
x/build/kubernetes/gke: use non-deprecated auth #19651

Open
quentinmit opened this issue Mar 21, 2017 · 2 comments
Labels
Builders x/build issues (builders, bots, dashboards) NeedsFix The path to resolution is known, but the work has not been done.

Comments

@quentinmit
Contributor

We're currently using clusters.list to get the certificate pair used to authenticate to the Kubernetes API. This is deprecated (and very confusing to set up in a new project). The docs say we should switch to just using OAuth directly with the API (which has the advantage that we don't need to also grant the coordinator permission to create new clusters).

/cc @bradfitz

@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 21, 2017
@quentinmit quentinmit added this to the Unreleased milestone Mar 21, 2017
@bradfitz bradfitz changed the title build/kubernetes/gke: use non-deprecated auth x/build/kubernetes/gke: use non-deprecated auth Mar 21, 2017
@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Mar 21, 2017
@bradfitz
Contributor

Where are the deprecation docs?

Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

@quentinmit
Contributor Author

Where are the deprecation docs?

I found this out at https://cloud.google.com/container-engine/docs/iam-integration#authentication_modes

I don't see any announcement... they have just started calling it "the legacy cluster certificate" in docs and have started restricting access to it (see below).

Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

It doesn't break any of our existing deployments. This was changed in GKE 1.3. When I created a new service account for development, I discovered that the roles/container.developer role ("Full access to Kubernetes API objects inside Container Clusters.") did not allow the coordinator to talk to Kubernetes. This is because the certificate pair is not exposed to that role (nor is it even exposed to the container.clusterAdmin role). The legacy compute engine default service account is not restricted by IAM roles, so it will continue to work as long as we use it for the farmer VM (or they deprecate harder).
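As an added example (not code from this issue or from x/build), here is the shape of the change the opening and closing comments ask for: a Go client that authenticates to a GKE cluster's Kubernetes API with an OAuth bearer token instead of the legacy certificate pair, while still verifying the API server against the cluster CA (the base64 PEM from MasterAuth). The `token` source and the local TLS server in `SelfTest` are assumed stand-ins so the flow can run offline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
)

type rtFunc func(*http.Request) (*http.Response, error)
func (f rtFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }
// NewGKEClient trusts only the cluster CA (base64 PEM, as in MasterAuth.ClusterCaCertificate)
// and sends a fresh OAuth bearer token per request; no client certificate pair is loaded.
func NewGKEClient(caCertB64 string, token func() (string, error)) (*http.Client, error) {
	pool := x509.NewCertPool()
	caPEM, err := base64.StdEncoding.DecodeString(caCertB64)
	if err != nil || !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("cluster CA must be a base64-encoded PEM certificate")
	}
	base := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: rtFunc(func(r *http.Request) (*http.Response, error) {
		tok, err := token() // assumed token source; called per request so expiring tokens stay fresh
		if err != nil {
			return nil, err
		}
		r2 := r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
		r2.Header.Set("Authorization", "Bearer "+tok)
		return base.RoundTrip(r2)
	})}, nil
}

// SelfTest stands in a local TLS server for the GKE master (its self-signed cert plays the cluster CA).
func SelfTest() (string, error) {
	var seen string
	srv := httptest.NewTLSServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Get("Authorization") }))
	defer srv.Close()
	caB64 := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}))
	client, err := NewGKEClient(caB64, func() (string, error) { return "ya29.constructed-token", nil })
	if err != nil {
		return "", err
	}
	resp, err := client.Get(srv.URL + "/version")
	if err == nil {
		resp.Body.Close()
	}
	return seen, err // the Authorization header the "master" observed
}
```

In a real deployment the token source would be the VM's service-account credentials, and the CA would come from clusters.get rather than a local test server.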
