You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We're currently using clusters.list to get the certificate pair used to authenticate to the Kubernetes API. This is deprecated (and very confusing to set up in a new project). The docs say we should switch to just using OAuth directly with the API (which has the advantage that we don't need to also grant the coordinator permission to create new clusters).
I don't see any announcement... they have just started calling it "the legacy cluster certificate" in docs and have started restricting access to it (see below).
Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?
It doesn't break any of our existing deployments. This was changed in GKE 1.3. When I created a new service account for development, I discovered that the roles/container.developer role ("Full access to Kubernetes API objects inside Container Clusters.") did not allow the coordinator to talk to Kubernetes. This is because the certificate pair is not exposed to that role (nor is it even exposed to the container.clusterAdmin role). The legacy compute engine default service account is not restricted by IAM roles, so it will continue to work as long as we use it for the farmer VM (or they deprecate harder).
We're currently using
clusters.list
to get the certificate pair used to authenticate to the Kubernetes API. This is deprecated (and very confusing to set up in a new project). The docs say we should switch to just using OAuth directly with the API (which has the advantage that we don't need to also grant the coordinator permission to create new clusters)./cc @bradfitz
The text was updated successfully, but these errors were encountered: