
I'd expect a milestoned issue
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at deprecation and its replacement and we need a few extra release cycles to hammer out those concerns?
This won't merge until the client-go exec plugin GA merges. That is the target for any issues or concerns. Once that is released as GA, setting a definite removal version for the other auth plugins is reasonable.
// deprecated in v1.22, remove in v1.25 | ||
warnOnce.Do(func() { | ||
klog.Warningf(`WARNING: in-tree azure auth plugin is now deprecated. | ||
Please use the https://github.com/Azure/kubelogin kubectl/client-go credential plugin instead.`) |
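Review bot: the comment above warnOnce.Do gives v1.22 and v1.25, but the logged text only says "is now deprecated"; put both versions in the message so users see the timeline. The phrase "kubectl/client-go credential plugin" after the kubelogin URL also does not tell the reader what to install or configure.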
As a casual/novice Kubectl user, kubectl/client-go doesn't seem very actionable to me (as opposed to Azure's login thing getting an entire URL). Is it a directory? Or package? Or Repo? I would prefer a more actionable link where I can learn how to use kubectl/client-go.
suggestions for alternative links are welcome
Added a link to the credential plugin docs.
/retest
klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin client-go credential plugin instead. | ||
|
||
To learn more about this feature, consult the documentation available at: | ||
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`) |
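Review bot: klog.Warningf is called with a constant string and no arguments, and that string contains URLs; use klog.Warning so that a '%' appearing in the text later is not read as a format verb. The literal also embeds a blank line, which spreads one warning over four output lines.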
can we shrink to two lines instead of four?
WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
Done.
func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) { | ||
// deprecated in v1.22, remove in v1.25 | ||
warnOnce.Do(func() { | ||
klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin client-go credential plugin instead. |
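Review bot: the azure provider warns through klog.Warningf here, while the gcp provider in this PR logs the same deprecation through klog.V(1).Infof. If the difference is intentional, state the reason in the comment above warnOnce.Do; otherwise use the same level in both.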
should this get the same V(1) treatment and move to a Warningf in 1.24?
+1 on what @liggitt pointed out.
Fixed. Opened #103525 to track.
looks good.
74e5ca1 to 0c72fef
/hold cancel #102890 has merged.
With the client-go credential plugin functionality going GA in 1.22, it is now time to deprecate these legacy integrations. Signed-off-by: Monis Khan <mok@vmware.com>
0c72fef to 6bfaeaf
@enj: The following test failed, say
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: enj, liggitt
As a user reading the release notes, I am still not quite sure what I am expected to do to authenticate with GCP now. I hope it will not require the 1gb+ (and 10x slower in our tests) gcloud command just to connect to a GCP cluster?
@howardjohn I observe that the (now deprecated)
I suggest reaching out to GKE support. GKE will need to provide some binary to fetch credentials. Whether that is the
So when I distribute my k8s controller (which needs to authenticate with all platforms) and stick it on a distroless image, it's not going to work anymore? I need to somehow find a magic binary for gke (and aks, eks,....), get them in the docker image, manage the versions, etc? I very much hope I misunderstand this change - this seems like a very hostile change for users if not.
No, your controller would run as a Kubernetes service account via the in cluster config credentials provided uniformly across all clusters by the Kubelet. This is the standard way all controllers obtain an identity on Kubernetes. The various controller frameworks do this automatically.
This change pertains to human users obtaining proprietary credentials that are specific to their Kubernetes distribution. We are replacing the use of a proprietary SDK with a proper extension point.
@enj how can I hide this warning when using kubectl?
Follow the directions to migrate to the replacement client-go credential plugin.
I did. But it's still showing. My GKE cluster is on 1.21.11. My kubectl is on 1.24.2.
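A check related to the exchange above, added here as an example and not part of the PR or of any participant's comment: the deprecation message is logged from newGCPAuthProvider and newAzureAuthProvider, which client-go constructs for kubeconfig users whose auth-provider is gcp or azure, so this lists the contexts that still select such a user. It assumes the kubeconfig in the JSON form printed by `kubectl config view --raw -o json`; the function name, the sample config and every name inside it are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// kubeconfig holds only the fields this check reads from the JSON kubeconfig.
type kubeconfig struct {
	CurrentContext string `json:"current-context"`
	Contexts       []struct {
		Name    string `json:"name"`
		Context struct {
			User string `json:"user"`
		} `json:"context"`
	} `json:"contexts"`
	Users []struct {
		Name string `json:"name"`
		User struct {
			AuthProvider *struct {
				Name string `json:"name"`
			} `json:"auth-provider"`
		} `json:"user"`
	} `json:"users"`
}

// legacyContexts (hypothetical helper) returns the contexts whose user still
// selects the in-tree azure or gcp auth provider, and whether current-context is one.
func legacyContexts(raw []byte) (names []string, current bool, err error) {
	var cfg kubeconfig
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return nil, false, err
	}
	legacy := map[string]bool{}
	for _, u := range cfg.Users {
		if ap := u.User.AuthProvider; ap != nil && (ap.Name == "azure" || ap.Name == "gcp") {
			legacy[u.Name] = true
		}
	}
	for _, c := range cfg.Contexts {
		if legacy[c.Context.User] {
			names = append(names, c.Name)
			current = current || c.Name == cfg.CurrentContext
		}
	}
	return names, current, nil
}

// sample is a constructed kubeconfig: one legacy gcp user, one exec-plugin user.
const sample = `{"current-context":"aks-prod",
 "contexts":[{"name":"gke-dev","context":{"user":"u-gcp"}},{"name":"aks-prod","context":{"user":"u-exec"}}],
 "users":[{"name":"u-gcp","user":{"auth-provider":{"name":"gcp"}}},{"name":"u-exec","user":{"exec":{"command":"kubelogin"}}}]}`

func main() { fmt.Println(legacyContexts([]byte(sample))) }
```

A context reported here keeps triggering the message until its user entry is rewritten to an exec stanza, regardless of which credential plugin binaries are installed.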
With the client-go credential plugin functionality going GA in 1.22,
it is now time to deprecate these legacy integrations.
Signed-off-by: Monis Khan <mok@vmware.com>
/kind cleanup
/kind deprecation
/sig auth
/priority important-soon
/triage accepted
/milestone v1.22
@kubernetes/sig-auth-pr-reviews
/assign @ritazh @mikedanese @cjcullen @ankeesler @liggitt